Edit tour

Windows Analysis Report
llD1w4ROY5.exe

Overview

General Information

Sample name:	llD1w4ROY5.exe renamed because original name is a hash value
Original sample name:	f4782fb4d2d7413e36842663253901b15e158d7eff945c208ccfcdc7e2c208fc.exe
Analysis ID:	1466072
MD5:	efe76128c39edb6cd9fd02eb2e7ffdad
SHA1:	4e4c7cc0dff9aa68fea29a62e462a3126476746c
SHA256:	f4782fb4d2d7413e36842663253901b15e158d7eff945c208ccfcdc7e2c208fc
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

llD1w4ROY5.exe (PID: 2340 cmdline: "C:\Users\user\Desktop\llD1w4ROY5.exe" MD5: EFE76128C39EDB6CD9FD02EB2E7FFDAD)

RegSvcs.exe (PID: 5412 cmdline: "C:\Users\user\Desktop\llD1w4ROY5.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

SzvWIzD.exe (PID: 3964 cmdline: "C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SzvWIzD.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s30.securelayernetwork.com", "Username": "unlimited@smtpfreemail.com", "Password": "%lmb-a,[(1ty"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343a4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34416:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344a0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34532:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3459c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3460e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34734:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Process Memory Space: llD1w4ROY5.exe PID: 2340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: llD1w4ROY5.exe PID: 2340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: llD1w4ROY5.exe PID: 2340	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5412	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.llD1w4ROY5.exe.3fe0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.llD1w4ROY5.exe.3fe0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.llD1w4ROY5.exe.3fe0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x325a4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32616:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x326a0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32732:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3279c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3280e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x328a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32934:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343a4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34416:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344a0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34532:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3459c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3460e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34734:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343a4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34416:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344a0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34532:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3459c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3460e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34734:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s30.securelayernetwork.com", "Username": "unlimited@smtpfreemail.com", "Password": "%lmb-a,[(1ty"}

Multi AV Scanner detection for submitted file

Source: llD1w4ROY5.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: llD1w4ROY5.exe

Joe Sandbox ML: detected

Source: llD1w4ROY5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49699 version: TLS 1.2

Source:	Binary string: RegSvcs.pdb, source: SzvWIzD.exe, 0000000C.00000000.1355171678.0000000000EE2000.00000002.00000001.01000000.00000007.sdmp, SzvWIzD.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: llD1w4ROY5.exe, 00000000.00000003.1214753167.0000000004070000.00000004.00001000.00020000.00000000.sdmp, llD1w4ROY5.exe, 00000000.00000003.1214126837.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: llD1w4ROY5.exe, 00000000.00000003.1214753167.0000000004070000.00000004.00001000.00020000.00000000.sdmp, llD1w4ROY5.exe, 00000000.00000003.1214126837.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: SzvWIzD.exe, 0000000C.00000000.1355171678.0000000000EE2000.00000002.00000001.01000000.00000007.sdmp, SzvWIzD.exe.2.dr

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00274696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00274696
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027C93C FindFirstFileW,FindClose,	0_2_0027C93C
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0027C9C7
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027F200
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027F35D
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0027F65E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00273A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00273A2B
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00273D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00273D4E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0027BF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_002825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002825E2

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3672242009.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.000000000330F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.000000000330F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif8f
Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/T
Source: RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/p
Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, R1W.cs

.Net Code: IySS1qz

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0028425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0028425A

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00284458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00284458

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

0_2_0028425A

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00270219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00270219

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0029CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0029CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.llD1w4ROY5.exe.3fe0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00213B4C
Source: llD1w4ROY5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: llD1w4ROY5.exe, 00000000.00000000.1204749692.00000000002C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d9abfedc-9
Source: llD1w4ROY5.exe, 00000000.00000000.1204749692.00000000002C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_09a370ac-f
Source: llD1w4ROY5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bbae3653-5
Source: llD1w4ROY5.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a31e23a7-b

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00274021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00274021

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00268858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00268858

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0027545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0027545F

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0021E800	0_2_0021E800
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023DBB5	0_2_0023DBB5
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0021E060	0_2_0021E060
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0029804A	0_2_0029804A
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00224140	0_2_00224140
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00232405	0_2_00232405
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00246522	0_2_00246522
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00290665	0_2_00290665
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0024267E	0_2_0024267E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023283A	0_2_0023283A
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00226843	0_2_00226843
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002489DF	0_2_002489DF
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00228A0E	0_2_00228A0E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00246A94	0_2_00246A94
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00290AE2	0_2_00290AE2
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0026EB07	0_2_0026EB07
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00278B13	0_2_00278B13
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023CD61	0_2_0023CD61
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00247006	0_2_00247006
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0022710E	0_2_0022710E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00223190	0_2_00223190
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00211287	0_2_00211287
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002333C7	0_2_002333C7
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023F419	0_2_0023F419
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00225680	0_2_00225680
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002316C4	0_2_002316C4
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002258C0	0_2_002258C0
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002378D3	0_2_002378D3
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00231BB8	0_2_00231BB8
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00249D05	0_2_00249D05
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0021FE40	0_2_0021FE40
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023BFE6	0_2_0023BFE6
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00231FD0	0_2_00231FD0
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_022C3610	0_2_022C3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02FF4AD0	2_2_02FF4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02FF3EB8	2_2_02FF3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02FF4200	2_2_02FF4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DC343C	2_2_06DC343C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DCB540	2_2_06DCB540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DC4A60	2_2_06DC4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DE5710	2_2_06DE5710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DE31C0	2_2_06DE31C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DE3F68	2_2_06DE3F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DE2378	2_2_06DE2378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DE0040	2_2_06DE0040

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: String function: 00238B40 appears 42 times
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: String function: 00230D27 appears 70 times
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: String function: 00217F41 appears 35 times

Source: llD1w4ROY5.exe, 00000000.00000003.1214475342.000000000433D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs llD1w4ROY5.exe
Source: llD1w4ROY5.exe, 00000000.00000003.1214025515.0000000004193000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs llD1w4ROY5.exe
Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename43756820-3e34-450f-9ce0-c8dc057ff702.exe4 vs llD1w4ROY5.exe

Source: llD1w4ROY5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.llD1w4ROY5.exe.3fe0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0027A2D5 GetLastError,FormatMessageW,

0_2_0027A2D5

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00268713 AdjustTokenPrivileges,CloseHandle,		0_2_00268713
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00268CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00268CC3

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0027B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0027B59E

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0028F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0028F121

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0027C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0027C602

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00214FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00214FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\SzvWIzD

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut4D89.tmp

Jump to behavior

Source: llD1w4ROY5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003353000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003341000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: llD1w4ROY5.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\llD1w4ROY5.exe "C:\Users\user\Desktop\llD1w4ROY5.exe"
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\llD1w4ROY5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe "C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe"
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe "C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe"
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\llD1w4ROY5.exe"	Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: llD1w4ROY5.exe

Static file information: File size 1115648 > 1048576

Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: llD1w4ROY5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: llD1w4ROY5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: SzvWIzD.exe, 0000000C.00000000.1355171678.0000000000EE2000.00000002.00000001.01000000.00000007.sdmp, SzvWIzD.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: llD1w4ROY5.exe, 00000000.00000003.1214753167.0000000004070000.00000004.00001000.00020000.00000000.sdmp, llD1w4ROY5.exe, 00000000.00000003.1214126837.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: llD1w4ROY5.exe, 00000000.00000003.1214753167.0000000004070000.00000004.00001000.00020000.00000000.sdmp, llD1w4ROY5.exe, 00000000.00000003.1214126837.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: SzvWIzD.exe, 0000000C.00000000.1355171678.0000000000EE2000.00000002.00000001.01000000.00000007.sdmp, SzvWIzD.exe.2.dr

Source: llD1w4ROY5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: llD1w4ROY5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: llD1w4ROY5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: llD1w4ROY5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: llD1w4ROY5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0028C304 LoadLibraryA,GetProcAddress,

0_2_0028C304

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0021C590 push eax; retn 0021h	0_2_0021C599
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00238B85 push ecx; ret	0_2_00238B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02FF0C6D push edi; retf	2_2_02FF0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02FF0C45 push ebx; retf	2_2_02FF0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DC8BA5 push es; ret	2_2_06DC8BAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DC91F0 push es; ret	2_2_06DC9200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DEE550 push es; ret	2_2_06DEE540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06DEE530 push es; ret	2_2_06DEE540

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SzvWIzD			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SzvWIzD			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00214A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00214A35
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_002955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002955FD

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_002333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002333C7

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: llD1w4ROY5.exe PID: 2340, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

API/Special instruction interceptor: Address: 22C3234

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Memory allocated: 48F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596352	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595502	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594150	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2644			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7175			Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98959

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

API coverage: 4.6 %

Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe TID: 5940	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00274696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00274696
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027C93C FindFirstFileW,FindClose,	0_2_0027C93C
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0027C9C7
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027F200
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027F35D
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0027F65E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00273A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00273A2B
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00273D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00273D4E
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0027BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0027BF27

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00214AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00214AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596352	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595502	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594150	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.3673486904.0000000006405000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

API call chain: ExitProcess graph end node

graph_0-98319

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_02FF7ED8 CheckRemoteDebuggerPresent,

2_2_02FF7ED8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_002841FD BlockInput,

0_2_002841FD

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00213B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00213B4C

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00245CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00245CCC

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0028C304 LoadLibraryA,GetProcAddress,

0_2_0028C304

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_022C34A0 mov eax, dword ptr fs:[00000030h]	0_2_022C34A0
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_022C3500 mov eax, dword ptr fs:[00000030h]	0_2_022C3500
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_022C1E70 mov eax, dword ptr fs:[00000030h]	0_2_022C1E70

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_002681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_002681F7

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023A364 SetUnhandledExceptionFilter,		0_2_0023A364
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_0023A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0023A395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11B7008

Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00268C93 LogonUserW,

0_2_00268C93

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00213B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00213B4C

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00214A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00214A35

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00274EF5 mouse_event,

0_2_00274EF5

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\llD1w4ROY5.exe"

Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

0_2_002681F7

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00274C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00274C03

Source: llD1w4ROY5.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: llD1w4ROY5.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0023886B cpuid

0_2_0023886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_002450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002450D7

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00252230 GetUserNameW,

0_2_00252230

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_0024418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0024418A

Source: C:\Users\user\Desktop\llD1w4ROY5.exe

Code function: 0_2_00214AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00214AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llD1w4ROY5.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: llD1w4ROY5.exe	Binary or memory string: WIN_81
Source: llD1w4ROY5.exe	Binary or memory string: WIN_XP
Source: llD1w4ROY5.exe	Binary or memory string: WIN_XPe
Source: llD1w4ROY5.exe	Binary or memory string: WIN_VISTA
Source: llD1w4ROY5.exe	Binary or memory string: WIN_7
Source: llD1w4ROY5.exe	Binary or memory string: WIN_8
Source: llD1w4ROY5.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llD1w4ROY5.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llD1w4ROY5.exe.3fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llD1w4ROY5.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR

Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00286596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00286596
Source: C:\Users\user\Desktop\llD1w4ROY5.exe	Code function: 0_2_00286A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00286A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
llD1w4ROY5.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
llD1w4ROY5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
https://api.ipif8f	0%	Avira URL Cloud	safe
http://api.ipify.org	0%	Avira URL Cloud	safe
https://api.ipify.org/p	0%	Avira URL Cloud	safe
https://api.ipify.org/T	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipif8f	RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/p	RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	llD1w4ROY5.exe, 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/T	RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3672242009.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.ipify.org	RegSvcs.exe, 00000002.00000002.3672242009.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3672242009.0000000003326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.000000000330F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3672242009.0000000003261000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466072
Start date and time:	2024-07-02 14:02:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	llD1w4ROY5.exe renamed because original name is a hash value
Original Sample Name:	f4782fb4d2d7413e36842663253901b15e158d7eff945c208ccfcdc7e2c208fc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SzvWIzD.exe, PID 3964 because it is empty
Execution Graph export aborted for target SzvWIzD.exe, PID 7344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: llD1w4ROY5.exe

Simulations

Behavior and APIs

Time	Type	Description
08:02:57	API Interceptor	11944955x Sleep call for process: RegSvcs.exe modified
14:03:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SzvWIzD C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe
14:03:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SzvWIzD C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ServerManager.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
api.ipify.org	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	FmQx1Fw3VA.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	config.lnk.mal.lnk	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	purchase order - PO-011024-201.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	3z5nZg91qJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	GkYUK8VCrO.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://shippingservice-dhiexpress.dudaone.com/serviceid193811983/	Get hash	malicious	Unknown	Browse	172.67.183.214
	FNB-Copy.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101
	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://www.aspcp.uk	Get hash	malicious	Unknown	Browse	104.16.160.145
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	FmQx1Fw3VA.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	config.lnk.mal.lnk	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	IF10339.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253APGI.medamax.com.ar/index.xml%23?email=b2xpdmVyLnNjaHVzdGVyQHZvc3Nsb2guY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
TUT-ASUS	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	invoicepast.pdf.lnk.mal.lnk	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	Invoice-UPS-218931.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	104.26.12.205
	IF10339.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://ddec1-0-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2faagt%2damx%2dmoodle%2dmex.com%2freport%2finsights%2faction.php%3faction%3duseful%26forwardurl%3dhttps%253A%252F%252Faagt%2damx%2dmoodle%2dmex.com%252Freport%252Finsights%252Fdone.php%253Factionvisiblename%253D%2525C3%25259Atil%2526target%253D%5fblank%26predictionid%3d1580&umid=dfe32622-5afa-43d1-bc88-1d0d19378d86&auth=b37f34d438b54d6822929a8430f2a42f374caac4-c52e46d07bf23779234fc7b6680559fd6de91ad8	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://wiki.hoeron.com/doku.php?id=hoeron:kb:hardware:fortinet:2023-11-29-1701246124	Get hash	malicious	Unknown	Browse	104.26.12.205
	purchase order - PO-011024-201.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	3z5nZg91qJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse
	54dse57Lv7.exe	Get hash	malicious	AgentTesla	Browse
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	ORDERDATASHEET#PO8738763.scr.exe	Get hash	malicious	AgentTesla, RedLine, SugarDump, XWorm	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SzvWIzD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\aut4D89.tmp

Download File

Process:	C:\Users\user\Desktop\llD1w4ROY5.exe
File Type:	data
Category:	dropped
Size (bytes):	153406
Entropy (8bit):	7.934517355573764
Encrypted:	false
SSDEEP:	3072:QnETKxmV8JKEv0pzyTGGH/ZW2DrynXJRi3lm07ugqMSfLKXUYiyEzfRTp:QvG8Tv0pkGGH/ZW+ynXXi3lm07XySUTP
MD5:	9764C9214C991D33BD1A9763E89A7EBC
SHA1:	F7F4DEAD37DC85A6B13038652736D7DCAC6729B4
SHA-256:	5183A720079F45972A5A07E3B85BCEC6BC2D3373F60AC67BF980A2D15820E2BB
SHA-512:	ECBB326E63DFE8A25DC28E3B7A80E2AFEC389C9ECFA8EE27F6127FD880055F87B4AB11B6E6A33C6F55F6F0A0E81901507EF8F19927102D81D1EAFE472857C50B
Malicious:	false
Reputation:	low
Preview:	EA06.....@.....M.M.3.F.2..j..}..5.V..I...7..T..\...~....W.z..oe.....oxK}.G$..g.y.JE9..%....C......Go.M.H... ...i.....T.+X.E).9..{..4.s5.Vg..4.m...4`.\J..j.b,..u.@..:eK....z...'...F......+.....L.t.t...V&...V@4.L.V.p.WSM.Ci...=&.A....D~.._E.3....k...b..U...A!.......mA....E6.O.T.m4..".Od...zf...x.....?\|....99.O$R.-fr.+.....C.H...........~.T.t...Sh....4.d`.z...N...jh....E.\|6.<t&...\'..V6..v&..T.....!.{.sGI..v.hM#1..c.7...{..z...WaY.o..:.F.3..:Z.._oq.NgT9.zqj.U4.].^#...).x..i%.J..Od...L/.H.K...}....9..tZI&.O;.Wc..E.K+.F%.id.Y... .._c...?[^.Q...+S.u.I .......6.x;........i..."...]@4....[..$........s...r...D......m..&`...I:.....%.3........(.e..~%......>..V.s.j...K....x...m{..../?I&...y.z+.....y...6.Pm.8&.A..U.D.cE......i..o,}......O2x.=.....cuY.../Nn.l...\.oC..zmu...ce0.pw.x.)..m..U.5..f...Z.l..m.).P.s...I.O. ....e..i...._..V)<..Fq7..m..mRg...f7....M..g.;.ra5.T).Y..kP.M....:.....#r}...fr......P.t.M:ma...)...r.\'@.@..O.E+z.egwX.....6t.fL.1.&.F.

C:\Users\user\AppData\Local\Temp\aut4DE8.tmp

Download File

Process:	C:\Users\user\Desktop\llD1w4ROY5.exe
File Type:	data
Category:	dropped
Size (bytes):	9818
Entropy (8bit):	7.602882644671823
Encrypted:	false
SSDEEP:	192:na0ZsqLUGeKtxWQa88XEeap488uXrfBNa6fYHd4WL1nHYsSWY43HU542Me+ZLc:azqLFLtx3a880eap48vXrPjY93JHHjcP
MD5:	595A8C6D5D3C39CA2C721466186B5870
SHA1:	4E0C0695DD08621189B8F255E5FE9AD0C08A873F
SHA-256:	12F8CB12D2AE4939CB1E0065FC313E06FD2AB6FC470DF55492E06981F2C0045D
SHA-512:	48A15EFA2E58C7C0187442A4B6A33F53F1E6DFBFED1590427F8B304E39E41D66D09634317E3E4020D9805C5B834BA7EF9F9DCA0750E591D2B0523F42C529A7D0
Malicious:	false
Reputation:	low
Preview:	EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.

C:\Users\user\AppData\Local\Temp\hurtling

Download File

Process:	C:\Users\user\Desktop\llD1w4ROY5.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.67918560017853
Encrypted:	false
SSDEEP:	6144:Qm9SVmdPdM2jVBrn3ZUsj9UySx9Iq2zl4sUyJtDd34BuWF1UDYT2i+ESca6Fp:oMdPO2j2olVnK2i+2a6r
MD5:	1AFC6BEDDFF47FF27DF5267B949512B5
SHA1:	34BF47CDAC4FD9082D48CF3F072BCE8AD02940FE
SHA-256:	B7F2AD7C0979CD9874701D879E439DAC2AC9D0F08FC8583457E94698CF0A8C94
SHA-512:	18306CEDC6ECE6DF3CC274164031FAD4942727B49373DB7DC391B329B7900B382DCEA8F7FDFC707DF421688103810B678CEFA4656AF07335C177052DDA16C6A8
Malicious:	false
Reputation:	low
Preview:	...P[6XM46A8.N2.MPMOEY5.X6XM06A87IN2KMPMOEY5PX6XM06A87IN2KM.MOEW.V6.D...9{.of#$#m?76R"9[x.QX/WCi,Wk?%#o,7...ex _R$.:DD.KMPMOEYe.X6.L36..{/N2KMPMOE.5RY=YF06.;7IF2KMPMO+.6PX.XM0.B87I.2KmPMOGY5TX6XM06A<7IN2KMPMoAY5RX6XM06C8w.N2[MP]OEY5@X6HM06A87YN2KMPMOEY5PL.[Mg6A87.M2.HPMOEY5PX6XM06A87IN2KIPAOEY5PX6XM06A87IN2KMPMOEY5PX6XM06A87IN2KMPMOEY5PX6XM0.A8?IN2KMPMOEY5Xx6X.06A87IN2KMPc; !APX6,.36A.7IN.HMPOOEY5PX6XM06A87iN2+c">=&Y5P.3XM0.B87ON2K.SMOEY5PX6XM06Ax7I..9(<",EY9PX6XM46A:7IN.HMPMOEY5PX6XM0vA8uIN2KMPMOEY5PX6XM`.B87IN2.MPMME\5h.4X..7A;7IN3KMVMOEY5PX6XM06A87IN2KMPMOEY5PX6XM06A87IN2KMPMOEY5PE......4p8)J.k.".6..%..I..7v\.I_....H......86..8.F~..Y...@.P3!L....q.9:C8.8jVT.E.....`Lw..4%....'..60\|.....j..._9....$..;"]. HG%+..,6,=,.7.Y6XM0.......$(..hZ:Nl$ ......[6d...1EY54X6X?06AY7INuKMP"OEY[PX6&M06?87I.2KM.MOEn5PX.XM0[A87mN2K3PMO.$:_..$C..87IN2~..}.(....o...wI.7.Ps...+....]e.BX.6{{...E.&..Ng;^...77G<2KI6HAmC....qZ2\H21E;;t@y...l.c..i...<...kM.22KMPMO.Y5.X6X.6.87I.2.M..OEY..X.X.0...7

C:\Users\user\AppData\Local\Temp\spiketop

Download File

Process:	C:\Users\user\Desktop\llD1w4ROY5.exe
File Type:	ASCII text, with very long lines (28740), with no line terminators
Category:	modified
Size (bytes):	28740
Entropy (8bit):	3.5895382875066826
Encrypted:	false
SSDEEP:	768:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IC6bd4vfF3if6gyuc:WiTZ+2QoioGRk6ZklputwjpjBkCiw2Rg
MD5:	B7371496BA7679671D00E8067D7900E7
SHA1:	E81C46E91EE0CD579D82ADB68B2055F7F41EED89
SHA-256:	AC304CEE140390CCB38FBECE310FFFCCC48B8890B0CD624E6AF5C8991EC49A9F
SHA-512:	A8C43869550B782228F82A26026010EF2B201870DB99AC40BC86C5560AE735AEB506EBAFE4B8722477C6F6E9EA0991D1CA53E25DD8373ED2395D5EF13C953435
Malicious:	false
Reputation:	low
Preview:	606DABF73C37DFE5B6388B40F071263955F8071380D1EFA13173545CE7671ACF380x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c000000668995

C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe, Detection: malicious, Browse Filename: 8f5WsFcnTc.exe, Detection: malicious, Browse Filename: v31TgVEtHi.exe, Detection: malicious, Browse Filename: 54dse57Lv7.exe, Detection: malicious, Browse Filename: 001 Tech. Spec pdf.exe, Detection: malicious, Browse Filename: doc -scan file.exe, Detection: malicious, Browse Filename: payment order.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: ORDERDATASHEET#PO8738763.scr.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.098415896207959
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	llD1w4ROY5.exe
File size:	1'115'648 bytes
MD5:	efe76128c39edb6cd9fd02eb2e7ffdad
SHA1:	4e4c7cc0dff9aa68fea29a62e462a3126476746c
SHA256:	f4782fb4d2d7413e36842663253901b15e158d7eff945c208ccfcdc7e2c208fc
SHA512:	ce2de4e689cae54b4270ca8e543c9a2f4371f599b30dd13f49ae95e95e80bc1eb06e23a8a1e112e8912a13c9be187647ce9594ab1f0e8fad440ee6e3e883d192
SSDEEP:	24576:hAHnh+eWsN3skA4RV1Hom2KXMmHaI62UuMMvl5l5:4h+ZkldoPK8YaI6Ns9
TLSH:	A435AD0273D2C036FFAB92739B6AF24256BD79254123852F13981DB9BD701B1273E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1d79597149594541

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66666532 [Mon Jun 10 02:30:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8339342C2Dh
jmp 00007F83393359E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8339335B6Ah
cmp edi, eax
jc 00007F8339335ECEh
bt dword ptr [004C41FCh], 01h
jnc 00007F8339335B69h
rep movsb
jmp 00007F8339335E7Ch
cmp ecx, 00000080h
jc 00007F8339335D34h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8339335B70h
bt dword ptr [004BF324h], 01h
jc 00007F8339336040h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F8339335D0Dh
test edi, 00000003h
jne 00007F8339335D1Eh
test esi, 00000003h
jne 00007F8339335CFDh
bt edi, 02h
jnc 00007F8339335B6Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8339335B73h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8339335BC5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x45e10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x45e10	0x46000	e1dcc3c7d47b558532549045041ec136	False	0.9674665178571429	data	7.9508741867994575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x5c40	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9687923441734417
RT_MENU	0xce410	0x50	data	English	Great Britain	0.9
RT_STRING	0xce460	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xce9f4	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf080	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf510	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb0c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd0168	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd05d0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd0728	0x3d19a	data			1.0003436343730272
RT_GROUP_ICON	0x10d8c4	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0x10d8d8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10d8ec	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10d900	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10d914	0x10c	data	English	Great Britain	0.6007462686567164
RT_MANIFEST	0x10da20	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 14:02:57.751421928 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:57.751452923 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:57.751609087 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:57.766608953 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:57.766623974 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:58.299806118 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:58.299879074 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:58.303680897 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:58.303693056 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:58.304054022 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:58.348350048 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:58.354564905 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:58.400497913 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:59.010428905 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:59.010493040 CEST	443	49699	104.26.12.205	192.168.2.7
Jul 2, 2024 14:02:59.010586023 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:59.018134117 CEST	49699	443	192.168.2.7	104.26.12.205
Jul 2, 2024 14:02:59.031218052 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:02:59.036149979 CEST	80	49700	208.95.112.1	192.168.2.7
Jul 2, 2024 14:02:59.038574934 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:02:59.038659096 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:02:59.043446064 CEST	80	49700	208.95.112.1	192.168.2.7
Jul 2, 2024 14:02:59.634330034 CEST	80	49700	208.95.112.1	192.168.2.7
Jul 2, 2024 14:02:59.676491022 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:04:17.032298088 CEST	80	49700	208.95.112.1	192.168.2.7
Jul 2, 2024 14:04:17.032358885 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:04:39.020766020 CEST	49700	80	192.168.2.7	208.95.112.1
Jul 2, 2024 14:04:39.025615931 CEST	80	49700	208.95.112.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 14:02:57.725037098 CEST	64882	53	192.168.2.7	1.1.1.1
Jul 2, 2024 14:02:57.732458115 CEST	53	64882	1.1.1.1	192.168.2.7
Jul 2, 2024 14:02:59.023050070 CEST	53111	53	192.168.2.7	1.1.1.1
Jul 2, 2024 14:02:59.030658007 CEST	53	53111	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 14:02:57.725037098 CEST	192.168.2.7	1.1.1.1	0x8551	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 14:02:59.023050070 CEST	192.168.2.7	1.1.1.1	0x5c59	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 14:02:57.732458115 CEST	1.1.1.1	192.168.2.7	0x8551	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 2, 2024 14:02:57.732458115 CEST	1.1.1.1	192.168.2.7	0x8551	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 2, 2024 14:02:57.732458115 CEST	1.1.1.1	192.168.2.7	0x8551	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 2, 2024 14:02:59.030658007 CEST	1.1.1.1	192.168.2.7	0x5c59	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	208.95.112.1	80	5412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 14:02:59.038659096 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 2, 2024 14:02:59.634330034 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 12:02:58 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.26.12.205	443	5412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 12:02:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-02 12:02:59 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 12:02:58 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89ce7d6b0b3243d9-EWR
2024-07-02 12:02:59 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	08:02:54
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\llD1w4ROY5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\llD1w4ROY5.exe"
Imagebase:	0x210000
File size:	1'115'648 bytes
MD5 hash:	EFE76128C39EDB6CD9FD02EB2E7FFDAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1218967859.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:02:55
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\llD1w4ROY5.exe"
Imagebase:	0xe30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3656759841.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3672242009.0000000003274000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	08:03:09
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe"
Imagebase:	0xee0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:03:09
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:03:17
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe"
Imagebase:	0x5d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:03:17
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6%
Total number of Nodes:	2000
Total number of Limit Nodes:	183

Executed Functions

Function 00213B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00213B7A
IsDebuggerPresent.KERNEL32 ref: 00213B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,002D62F8,002D62E0,?,?), ref: 00213BFD

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Part of subcall function 00220A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00213C26,002D62F8,?,?,?), ref: 00220ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00213C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002C93F0,00000010), ref: 0024D4BC
SetCurrentDirectoryW.KERNEL32(?,002D62F8,?,?,?), ref: 0024D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002C5D40,002D62F8,?,?,?), ref: 0024D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0024D581

Part of subcall function 00213A58: GetSysColorBrush.USER32(0000000F), ref: 00213A62
Part of subcall function 00213A58: LoadCursorW.USER32(00000000,00007F00), ref: 00213A71
Part of subcall function 00213A58: LoadIconW.USER32(00000063), ref: 00213A88
Part of subcall function 00213A58: LoadIconW.USER32(000000A4), ref: 00213A9A
Part of subcall function 00213A58: LoadIconW.USER32(000000A2), ref: 00213AAC
Part of subcall function 00213A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00213AD2
Part of subcall function 00213A58: RegisterClassExW.USER32(?), ref: 00213B28

Part of subcall function 002139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213A15
Part of subcall function 002139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213A36
Part of subcall function 002139E7: ShowWindow.USER32(00000000,?,?), ref: 00213A4A
Part of subcall function 002139E7: ShowWindow.USER32(00000000,?,?), ref: 00213A53

Part of subcall function 002143DB: _memset.LIBCMT ref: 00214401
Part of subcall function 002143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002144A6

Strings

runas, xrefs: 0024D575
%*, xrefs: 00213C56
This is a third-party compiled AutoIt script., xrefs: 0024D4B4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%*
API String ID: 529118366-1945766179
Opcode ID: 7794141fdd43bb5f7cf862a1e03be7e9ed8f578a2ed27cb74af1debcbed950f9
Instruction ID: 36493acf0c050ae00c28e0d15a2a0ccfa50e917e6d2269a029a27a4174dd301a
Opcode Fuzzy Hash: 7794141fdd43bb5f7cf862a1e03be7e9ed8f578a2ed27cb74af1debcbed950f9
Instruction Fuzzy Hash: 6751D830D24249AACF11EFF4EC0DEED7BB5AB65700B0441A7F851A2192DB744AA5CF61

Function 00214FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00214EEE,?,?,00000000,00000000), ref: 00214FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00214EEE,?,?,00000000,00000000), ref: 00215010
LoadResource.KERNEL32(?,00000000,?,?,00214EEE,?,?,00000000,00000000,?,?,?,?,?,?,00214F8F), ref: 0024DD60
SizeofResource.KERNEL32(?,00000000,?,?,00214EEE,?,?,00000000,00000000,?,?,?,?,?,?,00214F8F), ref: 0024DD75
LockResource.KERNEL32(N!,?,?,00214EEE,?,?,00000000,00000000,?,?,?,?,?,?,00214F8F,00000000), ref: 0024DD88

Strings

N!, xrefs: 0024DD85
SCRIPT, xrefs: 00215006

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N!
API String ID: 3051347437-2924198466
Opcode ID: 0066b0cd7d927f7d4da0facf0858f38af6b9a9084e754352b2153eb67be143bc
Instruction ID: 53b870b7add4abd6357ebee635659eb37546f45ce1dfc3ad4931e9c1634369f2
Opcode Fuzzy Hash: 0066b0cd7d927f7d4da0facf0858f38af6b9a9084e754352b2153eb67be143bc
Instruction Fuzzy Hash: 38119A75600701AFE7608B65EC58F677BBAEBC9B11F2041A9F806C6260DBA1E8508660

Function 00214AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00214B2B

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

GetCurrentProcess.KERNEL32(?,0029FAEC,00000000,00000000,?), ref: 00214BF8
IsWow64Process.KERNEL32(00000000), ref: 00214BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00214C45
FreeLibrary.KERNEL32(00000000), ref: 00214C50
GetSystemInfo.KERNEL32(00000000), ref: 00214C81
GetSystemInfo.KERNEL32(00000000), ref: 00214C8D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 5e18fb075dbe0c85753f9a48943f98668a93761d9c7eb356b02c7c856895fec8
Instruction ID: ad80e106975a8eb14090ed2609f8046ffd85bee12cd89365efa8e83445000183
Opcode Fuzzy Hash: 5e18fb075dbe0c85753f9a48943f98668a93761d9c7eb356b02c7c856895fec8
Instruction Fuzzy Hash: 4191E33196E7C1DEC735DF6895911EABFE4AF36300B484A9ED0CE83A01D260E998C759

Function 0021E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt-, xrefs: 00253F58
Variable must be of type 'Object'., xrefs: 0025428C
Dt-, xrefs: 00253F1F
Dt-, xrefs: 0021EC1A
Dt-, xrefs: 0021EC21

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: Dt-$Dt-$Dt-$Dt-$Variable must be of type 'Object'.
API String ID: 0-410758760
Opcode ID: 33d9d2c942922fb27dca26415a0082dc4a0f26c376808af7b815beb77c9f6c9c
Instruction ID: b9165f94a913f5c40f2ab8e0e69beb8f55d013d1efccc802bf4239cda60bdcde
Opcode Fuzzy Hash: 33d9d2c942922fb27dca26415a0082dc4a0f26c376808af7b815beb77c9f6c9c
Instruction Fuzzy Hash: 78A28E74A24206CBCF14CF54C980AE9B7F1FF68314F658069EC16AB351D775ADA2CB81

Function 00274696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0024E7C1), ref: 002746A6
FindFirstFileW.KERNELBASE(?,?), ref: 002746B7
FindClose.KERNEL32(00000000), ref: 002746C7

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7b5b95d17e2abdc8d44384092814a593810ac4175dfe8f27cad7650954ba7d3a
Instruction ID: e111ac7a8157730dee70b03c118c2846db32b986bab6d9a7249fb97b543032b3
Opcode Fuzzy Hash: 7b5b95d17e2abdc8d44384092814a593810ac4175dfe8f27cad7650954ba7d3a
Instruction Fuzzy Hash: E0E0DF328204016B8650BB38FC4D8EA779C9E06335F104726F839C24E0EBB0A9608A9A

Function 00220B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00220BBB
timeGetTime.WINMM ref: 00220E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00220FB3
TranslateMessage.USER32(?), ref: 00220FC7
DispatchMessageW.USER32(?), ref: 00220FD5
Sleep.KERNEL32(0000000A), ref: 00220FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0022105A
DestroyWindow.USER32 ref: 00221066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00221080
Sleep.KERNEL32(0000000A,?,?), ref: 002552AD
TranslateMessage.USER32(?), ref: 0025608A
DispatchMessageW.USER32(?), ref: 00256098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002560AC

Strings

@GUI_CTRLID, xrefs: 00255364
pr-, xrefs: 00255BDE
pr-, xrefs: 0025542D
@TRAY_ID, xrefs: 00255BB9
@GUI_WINHANDLE, xrefs: 002553B9
@GUI_CTRLHANDLE, xrefs: 0025540E
pr-, xrefs: 00255383
@COM_EVENTOBJ, xrefs: 0025591A
pr-, xrefs: 002553D8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr-$pr-$pr-$pr-
API String ID: 4003667617-1310307165
Opcode ID: 67b256f87fef95bada12c188a58ed67f09b973da76df3539220e843f77256608
Instruction ID: 6fe202b919bb44c8e89589ad0d02fb342baa086ed46a09a230c00b73538c386c
Opcode Fuzzy Hash: 67b256f87fef95bada12c188a58ed67f09b973da76df3539220e843f77256608
Instruction Fuzzy Hash: 80B2D370628752DFD724DF24D898BAAB7E5BF84304F14491DF84987291DB70E8A8CF86

Function 002793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002791E9: __time64.LIBCMT ref: 002791F3

Part of subcall function 00215045: _fseek.LIBCMT ref: 0021505D

__wsplitpath.LIBCMT ref: 002794BE

Part of subcall function 0023432E: __wsplitpath_helper.LIBCMT ref: 0023436E

_wcscpy.LIBCMT ref: 002794D1
_wcscat.LIBCMT ref: 002794E4
__wsplitpath.LIBCMT ref: 00279509
_wcscat.LIBCMT ref: 0027951F
_wcscat.LIBCMT ref: 00279532

Part of subcall function 0027922F: _memmove.LIBCMT ref: 00279268
Part of subcall function 0027922F: _memmove.LIBCMT ref: 00279277

_wcscmp.LIBCMT ref: 00279479

Part of subcall function 002799BE: _wcscmp.LIBCMT ref: 00279AAE
Part of subcall function 002799BE: _wcscmp.LIBCMT ref: 00279AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002796DC
_wcsncpy.LIBCMT ref: 0027974F
DeleteFileW.KERNEL32(?,?), ref: 00279785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0027979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002797AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002797BE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 9e182a31e613dc893cbb3de340b0da0c75d6227f4a3e33b104be702b0966d13f
Instruction ID: e24539a96977c78a9e0e982b37990064409ccee46b787dc273100197e432d1a5
Opcode Fuzzy Hash: 9e182a31e613dc893cbb3de340b0da0c75d6227f4a3e33b104be702b0966d13f
Instruction Fuzzy Hash: 71C13CB1D10229AADF21DF94CC85EDEB7BDEF59300F0080AAF609E7151DB709A948F65

Function 00213015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00213074
RegisterClassExW.USER32(00000030), ref: 0021309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002130AF
InitCommonControlsEx.COMCTL32(?), ref: 002130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002130DC
LoadIconW.USER32(000000A9), ref: 002130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00213101

Strings

TaskbarCreated, xrefs: 002130A4
0, xrefs: 00213056
+, xrefs: 0021305D
AutoIt v3 GUI, xrefs: 00213090

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 87a753a970da0bf6e9c3d250e4b001ec090e6f5f0e31a242f7493479dd2b82cc
Instruction ID: f9066a4c2b0ce845a3879cdcd9120f7786417158da2f786535f640f5ed6df695
Opcode Fuzzy Hash: 87a753a970da0bf6e9c3d250e4b001ec090e6f5f0e31a242f7493479dd2b82cc
Instruction Fuzzy Hash: 353178B1C41309AFDB818FA4EC8CAC9BBF4FB09320F10052AE580E62A0D3B50995CF50

Function 00213041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00213074
RegisterClassExW.USER32(00000030), ref: 0021309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002130AF
InitCommonControlsEx.COMCTL32(?), ref: 002130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002130DC
LoadIconW.USER32(000000A9), ref: 002130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00213101

Strings

TaskbarCreated, xrefs: 002130A4
0, xrefs: 00213056
+, xrefs: 0021305D
AutoIt v3 GUI, xrefs: 00213090

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0d5b726319edb0759a7cf47194cba54b50beb56927e925397b593b6f9161b571
Instruction ID: 5edb0660e8f9950e01b14251e0fcd0beab38446650c8ce0c3affb97b3eb313c7
Opcode Fuzzy Hash: 0d5b726319edb0759a7cf47194cba54b50beb56927e925397b593b6f9161b571
Instruction Fuzzy Hash: D721AEB1D51218AFDB809FA4F98DADDBBF8FB08700F10412BEA10E62A0D7B149549F91

Function 002171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00214864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D62F8,?,002137C0,?), ref: 00214882

Part of subcall function 0023074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002172C5), ref: 00230771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00217308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0024ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0024ED32
RegCloseKey.ADVAPI32(?), ref: 0024ED70
_wcscat.LIBCMT ref: 0024EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 002172FE
Include, xrefs: 0024ECE8, 0024ED29
\, xrefs: 0024EDEC
\Include\, xrefs: 002172C5

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 545e43087a076051eaa697812ceb9c0236c72bed913fa05306579c2fc3fb3395
Instruction ID: 38b7f157ad5c9244256082c87ba5a964e33ca6eee1babe25dcb0acc9e4c35cb9
Opcode Fuzzy Hash: 545e43087a076051eaa697812ceb9c0236c72bed913fa05306579c2fc3fb3395
Instruction Fuzzy Hash: A9715C719293419ED714EF25EC8989BB7F8FF99750F40052FF845831A0EB3099A8CBA1

Function 00213633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002136D2
KillTimer.USER32(?,00000001), ref: 002136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0021371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0021372A
CreatePopupMenu.USER32 ref: 0021373E
PostQuitMessage.USER32(00000000), ref: 0021375F

Strings

TaskbarCreated, xrefs: 00213725
%*, xrefs: 0024D2D1, 0024D31F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%*
API String ID: 129472671-2475160800
Opcode ID: ae1d818c9e4b6b00a1a217bfa204de329c1221ecfd6fee1f4b0d5d0bae8b733b
Instruction ID: 42e1139471c3794e69bd73429c7342862933f4532328130fe2a3a4044bc4f0a0
Opcode Fuzzy Hash: ae1d818c9e4b6b00a1a217bfa204de329c1221ecfd6fee1f4b0d5d0bae8b733b
Instruction Fuzzy Hash: 5F4127B1234146BBEB54DF64FC0DBF977DAE720300F14012BF902C22E1DAA59EB19A65

Function 00213A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00213A62
LoadCursorW.USER32(00000000,00007F00), ref: 00213A71
LoadIconW.USER32(00000063), ref: 00213A88
LoadIconW.USER32(000000A4), ref: 00213A9A
LoadIconW.USER32(000000A2), ref: 00213AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00213AD2
RegisterClassExW.USER32(?), ref: 00213B28

Part of subcall function 00213041: GetSysColorBrush.USER32(0000000F), ref: 00213074
Part of subcall function 00213041: RegisterClassExW.USER32(00000030), ref: 0021309E
Part of subcall function 00213041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002130AF
Part of subcall function 00213041: InitCommonControlsEx.COMCTL32(?), ref: 002130CC
Part of subcall function 00213041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002130DC
Part of subcall function 00213041: LoadIconW.USER32(000000A9), ref: 002130F2
Part of subcall function 00213041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00213101

Strings

0, xrefs: 00213B06
AutoIt v3, xrefs: 00213B17
#, xrefs: 00213B0D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ce46b064d7f484f9e820a8a26331b9d56c405e1e054ce580752533cac69b25a1
Instruction ID: 3d0aae567e33d7466c1f470787d1e37e7c6e01e8ce2bd33db436806387c81ff4
Opcode Fuzzy Hash: ce46b064d7f484f9e820a8a26331b9d56c405e1e054ce580752533cac69b25a1
Instruction Fuzzy Hash: 77211771E12308AFEB509FA4FD0DB9D7BF6FB08711F10412BE904A62A0D7B65A548F94

Function 00213778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 002138B9
CMDLINE, xrefs: 00213834
CMDLINERAW, xrefs: 0021380D
/AutoIt3ExecuteScript, xrefs: 002138CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002137C0
/AutoIt3OutputDebug, xrefs: 002138A4
/ErrorStdOut, xrefs: 0021388F
b-, xrefs: 0024D44E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b-
API String ID: 1825951767-256201994
Opcode ID: 61976d821361884cd205023c6950b248dbb1f583d283fb9f09bd4f274ea02360
Instruction ID: 4d66e1a60e59fe0e158d52f29b5ee8b7467720a30f15f9a2497c92e7fbf962c4
Opcode Fuzzy Hash: 61976d821361884cd205023c6950b248dbb1f583d283fb9f09bd4f274ea02360
Instruction Fuzzy Hash: 3DA130719302299ADF04EFA0DC95AEEB7F9BF24300F54042AF416A7191DF745AA9CF60

Function 0021F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002303D3
Part of subcall function 002303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 002303DB
Part of subcall function 002303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002303E6
Part of subcall function 002303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002303F1
Part of subcall function 002303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 002303F9
Part of subcall function 002303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00230401

Part of subcall function 00226259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0021FA90), ref: 002262B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0021FB2D
OleInitialize.OLE32(00000000), ref: 0021FBAA
CloseHandle.KERNEL32(00000000), ref: 002549F2

Strings

<g-, xrefs: 0021FA90
\d-, xrefs: 0021F957
c-, xrefs: 0021F94B
%*, xrefs: 0021F8F6, 0021F908, 0021FACE, 0021FBB1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g-$\d-$%*$c-
API String ID: 1986988660-1525193879
Opcode ID: c2d97b96f010a48ae534d3be2c29ba5686a9967924fd0e4d213616361530ac40
Instruction ID: 63f80ceb9d449892e5c94ab077e14faa6bd5af4f4a58c55971d9205fb61b686e
Opcode Fuzzy Hash: c2d97b96f010a48ae534d3be2c29ba5686a9967924fd0e4d213616361530ac40
Instruction Fuzzy Hash: 9D81A7B0D262848FD3A4EF69FA5C655BBE5FB98708710816BD018C73A2EB354C65CF60

Function 022C25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 022C26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 022C28E7

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: d70d759e52b26612fafaee8d60d95417559cef3bfd9763627e9167c1cc15c372
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: CBA10674E14209EBDB14CFE4C894BEEBBB5BF48304F208659E501BB284DB759A45CFA4

Function 002139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213A36
ShowWindow.USER32(00000000,?,?), ref: 00213A4A
ShowWindow.USER32(00000000,?,?), ref: 00213A53

Strings

edit, xrefs: 00213A30
AutoIt v3, xrefs: 00213A0D, 00213A12, 00213A13

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e84d68932dbc3ad6446155f9c0cccc73297e6f67292fa2d5e5f9c89b1a443f05
Instruction ID: f7e0df058ef0d8e684955bcc003462515bce75cd53275aa1b6907df1fd6b8383
Opcode Fuzzy Hash: e84d68932dbc3ad6446155f9c0cccc73297e6f67292fa2d5e5f9c89b1a443f05
Instruction Fuzzy Hash: F1F0B271A42290BAEAA11B67BC4DE676F7DE7C6F50F00412BBD04E21A0C6A61C51DAB0

Function 022C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 022C22A0: Sleep.KERNELBASE(000001F4), ref: 022C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 022C24DC

Strings

EY5PX6XM06A87IN2KMPMO, xrefs: 022C253F, 022C2542

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID: CreateFileSleep
String ID: EY5PX6XM06A87IN2KMPMO
API String ID: 2694422964-186988925
Opcode ID: 2babe65a2317f128da28d86aabd355fedbbd099a9e81184f625ad1313130d228
Instruction ID: 53564e3207d54f535802123097ae52a61c2a0e5a17a6de8f24b215951006f89e
Opcode Fuzzy Hash: 2babe65a2317f128da28d86aabd355fedbbd099a9e81184f625ad1313130d228
Instruction Fuzzy Hash: 7B517030D14248DAEB11DBE4C854BEFBB79AF19304F104299E648BB2C0DAB91B45CBA5

Function 0021410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0024D5EC

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

_memset.LIBCMT ref: 0021418D
_wcscpy.LIBCMT ref: 002141E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002141F1

Strings

Line: , xrefs: 0024D615

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b18ce21df5964fe586437c5d8394ffdd22b1bb6a1da389108bb7b7262792391a
Instruction ID: 02475da3b3fe0c320d0014f7efdeedf3c6b13344cff3ca56ee723d5f4894ef11
Opcode Fuzzy Hash: b18ce21df5964fe586437c5d8394ffdd22b1bb6a1da389108bb7b7262792391a
Instruction Fuzzy Hash: B431D571429305AAD721EB60EC49FDB77ECAF64310F10451FF58992091DB74AAA8CB92

Function 0023564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002356AB
_memcpy_s.LIBCMT ref: 0023571D
__read_nolock.LIBCMT ref: 0023577B
__filbuf.LIBCMT ref: 0023579E
_memset.LIBCMT ref: 002357E2

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 4362f459c8624f0db7f5743625c4a107a1cb2ffe4885c701c2ee25bc6b81b1ea
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 9251A4B0A20B26DBDB249F79C88566EB7B5AF40320F648729F83D962D0D7749D708F40

Function 002169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00214F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214F6F

_free.LIBCMT ref: 0024E68C
_free.LIBCMT ref: 0024E6D3

Part of subcall function 00216BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00216D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0024E462
Bad directive syntax error, xrefs: 0024E6BB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 2704c821a2081d61f17a3025e41dbf8b31a4aea1557fbf213584db28943c8751
Instruction ID: 8044ead19490444ca604288c2e140707c4f11fe2d440fe78c5794f376e4e20f1
Opcode Fuzzy Hash: 2704c821a2081d61f17a3025e41dbf8b31a4aea1557fbf213584db28943c8751
Instruction Fuzzy Hash: 8F919D71920219EFDF08EFA4C8819EDB7B8FF28304F15446AF816AB291DB309965CF50

Function 002135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002135A1,SwapMouseButtons,00000004,?), ref: 002135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002135A1,SwapMouseButtons,00000004,?,?,?,?,00212754), ref: 002135F5
RegCloseKey.KERNELBASE(00000000,?,?,002135A1,SwapMouseButtons,00000004,?,?,?,?,00212754), ref: 00213617

Strings

Control Panel\Mouse, xrefs: 002135D2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1bcb6b58f594655220941773d68fd0c4838e0eb47f611679f653f5ef47b9cf54
Instruction ID: 335cb3baaa3c31fcaccd0331ae66d82617960ba25b9ae10d77030749b0944da7
Opcode Fuzzy Hash: 1bcb6b58f594655220941773d68fd0c4838e0eb47f611679f653f5ef47b9cf54
Instruction Fuzzy Hash: DA114871A20248BFDB20CF64EC84AEEB7FDEF54740F00446AE805D7210D2719EA49764

Function 022C12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 022C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022C1B13

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 3a39aa10698c0dd39870f282bb5ae9e6ab2cab176f8a2aa07d8c186adf62f7d8
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: B3621D70A24258DBEB24CFA4C841BDEB372EF58300F2091A9D10DEB395E7759E81CB59

Function 002797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00215045: _fseek.LIBCMT ref: 0021505D

Part of subcall function 002799BE: _wcscmp.LIBCMT ref: 00279AAE
Part of subcall function 002799BE: _wcscmp.LIBCMT ref: 00279AC1

_free.LIBCMT ref: 0027992C
_free.LIBCMT ref: 00279933
_free.LIBCMT ref: 0027999E

Part of subcall function 00232F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00239C64), ref: 00232FA9
Part of subcall function 00232F95: GetLastError.KERNEL32(00000000,?,00239C64), ref: 00232FBB

_free.LIBCMT ref: 002799A6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 32bc5abd48563f18e87c3223f97b885e3936f0ef8f82935addba5689f8a5a87e
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 91515FF1914628EFDF249F64CC41A9EBBB9EF48310F0044AEB60DA7241DB715A90CF59

Function 0023493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002349D0
__flush.LIBCMT ref: 002349F0
__write.LIBCMT ref: 00234A23
__flsbuf.LIBCMT ref: 00234A51

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 8ace6c62804a1b8eb2c6cbc5d08555724a3f639c93581a21211f76bc474be97c
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: AC41D6F06207069BDF18EEA9C890A6F7BA9EF80360F2485BDE855C7650D770FD618B44

Function 00214DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00214E1A

Strings

AU3!P/*, xrefs: 00214E14
EA06, xrefs: 0024DCF5

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/*$EA06
API String ID: 4104443479-4236188408
Opcode ID: 953d10d51110cb17d87084ac76f177078e50425732e939b7b13c982b8d81b0f2
Instruction ID: 189306334d65915d258a0edcd32d8b8872832c013ce61184c51fb828e0983626
Opcode Fuzzy Hash: 953d10d51110cb17d87084ac76f177078e50425732e939b7b13c982b8d81b0f2
Instruction Fuzzy Hash: 3C418071A341699BCF116F64C851BFE7FE6AB75300F6840B5EC4A9B282C5618DF08BE1

Function 002173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024EE62
GetOpenFileNameW.COMDLG32(?), ref: 0024EEAC

Part of subcall function 002148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002148A1,?,?,002137C0,?), ref: 002148CE

Part of subcall function 002309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002309F4

Strings

X, xrefs: 0024EE7A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 45e656654aaedac98bdca96c8f0662182b742f488b2f1ab77b93245883a478e8
Instruction ID: 4ea6cb18d477779181fc42aea38c8e5b453b098a5a6c895e66780efbc43312c7
Opcode Fuzzy Hash: 45e656654aaedac98bdca96c8f0662182b742f488b2f1ab77b93245883a478e8
Instruction Fuzzy Hash: 4D21C370A2025C9BDF15DF94DC49BEE7BF8AF59310F00405AE408E7281DBF859A98FA1

Function 0027901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00279036
__fread_nolock.LIBCMT ref: 0027904B

Strings

EA06, xrefs: 0027907D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 99c6aca0a70f128690d2b4d177f43f4868e65e05d4194bb620f55630fe908e58
Instruction ID: 61ffb0ec8d341ac9a11782dce8dd407a3f96b837875c96c568bd259ae62235d9
Opcode Fuzzy Hash: 99c6aca0a70f128690d2b4d177f43f4868e65e05d4194bb620f55630fe908e58
Instruction Fuzzy Hash: CF01F9718243686EDB28CAA8C816FEEBBF89B01301F00419EF556D2181E5B5A6148B60

Function 00279B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00279B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00279B99

Strings

aut, xrefs: 00279B93

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b567bc111c0d98a76f95140c380eec1b1801f019cd8f8c70da27ad070c052f67
Instruction ID: 76546b3e828f3e6d91cbb9a893a01bc7a2bc0698a2f5155aa1413134f798ddaa
Opcode Fuzzy Hash: b567bc111c0d98a76f95140c380eec1b1801f019cd8f8c70da27ad070c052f67
Instruction Fuzzy Hash: F7D05E7994030DABDBA09B90EC0EF9A772CE704704F0042A2BE54D10A1DEB155A88B95

Function 0028CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19f33a9e00b32a7d46a276913bd7c261a44f3d2a7f5264f3fb0a0601aa634ec
Instruction ID: 18e8e19aec57d0ca99ba0247560870cc0093eec33691b03d24a2662eda29c9d1
Opcode Fuzzy Hash: c19f33a9e00b32a7d46a276913bd7c261a44f3d2a7f5264f3fb0a0601aa634ec
Instruction Fuzzy Hash: FFF15B746183019FC714EF28C484A6ABBE5FF88314F14892EF8999B392D771E955CF82

Function 002143DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00214401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002144A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002144C3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ee2c3922258cd95069583928b99cc2cc0afcfd122508ea99f83f133925787259
Instruction ID: 36f40b7f947671abf8708cee527a6557f87425931cdb7a712c12eadbd01b0aa4
Opcode Fuzzy Hash: ee2c3922258cd95069583928b99cc2cc0afcfd122508ea99f83f133925787259
Instruction Fuzzy Hash: 723161B09157019FD760EF24E8887DBBBE8FB58704F00092EE99E83251D7756994CB92

Function 0023594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00235963

Part of subcall function 0023A3AB: __NMSG_WRITE.LIBCMT ref: 0023A3D2
Part of subcall function 0023A3AB: __NMSG_WRITE.LIBCMT ref: 0023A3DC

__NMSG_WRITE.LIBCMT ref: 0023596A

Part of subcall function 0023A408: GetModuleFileNameW.KERNEL32(00000000,002D43BA,00000104,?,00000001,00000000), ref: 0023A49A
Part of subcall function 0023A408: ___crtMessageBoxW.LIBCMT ref: 0023A548

Part of subcall function 002332DF: ___crtCorExitProcess.LIBCMT ref: 002332E5
Part of subcall function 002332DF: ExitProcess.KERNEL32 ref: 002332EE

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00231013,?), ref: 0023598F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9fbff1824f4d8a0a0e5dd63ddfd0712411820ef2b7a755ff6240238c20ca0ba7
Instruction ID: 905e939710050275e8928ac1357715ea4072e0ef40da10226b0240dd8c696c96
Opcode Fuzzy Hash: 9fbff1824f4d8a0a0e5dd63ddfd0712411820ef2b7a755ff6240238c20ca0ba7
Instruction Fuzzy Hash: 7201B5F1231B26DFE6117B75EC56B6E73889F41B70F50012BF909AA1D1DEB09D218AE0

Function 00279B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002797D2,?,?,?,?,?,00000004), ref: 00279B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00279B5B
CloseHandle.KERNEL32(00000000,?,002797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00279B62

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2c58e879bc862853d0200a9b1770e119591a74b85de0c447383bba94f831edec
Instruction ID: f3d5f0fcc6b26e9147f010f0eb169c35a5f148176a630efae6b76abe00ffaebb
Opcode Fuzzy Hash: 2c58e879bc862853d0200a9b1770e119591a74b85de0c447383bba94f831edec
Instruction Fuzzy Hash: E1E08632180314F7D7611F64FC0DFCA7B18EB05765F108121FB18A90E087B1252197DC

Function 00278F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00278FA5

Part of subcall function 00232F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00239C64), ref: 00232FA9
Part of subcall function 00232F95: GetLastError.KERNEL32(00000000,?,00239C64), ref: 00232FBB

_free.LIBCMT ref: 00278FB6
_free.LIBCMT ref: 00278FC8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: e1af00b5c7358dfa9abd644a6c9f3d80d603d746374f26dc502cecf8bbed3e11
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 2EE012F16297028ACA24A978AD44AA357FE5F48360B58081DF50DEB942DE34E8658529

Function 0021AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0025002B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2616b88c30ddd4b6af3710ed8d9307cc4b48b91190c40f87893d8c972153b75d
Instruction ID: 51d42b0dc8a74898118d5497f7c6c5277640d143df5f2061e9f0cc3be7921e1f
Opcode Fuzzy Hash: 2616b88c30ddd4b6af3710ed8d9307cc4b48b91190c40f87893d8c972153b75d
Instruction Fuzzy Hash: ED226870529241DFC725DF14C494BAAB7F1BF98300F14896DE88A8B362D771EDA5CB82

Function 0021492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00214992

Part of subcall function 002335AC: __lock.LIBCMT ref: 002335B2
Part of subcall function 002335AC: DecodePointer.KERNEL32(00000001,?,002149A7,002681BC), ref: 002335BE
Part of subcall function 002335AC: EncodePointer.KERNEL32(?,?,002149A7,002681BC), ref: 002335C9

Part of subcall function 00214A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00214A73
Part of subcall function 00214A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00214A88

Part of subcall function 00213B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00213B7A
Part of subcall function 00213B4C: IsDebuggerPresent.KERNEL32 ref: 00213B8C
Part of subcall function 00213B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002D62F8,002D62E0,?,?), ref: 00213BFD
Part of subcall function 00213B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00213C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002149D2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 686a203448f8f6e59c175e9b1bab154d1dc002fdca9026b4ad819426436a757c
Instruction ID: a6a5bfb4b939d57648d3143b6274d42bf44bb37b57c1fe2e2ddebaf27a513c71
Opcode Fuzzy Hash: 686a203448f8f6e59c175e9b1bab154d1dc002fdca9026b4ad819426436a757c
Instruction Fuzzy Hash: 3B116D719293119BC700EF28E80D94AFBF8EFA4710F10851BF44587261DB709AA9CF96

Function 00215DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00215981,?,?,?,?), ref: 00215E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00215981,?,?,?,?), ref: 0024E19C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1ad7c6d2c78fb2d32a22bb729b1996fb97e2a9370094e1a1cc8951c20dec687
Instruction ID: bd239a860d2be19d5d502d2acb308cacd8aac5ba8cacfb76aeadca30fb4875f2
Opcode Fuzzy Hash: c1ad7c6d2c78fb2d32a22bb729b1996fb97e2a9370094e1a1cc8951c20dec687
Instruction Fuzzy Hash: 8F01F570294319FEF7640E24CC8AFA23BDCFB10768F108319BAE95A1E0C6B01E958F50

Function 00230FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0023594C: __FF_MSGBANNER.LIBCMT ref: 00235963
Part of subcall function 0023594C: __NMSG_WRITE.LIBCMT ref: 0023596A
Part of subcall function 0023594C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00231013,?), ref: 0023598F

std::exception::exception.LIBCMT ref: 0023102C
__CxxThrowException@8.LIBCMT ref: 00231041

Part of subcall function 002387DB: RaiseException.KERNEL32(?,?,?,002CBAF8,00000000,?,?,?,?,00231046,?,002CBAF8,?,00000001), ref: 00238830

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3ea965ad248a9511bfc1be715e85215b1c4b9a591172cf202ddc8ed85892009e
Instruction ID: fa9c3993cf06ce6a714057d6bf70cac8fe7aba6d158b35bd6c67c0a8ee13f02d
Opcode Fuzzy Hash: 3ea965ad248a9511bfc1be715e85215b1c4b9a591172cf202ddc8ed85892009e
Instruction Fuzzy Hash: E2F0CDB552031DA7C725FE98DC06ADFB7AC9F01351F100426FC04A5992EFB18AB58AD0

Function 0023582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0023585C
__lock_file.LIBCMT ref: 0023587D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 8b212cb8fb7df0d32bd19f21094b8e44655fc3434eae24be164da0bd916e0487
Instruction ID: 5f95216e006bb04d81ac9aa62e9b94ce51e0f8f70aee2851da5a3495a0337233
Opcode Fuzzy Hash: 8b212cb8fb7df0d32bd19f21094b8e44655fc3434eae24be164da0bd916e0487
Instruction Fuzzy Hash: 7B01A7F1C20719EBCF12AF698C0699F7B61AF40360F148215F8185B1A1DB318A71DF91

Function 002355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

__lock_file.LIBCMT ref: 0023561B

Part of subcall function 00236E4E: __lock.LIBCMT ref: 00236E71

__fclose_nolock.LIBCMT ref: 00235626

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0342988664f3c3c8b3df4ccd8dfdfafbe32ac339271ad1feb662477ce31e918c
Instruction ID: 92a3c1be62a8a645548337ad8eb4f9f0e6d7af3eaa7b0a495e758b1a480b3ec6
Opcode Fuzzy Hash: 0342988664f3c3c8b3df4ccd8dfdfafbe32ac339271ad1feb662477ce31e918c
Instruction Fuzzy Hash: 27F02BF1930B159AD7216F34880375E77D51F00334F548209B418AF0C1CF7C4A218F41

Function 002181C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0021558F,?,?,?,?,?), ref: 002181DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0021558F,?,?,?,?,?), ref: 0021820D

Part of subcall function 002178AD: _memmove.LIBCMT ref: 002178E9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 6a9fe7f592aeedc0f202cbdb548d129a07da5c3d7d02324c39e9833f9ca678a8
Instruction ID: c0a79b734ea78be938068d07b0b9bf72ef648a15939504afb07727b92cdc2186
Opcode Fuzzy Hash: 6a9fe7f592aeedc0f202cbdb548d129a07da5c3d7d02324c39e9833f9ca678a8
Instruction Fuzzy Hash: A701A271211104BFEB256A25ED8AFBB3BADEB85760F10802AFD05CD190DE7098509A71

Function 022C129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 022C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022C1B13

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 54d0f653be1e89e0053a6a614dde994b39608e2e3034792f9184e2a2b08434e2
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: EB12DD24E24658C6EB24DF60D8507DEB232EF68300F1091ED910DEB7A5E77A4E91CF5A

Function 0021F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f89b69cb3fc9f696d7f2c6f3321d21427b489e6a8508b1c2a9cd9097cfa1776
Instruction ID: f169c581c9e831949ee9a5420a4f3f1b742da882a73974398b25ea22b8b0074c
Opcode Fuzzy Hash: 6f89b69cb3fc9f696d7f2c6f3321d21427b489e6a8508b1c2a9cd9097cfa1776
Instruction Fuzzy Hash: B861DF70620206AFDB10EF24CA90AABB7F5EF58304F54803DE9269B251E770EDA4CB51

Function 00222123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90d5af20a66954320b0551bf3fb2f2406b6c89ea7e813b0e2323899bb4d9991
Instruction ID: 9f91e82e4f9656b8e0fde973129771b324ad8adb946e0c139b3268309c7d6590
Opcode Fuzzy Hash: b90d5af20a66954320b0551bf3fb2f2406b6c89ea7e813b0e2323899bb4d9991
Instruction Fuzzy Hash: C651A130620614EFCF14EF94C995EAE73E5AF84310F1481A8F846AB392CB31ED64CB55

Function 0021766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0021774A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction ID: b1b86869fcdce1beeaa04c752e71190f782706fd09e8a0050946c589e1171aa5
Opcode Fuzzy Hash: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction Fuzzy Hash: 3F31B679228A03DFD7249F18C090961F7F4FF59310B14C569E9898B7A5EB70D8E2CB94

Function 00215C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00215CF6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 963d60f397d131380dc1925c216762e9a28e5c932963230c1539637fdf4e56f5
Instruction ID: 8f2c9b7bd4303387f9f124c6489a4619fcdd1d45794e35627fe66293fe589681
Opcode Fuzzy Hash: 963d60f397d131380dc1925c216762e9a28e5c932963230c1539637fdf4e56f5
Instruction Fuzzy Hash: 02314D71A20B1AEFCB18CF29D48469DB7F5FF98310F14865AE81993710D771A9A0DBD0

Function 002500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002500E1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d3faa5bfa516615709f0e5521b69f76d247138ae7bc7969cf9fe29d652ebbaf4
Instruction ID: 562910d3e92994dd78f4de70702daba2cbd7d54ec21f591c71b3fe03c8e7cbbf
Opcode Fuzzy Hash: d3faa5bfa516615709f0e5521b69f76d247138ae7bc7969cf9fe29d652ebbaf4
Instruction Fuzzy Hash: 1B412774514351CFDB24DF14C484B5ABBE0BF55318F1988ACE8898B362C332E8A5CF56

Function 00214F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00214D13: FreeLibrary.KERNEL32(00000000,?), ref: 00214D4D

Part of subcall function 0023548B: __wfsopen.LIBCMT ref: 00235496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214F6F

Part of subcall function 00214CC8: FreeLibrary.KERNEL32(00000000), ref: 00214D02

Part of subcall function 00214DD0: _memmove.LIBCMT ref: 00214E1A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: cc456e313a096b9b8bd1e62c459388a201ee2952e9ceaf1facce3f7488bd7088
Instruction ID: 051cd1e77cb6f76065163f86c123f68f22468b371798029c6aad639e25b1dd85
Opcode Fuzzy Hash: cc456e313a096b9b8bd1e62c459388a201ee2952e9ceaf1facce3f7488bd7088
Instruction Fuzzy Hash: 29112732A20319AACF14BF70DC02BEE73E49F54710F20842AF945A62D1DA719A659F90

Function 002501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002501BB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d5e1894f64fcbd023f4c3572b89e7026f00076c196f55e24b168018851220255
Instruction ID: d07c581294e53b2635318b5f3be75a3b4f6685570823bd315d91463af5f8d02d
Opcode Fuzzy Hash: d5e1894f64fcbd023f4c3572b89e7026f00076c196f55e24b168018851220255
Instruction Fuzzy Hash: 332124B4528351DFCB24DF54C884B5ABBE0BF98314F048968E88A97721D731E8A9CF52

Function 00215D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00215807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00215D76

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d53621fade546ccbfa5db0fd90a8af2d76c5309241dac8f20f798b7970e64109
Instruction ID: 7a768298456316955bb789451ab981812924d78ce6bb8d4e5bfba4ba49abe01a
Opcode Fuzzy Hash: d53621fade546ccbfa5db0fd90a8af2d76c5309241dac8f20f798b7970e64109
Instruction Fuzzy Hash: 6A113A71210B11DFD3308F15E488BA2B7F9EF95750F10C96EE4AA86A50D7B0E995CF60

Function 00217F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00217F82

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction ID: ec1380c7b393e21a7d0b826b3868b60f3cc32007299eb6ce366e2c80b945ee5e
Opcode Fuzzy Hash: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction Fuzzy Hash: 7901FEB22247057ED3245F39CC02F67B7E4DB84750F10852DF55ACA5D1DA71E4618B60

Function 00284583 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 002845C0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 1ea07dd6a633103f9f5f14dc1a87d9452175cc15b3333f17f693833210b7d016
Instruction ID: 2347a7e6c8d38ef3a649a3970a85cf36bfcf3ca9e57917b9c6bbf5dc7af6bf02
Opcode Fuzzy Hash: 1ea07dd6a633103f9f5f14dc1a87d9452175cc15b3333f17f693833210b7d016
Instruction Fuzzy Hash: F9F03175624145AF8B14EB64D846C9F7BF8EF55720F00405AF8059B251DE70A9A1CBA0

Function 00234A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00234AD6

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: cbf5e73cfd38fc1de52960e633428122b69509055161251e1c38114efb801633
Instruction ID: 1837b3abf2fbaa2443eff9fe05dcd3e9a26d377a88600ca202834b17870b2740
Opcode Fuzzy Hash: cbf5e73cfd38fc1de52960e633428122b69509055161251e1c38114efb801633
Instruction Fuzzy Hash: 67F0AFB196030AABDF61BF748C0679E77A5AF00329F048554B824AA1D1CB789E70DF51

Function 00214FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214FDE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8343ae150bdbd0d3e39b349c90d97c0b818818e82b6be59a441a48370c4dc691
Instruction ID: 26890528ee8138d70a25fd49af28371228b19d4f7ae88a2839dad9d2a1f5a159
Opcode Fuzzy Hash: 8343ae150bdbd0d3e39b349c90d97c0b818818e82b6be59a441a48370c4dc691
Instruction Fuzzy Hash: 0FF03071125716CFC734AF64E494852BBE1BF243253208A3EE5DE82B10C772A8A5DF40

Function 002309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002309F4

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4710478b23c2e9af80039571aa40dd3d69dac1b3517ef3cf398b518dc8b94266
Instruction ID: aedc9656f8bd1dd6d3a13d586e56d257e0331930f7c1f9be9a4d6bb82cd334c3
Opcode Fuzzy Hash: 4710478b23c2e9af80039571aa40dd3d69dac1b3517ef3cf398b518dc8b94266
Instruction Fuzzy Hash: 4CE0863691422857C720D698AC05FFA77EDDF88690F0401B6FC0CD7208D9609C918A90

Function 00279129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0027914B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: ea988994003325a5665a72171067a6b1a1b50bc9cb83a2d55412c9178784e3bc
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: FAE092B0114B015FDB348E24D8117E373E0AB06315F00081CF29E83341EB6278918B59

Function 00215DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0024E16B,?,?,00000000), ref: 00215DBF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5e28aa07226b46dfd2cf90c2ae527f8758f8590b3c3fe3d8ccd7418a0f8cfc3e
Instruction ID: 09f87b96ba8662f27bad770465f11fe399733efd61ba0d51f5b4adfb5273ce72
Opcode Fuzzy Hash: 5e28aa07226b46dfd2cf90c2ae527f8758f8590b3c3fe3d8ccd7418a0f8cfc3e
Instruction Fuzzy Hash: 23D0C77564020CBFE710DB80DC46FA9777CDB05710F100195FD0496290D6B27D508795

Function 0023548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00235496

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: cefbb63518f002235e5c01d3dd4c4f05fbe71917139676ad2614fe8d6d794629
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 9DB092B684020C77DE012E82EC02A593B199B40678F808020FB0C18162A673A6B0AA89

Function 0027D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0027D46A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f93ab67ef2bd98a2ae08daf23e6ab1ab0526b7a1cb25913bc5b6e1caea5c665c
Instruction ID: 970bfed579b8f4cb29ca67bbc04f7550eca0052dff3f95b2d2d86b3e7e66a53e
Opcode Fuzzy Hash: f93ab67ef2bd98a2ae08daf23e6ab1ab0526b7a1cb25913bc5b6e1caea5c665c
Instruction Fuzzy Hash: 907142302243028FC714EF24D4E1AAAB7F1AF98314F04496DF49A9B2A1DB70ED59CF52

Function 00230E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00230EF7

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1281f8a87765342b89ea3c16a5b760d124232503bdbf2a96e629c25a4e329160
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3C31D2B4A20106DBC718DF58C4E0969F7A6FF59300F648AA5E409CB651DB71EDE1CBE0

Function 022C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 022C22B1

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 06641a408b3b2f0a4c1fae8b81eb64b996ce423b1d27d9e25983dbc26ed92f5e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: CBE0E67494020EDFDB00EFF8D94969E7FB4EF04301F100265FD01D2284DA709D508A72

Non-executed Functions

Function 0029CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0029CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0029CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0029CF00
SendMessageW.USER32 ref: 0029CF29
_wcsncpy.LIBCMT ref: 0029CFA1
GetKeyState.USER32(00000011), ref: 0029CFC2
GetKeyState.USER32(00000009), ref: 0029CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029CFE5
GetKeyState.USER32(00000010), ref: 0029CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0029D018
SendMessageW.USER32 ref: 0029D03F
SendMessageW.USER32(?,00001030,?,0029B602), ref: 0029D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0029D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0029D16E
SetCapture.USER32(?), ref: 0029D177
ClientToScreen.USER32(?,?), ref: 0029D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0029D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0029D203
ReleaseCapture.USER32 ref: 0029D20E
GetCursorPos.USER32(?), ref: 0029D248
ScreenToClient.USER32(?,?), ref: 0029D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0029D2B1
SendMessageW.USER32 ref: 0029D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0029D31C
SendMessageW.USER32 ref: 0029D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0029D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0029D37B
GetCursorPos.USER32(?), ref: 0029D39B
ScreenToClient.USER32(?,?), ref: 0029D3A8
GetParent.USER32(?), ref: 0029D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0029D431
SendMessageW.USER32 ref: 0029D462
ClientToScreen.USER32(?,?), ref: 0029D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0029D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0029D51A
SendMessageW.USER32 ref: 0029D53D
ClientToScreen.USER32(?,?), ref: 0029D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0029D5C3

Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC

GetWindowLongW.USER32(?,000000F0), ref: 0029D65F

Strings

pr-, xrefs: 0029D1BD
@GUI_DRAGID, xrefs: 0029D1AA
F, xrefs: 0029D543

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr-
API String ID: 3977979337-225883629
Opcode ID: 802583b8305a1413052e1b7e3587223d866ec0671f75ade8efa44cf622cf58a2
Instruction ID: dd18b0c1168f6db58f274e087003f5072778a4bfaabc744a338f8265d6d03690
Opcode Fuzzy Hash: 802583b8305a1413052e1b7e3587223d866ec0671f75ade8efa44cf622cf58a2
Instruction Fuzzy Hash: 7742A030514341AFDB25CF28D858AAABBE6FF49314F24051EF69AC72A0C7719C64DF92

Function 0029804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0029873F

Strings

%d/%02d/%02d, xrefs: 00298478

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d7c1f95767029511059aa18ac787a5f9d0497235f0074c2c19df3e11929639aa
Instruction ID: be2e7228b9841db293c05634c5fd0cfc08dbdbf2f8ead0e9240a4708f2a44336
Opcode Fuzzy Hash: d7c1f95767029511059aa18ac787a5f9d0497235f0074c2c19df3e11929639aa
Instruction Fuzzy Hash: 3812D171920305ABEF648F64DC49FAA7BB9EF46310F28412AF919DA2E1DF708951CF10

Function 0022710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002275C2
_memset.LIBCMT ref: 002276B1
_memmove.LIBCMT ref: 00227C4B
_memmove.LIBCMT ref: 00227E4F

Strings

Q\E, xrefs: 002281C1
DEFINE, xrefs: 002625AF
\b(?=\w), xrefs: 00263C34
[:>:]], xrefs: 0022760A
0w,, xrefs: 00261F5B
\b(?<=\w), xrefs: 00263C41
Oa", xrefs: 0026287E
[:<:]], xrefs: 002275F1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w,$DEFINE$Oa"$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3111593503
Opcode ID: bfaa05ec861affe510a98e41ac7381949298b39b2e786462e7e3cb2e5f193cf3
Instruction ID: 32088c1feb46b80c9aae0bf81ebce3d12811f670dd15f618db792094679386a6
Opcode Fuzzy Hash: bfaa05ec861affe510a98e41ac7381949298b39b2e786462e7e3cb2e5f193cf3
Instruction Fuzzy Hash: 58939071E24216DBDB24CF98D881BADB7B1FF48310F25816AE945EB290E7709ED1CB50

Function 00214A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00214A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024DA8E
IsIconic.USER32(?), ref: 0024DA97
ShowWindow.USER32(?,00000009), ref: 0024DAA4
SetForegroundWindow.USER32(?), ref: 0024DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0024DAC4
GetCurrentThreadId.KERNEL32 ref: 0024DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0024DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0024DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0024DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0024DAF8
SetForegroundWindow.USER32(?), ref: 0024DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024DB10
keybd_event.USER32(00000012,00000000), ref: 0024DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024DB25
keybd_event.USER32(00000012,00000000), ref: 0024DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024DB33
keybd_event.USER32(00000012,00000000), ref: 0024DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024DB42
keybd_event.USER32(00000012,00000000), ref: 0024DB47
SetForegroundWindow.USER32(?), ref: 0024DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0024DB71

Strings

Shell_TrayWnd, xrefs: 0024DA89

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ece567d1dc2c08eacd48c73401c80fb07664d66e03f3459791516b2187fa48aa
Instruction ID: 792da677937600444a6ab28ea4da0586667cff60c7f0e284b8ad88bbf8234526
Opcode Fuzzy Hash: ece567d1dc2c08eacd48c73401c80fb07664d66e03f3459791516b2187fa48aa
Instruction Fuzzy Hash: 74316371A90318BBEB616FA1AD4DF7F7E6CEB44B50F114026FA04EA1D0D6B05D10AAA1

Function 00268858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00268CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00268D0D
Part of subcall function 00268CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268D3A
Part of subcall function 00268CC3: GetLastError.KERNEL32 ref: 00268D47

_memset.LIBCMT ref: 0026889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002688ED
CloseHandle.KERNEL32(?), ref: 002688FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00268915
GetProcessWindowStation.USER32 ref: 0026892E
SetProcessWindowStation.USER32(00000000), ref: 00268938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00268952

Part of subcall function 00268713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00268851), ref: 00268728
Part of subcall function 00268713: CloseHandle.KERNEL32(?,?,00268851), ref: 0026873A

Strings

default, xrefs: 0026894D
winsta0, xrefs: 00268910
, xrefs: 002688AA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3e3274101700061a9cdd547239ec340958f90dbf79bb116d37a964169cfc59a0
Instruction ID: ed2a37c062237a42ec7a1f0ac38fae9aa5a97c867bc809cb49ec1b1687354aae
Opcode Fuzzy Hash: 3e3274101700061a9cdd547239ec340958f90dbf79bb116d37a964169cfc59a0
Instruction Fuzzy Hash: 2A8150B195020AAFDF11DFE4DD49AEE7B78EF04304F18426AFD14A6161DB318EA4DB60

Function 0028425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0029F910), ref: 00284284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00284292
GetClipboardData.USER32(0000000D), ref: 0028429A
CloseClipboard.USER32 ref: 002842A6
GlobalLock.KERNEL32(00000000), ref: 002842C2
CloseClipboard.USER32 ref: 002842CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 002842E1
IsClipboardFormatAvailable.USER32(00000001), ref: 002842EE
GetClipboardData.USER32(00000001), ref: 002842F6
GlobalLock.KERNEL32(00000000), ref: 00284303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00284337
CloseClipboard.USER32 ref: 00284447

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: ad1a48acf04bef124a21b375042369fbd0f20bf11747565fc39abc74a131cdfd
Instruction ID: 5dc45fc045b154492157e5b2db250d113b06b1c2103121af4058e2d921079fe2
Opcode Fuzzy Hash: ad1a48acf04bef124a21b375042369fbd0f20bf11747565fc39abc74a131cdfd
Instruction Fuzzy Hash: E551B235214303ABD340FF60ED89FAE77A8AF94B00F10452AF956D21E1DB70D9648B62

Function 0027C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0027C9F8
FindClose.KERNEL32(00000000), ref: 0027CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0027CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0027CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0027CAAF
__swprintf.LIBCMT ref: 0027CAFB
__swprintf.LIBCMT ref: 0027CB3E

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

__swprintf.LIBCMT ref: 0027CB92

Part of subcall function 002338D8: __woutput_l.LIBCMT ref: 00233931

__swprintf.LIBCMT ref: 0027CBE0

Part of subcall function 002338D8: __flsbuf.LIBCMT ref: 00233953
Part of subcall function 002338D8: __flsbuf.LIBCMT ref: 0023396B

__swprintf.LIBCMT ref: 0027CC2F
__swprintf.LIBCMT ref: 0027CC7E
__swprintf.LIBCMT ref: 0027CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0027CAF5
%4d, xrefs: 0027CB38
%02d, xrefs: 0027CB86, 0027CB90, 0027CBDE, 0027CC2D, 0027CC7C, 0027CCCB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 07b807821f8738ba0d056e0b25519f4b7a80e3c68a9af4805310349a560deb8a
Instruction ID: 31bfd6146517dcb632195d49981549b9441285ad24850bff9f74b49607b0a818
Opcode Fuzzy Hash: 07b807821f8738ba0d056e0b25519f4b7a80e3c68a9af4805310349a560deb8a
Instruction Fuzzy Hash: C7A14EB1528304ABC750EF64C895DAFB7ECFF94700F40492EB586C3191EA34DA99CB62

Function 0027F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0027F221
_wcscmp.LIBCMT ref: 0027F236
_wcscmp.LIBCMT ref: 0027F24D
GetFileAttributesW.KERNEL32(?), ref: 0027F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0027F279
FindNextFileW.KERNEL32(00000000,?), ref: 0027F291
FindClose.KERNEL32(00000000), ref: 0027F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0027F2B8
_wcscmp.LIBCMT ref: 0027F2DF
_wcscmp.LIBCMT ref: 0027F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0027F308
SetCurrentDirectoryW.KERNEL32(002CA5A0), ref: 0027F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027F330
FindClose.KERNEL32(00000000), ref: 0027F33D
FindClose.KERNEL32(00000000), ref: 0027F34F

Strings

*.*, xrefs: 0027F2B3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 0f7a2bf75a7d5c04c860ff80978e34efe36510b0fd243923d18224f3d7715bae
Instruction ID: 4f501fd4d8b270566eb59b0f86931363feb25d845f7f3ad4cbccc11f85b41225
Opcode Fuzzy Hash: 0f7a2bf75a7d5c04c860ff80978e34efe36510b0fd243923d18224f3d7715bae
Instruction Fuzzy Hash: D831F87651425A6BCB90DFB4ED4DEEE73ACAF09360F1481B6E808D3090EB30DE65CA54

Function 00290AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00290BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0029F910,00000000,?,00000000,?,?), ref: 00290C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00290C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00290D1D
RegCloseKey.ADVAPI32(?), ref: 0029103D
RegCloseKey.ADVAPI32(00000000), ref: 0029104A

Strings

REG_MULTI_SZ, xrefs: 00290E05
REG_BINARY, xrefs: 00290FD8
REG_SZ, xrefs: 00290D5B
REG_DWORD, xrefs: 00290F0E
REG_QWORD, xrefs: 00290F8B
REG_EXPAND_SZ, xrefs: 00290CBA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8fdb566e144700da5dc954744e650ae60be503c66516ef3cc479de16252f58d4
Instruction ID: 6105d1883c9e2e3988617c18a45904fd6817fa60277ca176baa16c2fa088e7bd
Opcode Fuzzy Hash: 8fdb566e144700da5dc954744e650ae60be503c66516ef3cc479de16252f58d4
Instruction Fuzzy Hash: CC026A752206119FCB14DF14C895E6AB7E5EF89710F04885DF89A9B3A2CB30EDA1CF81

Function 0027F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0027F37E
_wcscmp.LIBCMT ref: 0027F393
_wcscmp.LIBCMT ref: 0027F3AA

Part of subcall function 002745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002745DC

FindNextFileW.KERNEL32(00000000,?), ref: 0027F3D9
FindClose.KERNEL32(00000000), ref: 0027F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0027F400
_wcscmp.LIBCMT ref: 0027F427
_wcscmp.LIBCMT ref: 0027F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0027F450
SetCurrentDirectoryW.KERNEL32(002CA5A0), ref: 0027F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027F478
FindClose.KERNEL32(00000000), ref: 0027F485
FindClose.KERNEL32(00000000), ref: 0027F497

Strings

*.*, xrefs: 0027F3FB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 72e6bad544a1dbec151a279e5adacd4adb95e9e5e93e9584b832fb9966681679
Instruction ID: 7c2553ad4278229008f010ef5c8cc704d3cbc9050ae553a37142f00f5c69546c
Opcode Fuzzy Hash: 72e6bad544a1dbec151a279e5adacd4adb95e9e5e93e9584b832fb9966681679
Instruction Fuzzy Hash: 5A31097151525A6FCF90DF74ED99AEE73AC9F09364F1082B5E904E30A0D730DE64CA64

Function 002681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0026874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00268766
Part of subcall function 0026874A: GetLastError.KERNEL32(?,0026822A,?,?,?), ref: 00268770
Part of subcall function 0026874A: GetProcessHeap.KERNEL32(00000008,?,?,0026822A,?,?,?), ref: 0026877F
Part of subcall function 0026874A: HeapAlloc.KERNEL32(00000000,?,0026822A,?,?,?), ref: 00268786
Part of subcall function 0026874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026879D

Part of subcall function 002687E7: GetProcessHeap.KERNEL32(00000008,00268240,00000000,00000000,?,00268240,?), ref: 002687F3
Part of subcall function 002687E7: HeapAlloc.KERNEL32(00000000,?,00268240,?), ref: 002687FA
Part of subcall function 002687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00268240,?), ref: 0026880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0026825B
_memset.LIBCMT ref: 00268270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0026828F
GetLengthSid.ADVAPI32(?), ref: 002682A0
GetAce.ADVAPI32(?,00000000,?), ref: 002682DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002682F9
GetLengthSid.ADVAPI32(?), ref: 00268316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00268325
HeapAlloc.KERNEL32(00000000), ref: 0026832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0026834D
CopySid.ADVAPI32(00000000), ref: 00268354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00268385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002683AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002683BF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: bc9bb76426cdb71b59c7630cddb34b9d9bb7acf096e13e73d9f29754b18c2f41
Instruction ID: afe96ffecb12e8451c089d062d9a512bbe065e540fff45c3252c4699a9b7eb6d
Opcode Fuzzy Hash: bc9bb76426cdb71b59c7630cddb34b9d9bb7acf096e13e73d9f29754b18c2f41
Instruction Fuzzy Hash: E0613D7191020AEBDF00DF94DD49AAEBB79FF04700F14826AE915E6291DB319AA5CB60

Function 00226843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 00261588
LIMIT_RECURSION=, xrefs: 00261635
UTF16), xrefs: 00261508
BSR_UNICODE), xrefs: 00261771
UTF), xrefs: 00261533
CRLF), xrefs: 002616FA
CR), xrefs: 002616C0
Oa", xrefs: 00261888, 0026192F, 002619DD
BSR_ANYCRLF), xrefs: 00261757
LF), xrefs: 002616DD
ANY), xrefs: 00261717
UCP), xrefs: 00261546
ANYCRLF), xrefs: 00261734
LIMIT_MATCH=, xrefs: 002615A9
PJ+, xrefs: 002268B3
NO_AUTO_POSSESS), xrefs: 00261567

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa"$PJ+$UCP)$UTF)$UTF16)
API String ID: 0-1205288418
Opcode ID: 31fc495246a5aec81041f0e4c5cb4b60248fbbd2716cd2f4e7b75e26128082de
Instruction ID: c99d2e7c60040592542a513a3ae615e951a2a7aa9a9a36dbfd4b5f8882943381
Opcode Fuzzy Hash: 31fc495246a5aec81041f0e4c5cb4b60248fbbd2716cd2f4e7b75e26128082de
Instruction Fuzzy Hash: B0727475E202299BDF24CF98D8857ADB7B5FF48310F14816AE845EB290DB709DA1CF90

Function 00290665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00290038,?,?), ref: 002910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00290737

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002907D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0029086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00290AAD
RegCloseKey.ADVAPI32(00000000), ref: 00290ABA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 0ca5891e4b766c65a039b759688e9d34dadb0f929e2feb7d650788f63635ff6b
Instruction ID: 1c49df798113270b13587eff172bed39d7cf0b4affd2d54fd2c2e8751c4f2a6f
Opcode Fuzzy Hash: 0ca5891e4b766c65a039b759688e9d34dadb0f929e2feb7d650788f63635ff6b
Instruction Fuzzy Hash: CDE17C31214315AFCB14DF28C994E6ABBE9EF88714F04846DF45ADB2A2DA30ED51CF91

Function 00270219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00270241
GetAsyncKeyState.USER32(000000A0), ref: 002702C2
GetKeyState.USER32(000000A0), ref: 002702DD
GetAsyncKeyState.USER32(000000A1), ref: 002702F7
GetKeyState.USER32(000000A1), ref: 0027030C
GetAsyncKeyState.USER32(00000011), ref: 00270324
GetKeyState.USER32(00000011), ref: 00270336
GetAsyncKeyState.USER32(00000012), ref: 0027034E
GetKeyState.USER32(00000012), ref: 00270360
GetAsyncKeyState.USER32(0000005B), ref: 00270378
GetKeyState.USER32(0000005B), ref: 0027038A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: efcee80bf8612641b8543fd85c2b84ed3beeb5a19bb94294f0fcbbd87c3ab598
Instruction ID: 70b6545b6772def4304926bc995700298902eb5cbf20f36411f93918bc335825
Opcode Fuzzy Hash: efcee80bf8612641b8543fd85c2b84ed3beeb5a19bb94294f0fcbbd87c3ab598
Instruction Fuzzy Hash: D141A9245247CBEEFF714E6495883B5BEA0AB12340F48C09ED9CD465C2E7B459EC8792

Function 00284458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0028447F
EmptyClipboard.USER32 ref: 00284485
GlobalAlloc.KERNEL32(00000002,?), ref: 0028449A
CloseClipboard.USER32 ref: 00284539

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c8a66693b979b351997fe48029af5055dad08e7df72a1258c0e0cf560829ffed
Instruction ID: c27ad9c27b5878616626bc4bd60e97addf23c6f71b69813316da8b345067e964
Opcode Fuzzy Hash: c8a66693b979b351997fe48029af5055dad08e7df72a1258c0e0cf560829ffed
Instruction Fuzzy Hash: 5A21BF392112119FDB50AF60FD0DB6D77A8EF14314F10802AF946DB2A1DB75AC60CB54

Function 00273A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002148A1,?,?,002137C0,?), ref: 002148CE

Part of subcall function 00274CD3: GetFileAttributesW.KERNEL32(?,00273947), ref: 00274CD4

FindFirstFileW.KERNEL32(?,?), ref: 00273ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00273B87
MoveFileW.KERNEL32(?,?), ref: 00273B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00273BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00273BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00273BF5

Strings

\*.*, xrefs: 00273A8A, 00273A93, 00273AA8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ec2589e160052955a868f2858e6ff14f29043d6515733dd099cca15ac452031c
Instruction ID: 568cfbc5e3e254b8277d8c94743c03a934818e8c335d98846d95a34d0b31ccda
Opcode Fuzzy Hash: ec2589e160052955a868f2858e6ff14f29043d6515733dd099cca15ac452031c
Instruction Fuzzy Hash: 2F51B53181114E9ACF05EFA0CE929EDB7B9AF64300F2481A9E405B7191DF306F59DF90

Function 00224140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002244ED
VUUU, xrefs: 00257B0C
VUUU, xrefs: 002244DB
VUUU, xrefs: 00224520
Oa", xrefs: 00224984, 00258173
ERCP, xrefs: 0022421F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: ERCP$Oa"$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1224689372
Opcode ID: 59d95ee82bd920b4abaa1f8a11ce4eb2b9a7066e19ec6e0233996b4e4e5d86d1
Instruction ID: 7bf0735b9940c3dd63099bd6b53560ee210cb04ac3684319540ae1e3a28a2384
Opcode Fuzzy Hash: 59d95ee82bd920b4abaa1f8a11ce4eb2b9a7066e19ec6e0233996b4e4e5d86d1
Instruction Fuzzy Hash: 14A2B070E2422ADBDF24DF98E8407BDB7B1BB14315F1481AADC5AA7280D7709EA5CF44

Function 0027F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0027F6AB
Sleep.KERNEL32(0000000A), ref: 0027F6DB
_wcscmp.LIBCMT ref: 0027F6EF
_wcscmp.LIBCMT ref: 0027F70A
FindNextFileW.KERNEL32(?,?), ref: 0027F7A8
FindClose.KERNEL32(00000000), ref: 0027F7BE

Strings

*.*, xrefs: 0027F690

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: dda8a7057013476a1467eb411533ccb3937b6b4c76775f60b9b4b3cf159ecc99
Instruction ID: 808a89134a9cf714acbad6caf27d990bf22055d7533e2299ce2fa72a3f8e4051
Opcode Fuzzy Hash: dda8a7057013476a1467eb411533ccb3937b6b4c76775f60b9b4b3cf159ecc99
Instruction Fuzzy Hash: D641937192421A9FCF95DF64CD89AEEBBB4FF05310F148566E819A3190DB309EA4CF90

Function 002258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00225A05
_memmove.LIBCMT ref: 00225A55
_memmove.LIBCMT ref: 00225ABB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3ae6a2ed4d2c9a8dfd74783a3decddd41c0662ec7168e6f6bf5553b6fdc485f9
Instruction ID: 98173b0365a1062d4d832afa402182317672c4c5ab746f9e000221d6e278fa05
Opcode Fuzzy Hash: 3ae6a2ed4d2c9a8dfd74783a3decddd41c0662ec7168e6f6bf5553b6fdc485f9
Instruction Fuzzy Hash: 50129C70A20619EFDF14DFA4E985AEEB3F5FF48300F108569E406A7291EB35AD61CB50

Function 00225680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00230FF6: std::exception::exception.LIBCMT ref: 0023102C
Part of subcall function 00230FF6: __CxxThrowException@8.LIBCMT ref: 00231041

_memmove.LIBCMT ref: 0026062F
_memmove.LIBCMT ref: 00260744
_memmove.LIBCMT ref: 002607EB

Strings

yZ", xrefs: 00260881, 002607FF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ"
API String ID: 1300846289-827686647
Opcode ID: 9515d2fc5d8f135445173f3eae0a55c1bed1232378b46504fe62862070218459
Instruction ID: c484129bf6d60e861f08da835272597284346433a26792296a248e8e1ac9be53
Opcode Fuzzy Hash: 9515d2fc5d8f135445173f3eae0a55c1bed1232378b46504fe62862070218459
Instruction Fuzzy Hash: E20291B0A20215EBDF04DF64D981AAEBBF5FF44300F148069E806DB255EB71DAA0DF91

Function 0027545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00268CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00268D0D
Part of subcall function 00268CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268D3A
Part of subcall function 00268CC3: GetLastError.KERNEL32 ref: 00268D47

ExitWindowsEx.USER32(?,00000000), ref: 0027549B

Strings

@, xrefs: 0027548E
, xrefs: 00275489
SeShutdownPrivilege, xrefs: 0027546B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 68614a693293dfa24f7072a056579dea4f365c72aaeb2799cc1add97e21ff472
Instruction ID: 38ddae4950fbb34c9e675bedf7f5a438ef73e86221caa1d842d6519f691b237e
Opcode Fuzzy Hash: 68614a693293dfa24f7072a056579dea4f365c72aaeb2799cc1add97e21ff472
Instruction Fuzzy Hash: 62014C31A75B266AE7685F74EC6ABB6F258EB00342F248121FD0ED20D2DAF01CA041A0

Function 00223190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa", xrefs: 00223482

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa"
API String ID: 674341424-755042541
Opcode ID: 9ef30480c21281f79f076789c44c70741750da538e03d7c2c937444f6a983a90
Instruction ID: 716b058abee5ba2d91166a449c8587b1fcf8e3f52545e95c6c3af856758edf14
Opcode Fuzzy Hash: 9ef30480c21281f79f076789c44c70741750da538e03d7c2c937444f6a983a90
Instruction Fuzzy Hash: 1D22AD71528311AFC724DF54D891BAEB7E4AF88300F10491DF89A97291DB74EE68CF92

Function 00286596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002865EF
WSAGetLastError.WSOCK32(00000000), ref: 002865FE
bind.WSOCK32(00000000,?,00000010), ref: 0028661A
listen.WSOCK32(00000000,00000005), ref: 00286629
WSAGetLastError.WSOCK32(00000000), ref: 00286643
closesocket.WSOCK32(00000000,00000000), ref: 00286657

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 167fd32303f57a739f0344a8cd7fa20f0bc9dbdb9a75638b75b67b1c8ac32bea
Instruction ID: 08d6c9fa25e1d7bc34518100ead2b388dc7da9d9e61e6674fca9165e1c8ced3a
Opcode Fuzzy Hash: 167fd32303f57a739f0344a8cd7fa20f0bc9dbdb9a75638b75b67b1c8ac32bea
Instruction Fuzzy Hash: 2321D0346102119FCB40EF64D94DBAEB7E9EF48320F24816AE956E73D1DB74ADA0CB50

Function 00211287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002119FA
GetSysColor.USER32(0000000F), ref: 00211A4E
SetBkColor.GDI32(?,00000000), ref: 00211A61

Part of subcall function 00211290: DefDlgProcW.USER32(?,00000020,?), ref: 002112D8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e92ea789a29cf3839703fe2ffb91ccc5a1221d3dd15915fab8f5e3e7e99c5c16
Instruction ID: a764d8b1e2a90a81bba5eff1fc0d0a15eef7bb03ce46c607afbb4f40712b7d2d
Opcode Fuzzy Hash: e92ea789a29cf3839703fe2ffb91ccc5a1221d3dd15915fab8f5e3e7e99c5c16
Instruction Fuzzy Hash: 92A16771136446BEEB29AF289C88DFF39DCDF65345B24011AF602D6192CA70CDB1D6B1

Function 00286A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002880CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00286AB1
WSAGetLastError.WSOCK32(00000000), ref: 00286ADA
bind.WSOCK32(00000000,?,00000010), ref: 00286B13
WSAGetLastError.WSOCK32(00000000), ref: 00286B20
closesocket.WSOCK32(00000000,00000000), ref: 00286B34

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: bf0ffec0845ae2d877695a49eb2aacbe08233bf18d7e91e362dabb029462bd7f
Instruction ID: 52a2a92bdb1d398202908279847d1137ed873a3d028bbcf2dffde41708ed2d9e
Opcode Fuzzy Hash: bf0ffec0845ae2d877695a49eb2aacbe08233bf18d7e91e362dabb029462bd7f
Instruction Fuzzy Hash: D941D775710210AFEB10BF64DC96FAE77E5DF14714F048059F95AAB3C2CA705D908B91

Function 002955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0029564C
IsWindowEnabled.USER32 ref: 0029565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00295667
IsIconic.USER32 ref: 00295675
IsZoomed.USER32 ref: 00295683

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 46f2bc61a5428eb8c4c4b43694669d8b5cd443c7f5734bfb2b77e00325882b21
Instruction ID: 053548166f2021544c23ac8c8a92385bb8707c3e00d3a56c76077ab578a8ad2d
Opcode Fuzzy Hash: 46f2bc61a5428eb8c4c4b43694669d8b5cd443c7f5734bfb2b77e00325882b21
Instruction Fuzzy Hash: AA11C432320A216FEB221F26EC58B6FB79DEF54721F854029F906D7241CB709D52CBA4

Function 0027C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0027C69D
CoCreateInstance.OLE32(002A2D6C,00000000,00000001,002A2BDC,?), ref: 0027C6B5

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

CoUninitialize.OLE32 ref: 0027C922

Strings

.lnk, xrefs: 0027C631, 0027C659, 0027C663

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: f93bb534130729073a9663756ed1e697c9e3d82449b28b106f24dacbf1d2b1bd
Instruction ID: f164336260da4be633ef2677656e626202f7f44f54c537707e739d116a189191
Opcode Fuzzy Hash: f93bb534130729073a9663756ed1e697c9e3d82449b28b106f24dacbf1d2b1bd
Instruction Fuzzy Hash: 4EA14D71118205AFD700EF64C891EABB7ECFF99304F10496CF156971A2DB70EA99CB92

Function 0028C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00251D88,?), ref: 0028C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0028C324

Strings

kernel32.dll, xrefs: 0028C30D
GetSystemWow64DirectoryW, xrefs: 0028C31E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 3ef099582457efb6bb0b5a1d07c614194006fb7aba401d4a86283540f9c9766e
Instruction ID: 9b26a3cb92da1e0bfe3edc751eb3f620bdc34d54c0fbed4063a780301d7c2388
Opcode Fuzzy Hash: 3ef099582457efb6bb0b5a1d07c614194006fb7aba401d4a86283540f9c9766e
Instruction Fuzzy Hash: 7EE08674221303CFDB605F25E808A4676D4EB0D305B50C479D849C2150D770D461C770

Function 0028F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0028F151
Process32FirstW.KERNEL32(00000000,?), ref: 0028F15F

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Process32NextW.KERNEL32(00000000,?), ref: 0028F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0028F22E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: af6feec75e78c1661688f71bba59c424004daec5824509487c187fb84a59c33e
Instruction ID: 041195f11890b340344ff2156335d289960a8e1fc685032b9824a740e7450b4d
Opcode Fuzzy Hash: af6feec75e78c1661688f71bba59c424004daec5824509487c187fb84a59c33e
Instruction Fuzzy Hash: 55518F715143119FD350EF20DC85EABBBE8FFA4710F10482DF49597291EB70A958CB92

Function 0026EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0026EB19

Strings

(, xrefs: 0026EB5F
|, xrefs: 0026EB49

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c8d18e95ad73cd2da1484021824726b51dd1fdea687a32aa64745052e97c818a
Instruction ID: c598a35790eaddbab6b94c484a04f14f6de597d0314099963a8baa3d027f1d27
Opcode Fuzzy Hash: c8d18e95ad73cd2da1484021824726b51dd1fdea687a32aa64745052e97c818a
Instruction Fuzzy Hash: 5E322575A106059FCB28CF19D481A6AB7F0FF48320B16C56EE89ADB7A1D770E991CB40

Function 002825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002826D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0028270C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f932ced1b453b92f7b3b355e6bba4a8153fb7eadb6dc325544ad5763492cc356
Instruction ID: 92d2c0e49b8ddd36f7463163bba3a0304d967ec18771657895030e193df32238
Opcode Fuzzy Hash: f932ced1b453b92f7b3b355e6bba4a8153fb7eadb6dc325544ad5763492cc356
Instruction Fuzzy Hash: 5F411A7952130AFFEB20EE55DC85EBBB7FCEB40714F10406AF601A61C0EAB19D699B50

Function 0027B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0027B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0027B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0027B655

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 55e957f820ef9fc4b46f1ef0cf9cb01a321367e636d3ae3df06915db79c00b22
Instruction ID: 8641bc87402455bf6864371dfa6a6b08226b405d3e3246991224344996efc335
Opcode Fuzzy Hash: 55e957f820ef9fc4b46f1ef0cf9cb01a321367e636d3ae3df06915db79c00b22
Instruction Fuzzy Hash: 87214C35A10218EFCB00EFA5D884AEDBBF8FF49310F1480AAE945AB351DB319955CF51

Function 00268CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00230FF6: std::exception::exception.LIBCMT ref: 0023102C
Part of subcall function 00230FF6: __CxxThrowException@8.LIBCMT ref: 00231041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00268D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268D3A
GetLastError.KERNEL32 ref: 00268D47

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: cf2afd5da866161f62f68dfc3239a6457c49cc55bb1d9132886a1e3d672af7e0
Instruction ID: 2681e5c0eb402bb174b293cccc0f4645327139c830b2ed4f38faca0ecd73859f
Opcode Fuzzy Hash: cf2afd5da866161f62f68dfc3239a6457c49cc55bb1d9132886a1e3d672af7e0
Instruction Fuzzy Hash: 5B118FB1424209AFD7289F64EDC5D6BB7BCEB44710B20862EF45693641EF70AC508A60

Function 00274021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00274088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00274091

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5b8f23c8b6ec093cbe8708540d2db8cc0b7a3db20b54749237a60bf6dc24d4d1
Instruction ID: b2c8879d2f5cd42bd5f797372e686f63023478020b58db906e91fe668a60b6ab
Opcode Fuzzy Hash: 5b8f23c8b6ec093cbe8708540d2db8cc0b7a3db20b54749237a60bf6dc24d4d1
Instruction Fuzzy Hash: 991173B1D14225BEE7509BE8DC48FAFBBBCEB08710F104556BA08E7190D3745D1447A1

Function 00274C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00274C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00274C43
FreeSid.ADVAPI32(?), ref: 00274C53

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b037ec748419c6cc1dc2dcc99d68939c793b6cf8d54fd34e0c66078845628771
Instruction ID: b9f11a66e0ab4bb4a704ace6f3f8b54e4bd57beeb45d49861d26dc013eed538d
Opcode Fuzzy Hash: b037ec748419c6cc1dc2dcc99d68939c793b6cf8d54fd34e0c66078845628771
Instruction Fuzzy Hash: 71F06D75A1130DBFDF04DFF0ED89ABEBBBCEF08201F1044AAA901E2181E7706A148B50

Function 00278B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00278B25

Part of subcall function 0023543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002791F8,00000000,?,?,?,?,002793A9,00000000,?), ref: 00235443
Part of subcall function 0023543A: __aulldiv.LIBCMT ref: 00235463

Strings

0u-, xrefs: 00278B1C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u-
API String ID: 2893107130-3434999108
Opcode ID: 8dee4fd053756d9aef03446bb5d3fc292d38a8a084d434385b3a4b6d3b41940e
Instruction ID: 092e2ddb7dc3c1e76117b4514a733930fc2997ad0d4a1231a548a1c84a2d9afb
Opcode Fuzzy Hash: 8dee4fd053756d9aef03446bb5d3fc292d38a8a084d434385b3a4b6d3b41940e
Instruction Fuzzy Hash: 5E21E4726355118BC329CF25E441A52B3E1EBA4321F688E6DD4F9CB2D0DA34BD05CB94

Function 0021E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc499a612ac5b07efe3af0f07a7ca75af788a4eea0fc6e1a5011bd45d5e50204
Instruction ID: fdedfc23c7b70809cb82ae290d57169d8b8a3ce9b1aaf7c328806a6605ca106d
Opcode Fuzzy Hash: cc499a612ac5b07efe3af0f07a7ca75af788a4eea0fc6e1a5011bd45d5e50204
Instruction Fuzzy Hash: 01228974A20216DFDF24DF54C890AEAB7F1FF28300F158069EC56AB341E774A9A5CB91

Function 0027C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0027C966
FindClose.KERNEL32(00000000), ref: 0027C996

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c013586917f2eaa4302a9a81c8af6b5b7ebfc3a44cc2471c5a7a5d1311fe79bb
Instruction ID: 4eb7c89f3dbfc38869a1ee6edc8ac21dc7066acc2480b72ac86d270621ceecac
Opcode Fuzzy Hash: c013586917f2eaa4302a9a81c8af6b5b7ebfc3a44cc2471c5a7a5d1311fe79bb
Instruction Fuzzy Hash: 8811A1326206009FD710EF29D849A6AF7E9FF94320F10851EF9A9D7291DB30AC54CF81

Function 0027A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0028977D,?,0029FB84,?), ref: 0027A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0028977D,?,0029FB84,?), ref: 0027A314

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eb9a7401654538b066f3d9dcc9281e1f920a2ed95cf83bd0aa4cb77e7accd8c6
Instruction ID: 68d4cc18188c709383438fbe88f85f422e0eb97a60b9d059b7d05cef7e254f95
Opcode Fuzzy Hash: eb9a7401654538b066f3d9dcc9281e1f920a2ed95cf83bd0aa4cb77e7accd8c6
Instruction Fuzzy Hash: B1F0E23152422DBBDB509FA4CC49FEA736DFF08361F0082A6B808D2180D6309950CBA1

Function 00268713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00268851), ref: 00268728
CloseHandle.KERNEL32(?,?,00268851), ref: 0026873A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ee14af21a70dc3c8196bbcd74375581afd12d7dd460222dd1c1738c1738d3440
Instruction ID: bd190111d3d3d157fe12404e930bfdabf06e923f2e1958960580e4f3973778f4
Opcode Fuzzy Hash: ee14af21a70dc3c8196bbcd74375581afd12d7dd460222dd1c1738c1738d3440
Instruction Fuzzy Hash: B8E0B676024651EFE7662B60FD09D77BBA9EB04350B24892AB896C0470DB62ACA0DB10

Function 0023A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00238F97,?,?,?,00000001), ref: 0023A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0023A3A3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa834b387adfe8e4aa61d3b285fbbe35d443bb78639afd7218d58583c41771d4
Instruction ID: caeba3d25a09ea7c5a4406876e7fb6f749f7aa62b1dff091c2d80c8b91a2e145
Opcode Fuzzy Hash: aa834b387adfe8e4aa61d3b285fbbe35d443bb78639afd7218d58583c41771d4
Instruction Fuzzy Hash: A3B09231054248EBCAC02BA1FD0DB883F68EB44BA2F4040A2FE0DC4060CB6654A08A99

Function 0023F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2455177201d59c4c89735a9f094db849a45f318be9e8c056b45f7960fe51e68d
Instruction ID: 16cf3f907d5df199053532d8e6e0731f9afdef90e75d6b0955db4cf104df210f
Opcode Fuzzy Hash: 2455177201d59c4c89735a9f094db849a45f318be9e8c056b45f7960fe51e68d
Instruction Fuzzy Hash: 8C32E3A1D79F014ED7639634ED36326A249AFB73C8F15DB37E819B59A6EF28C4834100

Function 0024267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcbc94961dfd812a7c22984440d58a9060d9baeaeb5a4381abf70fe5fec7d41
Instruction ID: 11932210c918d8137898e00e8c54864fd515fa0676091edb1bb2c625821b16eb
Opcode Fuzzy Hash: 8bcbc94961dfd812a7c22984440d58a9060d9baeaeb5a4381abf70fe5fec7d41
Instruction Fuzzy Hash: C2B10220D2AF418ED76396399835336BB4CAFBB2D5F91D71BFC2674D22EB2185838141

Function 002841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00284218

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b71bfa7ae048f12663758338e9ed3c5a0e5988789c43f388d0753a4b1d5b1fbf
Instruction ID: c6bd96a75ad723ca36eca7532a9b0b8444090165974c20bbd471d009ff74a9d0
Opcode Fuzzy Hash: b71bfa7ae048f12663758338e9ed3c5a0e5988789c43f388d0753a4b1d5b1fbf
Instruction Fuzzy Hash: 12E048352642155FC710FF59D844A9AF7ECAF64760F008016FC49C7351DA70F8908B90

Function 00274EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00274F18

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6dd824fa11c464f061b5b492a4c682f11f31fea61d8eb376e14d660995e143ca
Instruction ID: 1af1757e505a1b998da528969f6d719c4d586a8bdfbc82a1e45ed392ca61fd10
Opcode Fuzzy Hash: 6dd824fa11c464f061b5b492a4c682f11f31fea61d8eb376e14d660995e143ca
Instruction Fuzzy Hash: 30D09EB417460AB9FC586F20AC1FF761109E350791FE4D989B209D5CD19AF57870A436

Function 00268C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002688D1), ref: 00268CB3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 7f82595ad00fd5c9b54f8e3fd4281aaf26646fe3eb8f979ec2d51275704b098e
Instruction ID: 8c575ddcbfe81d47aae7ca4d09c65a5a7839f5769440729b360fff215dbd3f74
Opcode Fuzzy Hash: 7f82595ad00fd5c9b54f8e3fd4281aaf26646fe3eb8f979ec2d51275704b098e
Instruction Fuzzy Hash: C6D05E3226450EABEF418EA4ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00252230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00252242

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 17f3e76797fae84271e2c1daf8f6ae5b98cd0751e0e4d47888ddb4a6fd53f674
Instruction ID: e94817f944a31789db907b2419d5fda158b87291d001b348a5ded8c97efde9d6
Opcode Fuzzy Hash: 17f3e76797fae84271e2c1daf8f6ae5b98cd0751e0e4d47888ddb4a6fd53f674
Instruction Fuzzy Hash: 28C04CF1810109DBDB45DB90DA88DEE77BCAB04305F104056A501F2140D7749B548A71

Function 0023A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0023A36A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 39528305192aeea256e480e4044067e2cab58578eec4286825962c8863d463b4
Instruction ID: 1ab1f35777c9009b08e6bda62e89a097c55108f70c7fe07f58dbe7be5b7646f0
Opcode Fuzzy Hash: 39528305192aeea256e480e4044067e2cab58578eec4286825962c8863d463b4
Instruction Fuzzy Hash: 9EA0123000010CE78A401B51FC084447F5CD6001907004061FC0C80021873254504584

Function 00228A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b7cb992f91962336d080becfe9cbfa56ee5cd9e412ee639dec2569014b524d
Instruction ID: 08c7acd497a27cfe334d30ea902f3de13d4b37e1cb2011a7f2353315c1292407
Opcode Fuzzy Hash: b2b7cb992f91962336d080becfe9cbfa56ee5cd9e412ee639dec2569014b524d
Instruction Fuzzy Hash: F7221430536637EBCF288E98E49467DB7A1EB01304F68446BD9428B6A1DB74DDE1CB60

Function 00232405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: f6cf9d84b2b6e0956aade2eca203b52858a3b2f81931ab306e0bc40f3017fd86
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D0C1B5B222519349DF2D8A39D43413EFAE15EA27B1B1A075DE4B3CB5D4EF20D538D620

Function 0023283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 2dce959e73db6bdf9fd3e0436f8d585943a46136ab22a13250a7ce31b0476744
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 49C1C5B22251934ADF2D4A3A943413EFBE15BA27B171A176DE4B2DB4C4EF20D538D620

Function 022C3610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 93087ebb9dcf8fa4adce5f4e2bf82b4c6cac27b590bec577e094cf9218f3dc72
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8E41B571D1051CDBCF48CFADC991AEEBBF1AF88201F648299D516AB345D730AB41DB50

Function 022C34A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 772456eb5f7da8355fe8efd401716b7614cfa9c005b15d4665649571698ecd5a
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CF019278A14209EFCB54DF98C5909AEF7F5FB88310F2086D9D819A7705D731AE41DB90

Function 022C3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 94211201caf52d56ae30d0f4e91126dd675d017483d5da8a1a2fd3f2327a9e47
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: FE019278A14209EFCB44DF98C5909AEF7B5FB88310F2086D9D819A7745E731AE41DB80

Function 022C1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1218875570.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22c0000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 002937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0029F910), ref: 002938AF
IsWindowVisible.USER32(?), ref: 002938D3

Strings

SETCURRENTSELECTION, xrefs: 00293A3E
ISVISIBLE, xrefs: 002938BF
FINDSTRING, xrefs: 002939FE
ISCHECKED, xrefs: 00293AC1
GETLINECOUNT, xrefs: 00293B4E
GETCURRENTLINE, xrefs: 00293B75
GETCURRENTCOL, xrefs: 00293BB0
CURRENTTAB, xrefs: 00293945
EDITPASTE, xrefs: 00293BE7
TABRIGHT, xrefs: 00293925
GETLINE, xrefs: 00293C23
SHOWDROPDOWN, xrefs: 00293968
ISENABLED, xrefs: 002938F3
CHECK, xrefs: 00293AF5
GETSELECTED, xrefs: 00293B2B
SENDCOMMANDID, xrefs: 00293C62
TABLEFT, xrefs: 0029390F
HIDEDROPDOWN, xrefs: 00293988
DELSTRING, xrefs: 002939D1
ADDSTRING, xrefs: 0029399E
SELECTSTRING, xrefs: 00293A8E
UNCHECK, xrefs: 00293B0B
GETCURRENTSELECTION, xrefs: 00293A6B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 747d39e3864bef7915e8e5ad6cace915dc5e0ee7f314b731d235752f52821ae5
Instruction ID: c3446f7921f798befc006d95742a8debeb941f3a5d443e92d812b14024db3b02
Opcode Fuzzy Hash: 747d39e3864bef7915e8e5ad6cace915dc5e0ee7f314b731d235752f52821ae5
Instruction Fuzzy Hash: 62D160302347069BCF14EF10C4A5B6AB7E9EF54344F10455DB8865B2A2CB71EEAACF91

Function 0029A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0029A89F
GetSysColorBrush.USER32(0000000F), ref: 0029A8D0
GetSysColor.USER32(0000000F), ref: 0029A8DC
SetBkColor.GDI32(?,000000FF), ref: 0029A8F6
SelectObject.GDI32(?,?), ref: 0029A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0029A930
GetSysColor.USER32(00000010), ref: 0029A938
CreateSolidBrush.GDI32(00000000), ref: 0029A93F
FrameRect.USER32(?,?,00000000), ref: 0029A94E
DeleteObject.GDI32(00000000), ref: 0029A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0029A9A0
FillRect.USER32(?,?,?), ref: 0029A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0029A9FD

Part of subcall function 0029AB60: GetSysColor.USER32(00000012), ref: 0029AB99
Part of subcall function 0029AB60: SetTextColor.GDI32(?,?), ref: 0029AB9D
Part of subcall function 0029AB60: GetSysColorBrush.USER32(0000000F), ref: 0029ABB3
Part of subcall function 0029AB60: GetSysColor.USER32(0000000F), ref: 0029ABBE
Part of subcall function 0029AB60: GetSysColor.USER32(00000011), ref: 0029ABDB
Part of subcall function 0029AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0029ABE9
Part of subcall function 0029AB60: SelectObject.GDI32(?,00000000), ref: 0029ABFA
Part of subcall function 0029AB60: SetBkColor.GDI32(?,00000000), ref: 0029AC03
Part of subcall function 0029AB60: SelectObject.GDI32(?,?), ref: 0029AC10
Part of subcall function 0029AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0029AC2F
Part of subcall function 0029AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0029AC46
Part of subcall function 0029AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0029AC5B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 47fd7c7fe1863280280eeab6ef223fbf429fee13be85da805e687255abe01311
Instruction ID: d68c97ad93cfd553681f1ad7a637aea580736a66237fe5145614d5e73353ad0c
Opcode Fuzzy Hash: 47fd7c7fe1863280280eeab6ef223fbf429fee13be85da805e687255abe01311
Instruction Fuzzy Hash: 29A18271018301EFDB909F64ED0CA6B7BA9FF88321F104A2AF966D61A0D771D954CB92

Function 00212C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00212CA2
DeleteObject.GDI32(00000000), ref: 00212CE8
DeleteObject.GDI32(00000000), ref: 00212CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00212CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00212D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0024C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0024C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0024CAED

Part of subcall function 00211B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00212036,?,00000000,?,?,?,?,002116CB,00000000,?), ref: 00211B9A

SendMessageW.USER32(?,00001053), ref: 0024CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0024CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0024CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0024CB62

Strings

0, xrefs: 0024C981

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 3ab6ae2333d5d96f0cf2a99b14dfffc1c340416b1703d63271a723e0b7814d6c
Instruction ID: 42d0f0ea50d8132fcab601f3c4059ee7606e063b1cd8908e9c67f063af943923
Opcode Fuzzy Hash: 3ab6ae2333d5d96f0cf2a99b14dfffc1c340416b1703d63271a723e0b7814d6c
Instruction Fuzzy Hash: FB12A030221202EFDB59CF28C988BA9B7E5FF14300F64456AF595DB262C771E8A5CF91

Function 002877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002877F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002878B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002878EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00287900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00287946
GetClientRect.USER32(00000000,?), ref: 00287952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00287996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002879A5
GetStockObject.GDI32(00000011), ref: 002879B5
SelectObject.GDI32(00000000,00000000), ref: 002879B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002879C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002879D2
DeleteDC.GDI32(00000000), ref: 002879DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00287A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00287A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00287A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00287A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00287A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00287AAE
GetStockObject.GDI32(00000011), ref: 00287AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00287AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00287ACE

Strings

msctls_progress32, xrefs: 00287A4F
DISPLAY, xrefs: 0028799B
AutoIt v3, xrefs: 0028793E
static, xrefs: 00287990, 00287AA8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c2f7b262449555e14f622451a42a29ce983ca1701cf5fa004cbc4de5155522f3
Instruction ID: b74f04aa09158207ee57d538b4ea0a0f8175a7b212c182cf0a883c74f9362397
Opcode Fuzzy Hash: c2f7b262449555e14f622451a42a29ce983ca1701cf5fa004cbc4de5155522f3
Instruction Fuzzy Hash: F8A17E71A51205BFEB549FA4ED4EFAEBBA9EB48710F104116FA14E72E0C770AD50CB60

Function 0027AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0027AF89
GetDriveTypeW.KERNEL32(?,0029FAC0,?,\\.\,0029F910), ref: 0027B066
SetErrorMode.KERNEL32(00000000,0029FAC0,?,\\.\,0029F910), ref: 0027B1C4

Strings

RAMDisk, xrefs: 0027B090
CDROM, xrefs: 0027B09A
1394, xrefs: 0027B146
Fibre, xrefs: 0027B154
Unknown, xrefs: 0027B086, 0027B12A
USB, xrefs: 0027B15B
ATA, xrefs: 0027B13F
PhysicalDrive, xrefs: 0027B012
SATA, xrefs: 0027B177
SSA, xrefs: 0027B14D
\\.\, xrefs: 0027AFDB
FileBackedVirtual, xrefs: 0027B193
SCSI, xrefs: 0027B131
SAS, xrefs: 0027B170
SSD, xrefs: 0027B0F1
iSCSI, xrefs: 0027B169
MMC, xrefs: 0027B185
RAID, xrefs: 0027B162
Removable, xrefs: 0027B0B8
Fixed, xrefs: 0027B0AE
Network, xrefs: 0027B0A4
Virtual, xrefs: 0027B18C
ATAPI, xrefs: 0027B138

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 61d7081f1ffa9258ff9fd107cd9de76ad364051c39b288a9df7989f343e51fd8
Instruction ID: 99b62578cad11e9761616b35ab110295881bed68000057f39d5072bd3a79238b
Opcode Fuzzy Hash: 61d7081f1ffa9258ff9fd107cd9de76ad364051c39b288a9df7989f343e51fd8
Instruction Fuzzy Hash: 2351E3706B4349AB8B01DF10CD66FBDB3B0BB5A345760C11AE40EA7690C7B59DB5CB42

Function 00216A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00216A91
__wcsnicmp.LIBCMT ref: 00216AA9
__wcsnicmp.LIBCMT ref: 00216AC1
__wcsnicmp.LIBCMT ref: 00216AD9
__wcsnicmp.LIBCMT ref: 00216AF1
__wcsnicmp.LIBCMT ref: 00216B09
__wcsnicmp.LIBCMT ref: 00216B21
__wcsnicmp.LIBCMT ref: 00216B35
__wcsnicmp.LIBCMT ref: 00216B76
__wcsnicmp.LIBCMT ref: 00216B8A
__wcsnicmp.LIBCMT ref: 00216B9E
__wcsnicmp.LIBCMT ref: 00216BB2

Strings

#notrayicon, xrefs: 00216AA3
#cs, xrefs: 00216B2F, 00216B84
#include, xrefs: 00216B03
#requireadmin, xrefs: 00216ABB
#comments-start, xrefs: 00216B1B, 00216B70
Unterminated group of comments, xrefs: 0024E82C
#OnAutoItStartRegister, xrefs: 00216AD3
#ce, xrefs: 00216BAC
#pragma compile, xrefs: 00216A8B
#include-once, xrefs: 00216AEB
Bad directive syntax error, xrefs: 0024E743
Cannot parse #include, xrefs: 0024E819
#comments-end, xrefs: 00216B98

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 71e4837e265c936cb262b40be28ef29d3f956191eb77f0500eba0d50115c7734
Instruction ID: 1180ca554c8692ac6a742cc4d011a2e45e78dcd02e6824ef127ca1177ddeb9b3
Opcode Fuzzy Hash: 71e4837e265c936cb262b40be28ef29d3f956191eb77f0500eba0d50115c7734
Instruction Fuzzy Hash: CB812AB0674216BADF24AE60CD86FEE77E8AF25704F044024FD05AA181EB70DBB5C691

Function 0029AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0029AB99
SetTextColor.GDI32(?,?), ref: 0029AB9D
GetSysColorBrush.USER32(0000000F), ref: 0029ABB3
GetSysColor.USER32(0000000F), ref: 0029ABBE
CreateSolidBrush.GDI32(?), ref: 0029ABC3
GetSysColor.USER32(00000011), ref: 0029ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0029ABE9
SelectObject.GDI32(?,00000000), ref: 0029ABFA
SetBkColor.GDI32(?,00000000), ref: 0029AC03
SelectObject.GDI32(?,?), ref: 0029AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0029AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0029AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0029AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0029ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0029ACEC
DrawFocusRect.USER32(?,?), ref: 0029ACF7
GetSysColor.USER32(00000011), ref: 0029AD05
SetTextColor.GDI32(?,00000000), ref: 0029AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0029AD21
SelectObject.GDI32(?,0029A869), ref: 0029AD38
DeleteObject.GDI32(?), ref: 0029AD43
SelectObject.GDI32(?,?), ref: 0029AD49
DeleteObject.GDI32(?), ref: 0029AD4E
SetTextColor.GDI32(?,?), ref: 0029AD54
SetBkColor.GDI32(?,?), ref: 0029AD5E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 656021924e7dd6a8d3148ea4cb1b1f9d8e0722146408f3be8ab2917a5aa87030
Instruction ID: eb85c64abb07d3e4c6f63c28b8bdef334af71a33d2bc5939c23d7feb648d1cfe
Opcode Fuzzy Hash: 656021924e7dd6a8d3148ea4cb1b1f9d8e0722146408f3be8ab2917a5aa87030
Instruction Fuzzy Hash: 9C617C71900219EFDF519FA8ED48AAE7B79FB08320F214126F915EB2A1D6719950CF90

Function 00298C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00298D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00298D45
CharNextW.USER32(0000014E), ref: 00298D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00298DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00298DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00298DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00298DF9
SetWindowTextW.USER32(?,0000014E), ref: 00298E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00298E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00298E8C
_memset.LIBCMT ref: 00298EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00298EFA
_memset.LIBCMT ref: 00298F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00298F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00298FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00299088
InvalidateRect.USER32(?,00000000,00000001), ref: 002990AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002990F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00299121
DrawMenuBar.USER32(?), ref: 00299130
SetWindowTextW.USER32(?,0000014E), ref: 00299158

Strings

0, xrefs: 002990C2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ced66a615067dbb8dc45f870f019eed85d6a7089ba320f2659c50cc5558b45ef
Instruction ID: 0fd8da6fc5624b546957e6b6d3ad78d07359b8d55c7d0029527b6b660ed8a66f
Opcode Fuzzy Hash: ced66a615067dbb8dc45f870f019eed85d6a7089ba320f2659c50cc5558b45ef
Instruction Fuzzy Hash: 9EE1D87092121AAFDF10DF64DC88EEE7B79FF05710F04815AF91996290DB708AA5DF60

Function 00294B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00294C51
GetDesktopWindow.USER32 ref: 00294C66
GetWindowRect.USER32(00000000), ref: 00294C6D
GetWindowLongW.USER32(?,000000F0), ref: 00294CCF
DestroyWindow.USER32(?), ref: 00294CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00294D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00294D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00294D68
SendMessageW.USER32(?,00000421,?,?), ref: 00294D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00294D90
IsWindowVisible.USER32(?), ref: 00294DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00294DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00294DDF
GetWindowRect.USER32(?,?), ref: 00294DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00294E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00294E37
CopyRect.USER32(?,?), ref: 00294E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00294EB9

Strings

0, xrefs: 00294BFC
(, xrefs: 00294E2A
tooltips_class32, xrefs: 00294D1D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 92cb72e878e3dfb950277f20e8ced0a0c8f41afa5b177d69da18115d2bdcf97c
Instruction ID: cc12dd5964eb4313b662f03d92fe4c18700f9640456e50c744eadbf1022a74e3
Opcode Fuzzy Hash: 92cb72e878e3dfb950277f20e8ced0a0c8f41afa5b177d69da18115d2bdcf97c
Instruction Fuzzy Hash: C8B19A71624341AFDB44EF24D948F6ABBE4BF88304F008A1DF5999B2A1D770EC55CB91

Function 002746D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002746E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0027470E
_wcscpy.LIBCMT ref: 0027473C
_wcscmp.LIBCMT ref: 00274747
_wcscat.LIBCMT ref: 0027475D
_wcsstr.LIBCMT ref: 00274768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00274784
_wcscat.LIBCMT ref: 002747CD
_wcscat.LIBCMT ref: 002747D4
_wcsncpy.LIBCMT ref: 002747FF

Strings

DefaultLangCodepage, xrefs: 002747E7
04090000, xrefs: 002747BA
%u.%u.%u.%u, xrefs: 00274862
StringFileInfo\, xrefs: 00274757
\VarFileInfo\Translation, xrefs: 0027477C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0cf5cdaa740cae3742cefc6e884762c0b831475de140a544ed836d16cc6019d6
Instruction ID: e1db23c65a7b09a68a16903b796b91680eef97285b9577a36450da008209fbbf
Opcode Fuzzy Hash: 0cf5cdaa740cae3742cefc6e884762c0b831475de140a544ed836d16cc6019d6
Instruction Fuzzy Hash: 03412BB1630215BBDB14BB749D47EBFB77CDF02710F00416AF908E6182EB719A319AA5

Function 002127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002128BC
GetSystemMetrics.USER32(00000007), ref: 002128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002128EF
GetSystemMetrics.USER32(00000008), ref: 002128F7
GetSystemMetrics.USER32(00000004), ref: 0021291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00212939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00212949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0021297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00212990
GetClientRect.USER32(00000000,000000FF), ref: 002129AE
GetStockObject.GDI32(00000011), ref: 002129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002129D5

Part of subcall function 00212344: GetCursorPos.USER32(?), ref: 00212357
Part of subcall function 00212344: ScreenToClient.USER32(002D67B0,?), ref: 00212374
Part of subcall function 00212344: GetAsyncKeyState.USER32(00000001), ref: 00212399
Part of subcall function 00212344: GetAsyncKeyState.USER32(00000002), ref: 002123A7

SetTimer.USER32(00000000,00000000,00000028,00211256), ref: 002129FC

Strings

AutoIt v3 GUI, xrefs: 00212974

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9e8a7063859254eb1ca53ab8e26969e81c6915ef48c62b5b110013e2f26f6b0f
Instruction ID: 6aea476f304bc18e26dff6ce7e2679fe6deb4ac140e7282db6a1af7f9f92957d
Opcode Fuzzy Hash: 9e8a7063859254eb1ca53ab8e26969e81c6915ef48c62b5b110013e2f26f6b0f
Instruction Fuzzy Hash: 0AB17E71A1020AEFDB54DFA8DD49BEE7BB4FB18310F11412AFA15E6290DB749864CF50

Function 00294069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002940F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002941B6

Strings

SELECT, xrefs: 00294250
FINDITEM, xrefs: 00294329
SELECTCLEAR, xrefs: 00294235
VIEWCHANGE, xrefs: 00294375
GETITEMCOUNT, xrefs: 00294128
GETSELECTEDCOUNT, xrefs: 00294199
GETSUBITEMCOUNT, xrefs: 00294141
GETSELECTED, xrefs: 002942E4
SELECTINVERT, xrefs: 00294286
DESELECT, xrefs: 002942A4
ISSELECTED, xrefs: 002941C1
GETTEXT, xrefs: 0029415F
SELECTALL, xrefs: 0029421D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 2f078853c10e81073363f46bb936c0899e5c9774b7261a4c62ae4c4a8baecb74
Instruction ID: 8a59462bed4623260b3ba4f21cfb08aaa32b309a694556f44f2e41bbd3c818b6
Opcode Fuzzy Hash: 2f078853c10e81073363f46bb936c0899e5c9774b7261a4c62ae4c4a8baecb74
Instruction Fuzzy Hash: B5A18E702342059FCB14FF20C951E6AB3E9BF98314F10496DB8969B692DB30EDA6CF51

Function 002852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00285309
LoadCursorW.USER32(00000000,00007F8A), ref: 00285314
LoadCursorW.USER32(00000000,00007F00), ref: 0028531F
LoadCursorW.USER32(00000000,00007F03), ref: 0028532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00285335
LoadCursorW.USER32(00000000,00007F01), ref: 00285340
LoadCursorW.USER32(00000000,00007F81), ref: 0028534B
LoadCursorW.USER32(00000000,00007F88), ref: 00285356
LoadCursorW.USER32(00000000,00007F80), ref: 00285361
LoadCursorW.USER32(00000000,00007F86), ref: 0028536C
LoadCursorW.USER32(00000000,00007F83), ref: 00285377
LoadCursorW.USER32(00000000,00007F85), ref: 00285382
LoadCursorW.USER32(00000000,00007F82), ref: 0028538D
LoadCursorW.USER32(00000000,00007F84), ref: 00285398
LoadCursorW.USER32(00000000,00007F04), ref: 002853A3
LoadCursorW.USER32(00000000,00007F02), ref: 002853AE
GetCursorInfo.USER32(?), ref: 002853BE
GetLastError.KERNEL32(00000001,00000000), ref: 002853E9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: b56c76dff41c7df8376e1d173d86abbe8b06f6d6ff6d9cb22bbfcac13818125d
Instruction ID: 4a4c6db6247a97a64ac3ba8b7c483880255281c8d82cecd02277f1abf66fcfb9
Opcode Fuzzy Hash: b56c76dff41c7df8376e1d173d86abbe8b06f6d6ff6d9cb22bbfcac13818125d
Instruction Fuzzy Hash: 38417370E143296ADB509FBA8C4986EFFF8EF51B10B10452FA509E72D0DAB8A4408F51

Function 0026AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0026AAA5
__swprintf.LIBCMT ref: 0026AB46
_wcscmp.LIBCMT ref: 0026AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0026ABAE
_wcscmp.LIBCMT ref: 0026ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0026AC21
GetDlgCtrlID.USER32(?), ref: 0026AC73
GetWindowRect.USER32(?,?), ref: 0026ACA9
GetParent.USER32(?), ref: 0026ACC7
ScreenToClient.USER32(00000000), ref: 0026ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0026AD48
_wcscmp.LIBCMT ref: 0026AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0026AD82
_wcscmp.LIBCMT ref: 0026AD96

Part of subcall function 0023386C: _iswctype.LIBCMT ref: 00233874

Strings

%s%u, xrefs: 0026AB40

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 95d0516ccb7085878e8e2c49848e5c3e0fd7c59e1513b954bac384e291f4a861
Instruction ID: 404fc74188af640d710e5950a17ad4643cbf1452b47b150f737e85adc86bd5bb
Opcode Fuzzy Hash: 95d0516ccb7085878e8e2c49848e5c3e0fd7c59e1513b954bac384e291f4a861
Instruction Fuzzy Hash: E9A19F71224307ABD714DF64C884BAAF7E8FF44355F10462AF999E2190D730E9A5CF92

Function 0026B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0026B3DB
_wcscmp.LIBCMT ref: 0026B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0026B414
CharUpperBuffW.USER32(?,00000000), ref: 0026B431
_wcscmp.LIBCMT ref: 0026B44F
_wcsstr.LIBCMT ref: 0026B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0026B498
_wcscmp.LIBCMT ref: 0026B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0026B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0026B518
_wcscmp.LIBCMT ref: 0026B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0026B550
GetWindowRect.USER32(00000004,?), ref: 0026B5B9

Strings

@, xrefs: 0026B3BC
ThumbnailClass, xrefs: 0026B4A3, 0026B523

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 410f0c980d7aff404f281131d099cba30cb141ea17b5334ba503abfc2417b1e5
Instruction ID: af78649a2c815a36ea5317ce9eb41212250ee6448dda32477844960f65cff022
Opcode Fuzzy Hash: 410f0c980d7aff404f281131d099cba30cb141ea17b5334ba503abfc2417b1e5
Instruction Fuzzy Hash: 398191710283069BDB16DF14D985FAAB7E8EF44314F048569FD86CA092DB30DDE5CB61

Function 0029C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

DragQueryPoint.SHELL32(?,?), ref: 0029C917

Part of subcall function 0029ADF1: ClientToScreen.USER32(?,?), ref: 0029AE1A
Part of subcall function 0029ADF1: GetWindowRect.USER32(?,?), ref: 0029AE90
Part of subcall function 0029ADF1: PtInRect.USER32(?,?,0029C304), ref: 0029AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0029C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0029C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0029C9AE
_wcscat.LIBCMT ref: 0029C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0029C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0029CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0029CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0029CA47
DragFinish.SHELL32(?), ref: 0029CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0029CB41

Strings

@GUI_DROPID, xrefs: 0029CA6E
@GUI_DRAGFILE, xrefs: 0029CAF0
@GUI_DRAGID, xrefs: 0029CAB9
pr-, xrefs: 0029CA8B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr-
API String ID: 169749273-2520128573
Opcode ID: fb72f44505bfbff31445818aa32ed5cd0377e3ca5562bb769097e730d719d7f4
Instruction ID: 26f49463203bcbc82f2f85907f700a039c3275c8a271e379586c01cc9b0a190e
Opcode Fuzzy Hash: fb72f44505bfbff31445818aa32ed5cd0377e3ca5562bb769097e730d719d7f4
Instruction Fuzzy Hash: 72616B71118301AFC701DF64DC89D9FBBE8EF99710F100A2EF591961A1DB709A59CF92

Function 0026B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0026B23F

Strings

REGEXP=, xrefs: 0026B254
[REGEXPTITLE:, xrefs: 0026B267
LAST, xrefs: 0026B204
[ALL, xrefs: 0026B2E5
[CLASS:, xrefs: 0026B28F
[LAST, xrefs: 0026B2EC
HANDLE=, xrefs: 0026B238
ACTIVE, xrefs: 0026B21A
CLASSNAME=, xrefs: 0026B27C
[HANDLE:, xrefs: 0026B24B
ALL, xrefs: 0026B2D3
[ACTIVE, xrefs: 0026B22C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 140f651df866ebcbcf4e71d02ce88ba0e5d691b5fefc4228d3dd2caab525fd54
Instruction ID: 029135eae6dffbead187f4d8e7315c58de51e13495a31c6395cbc8df84742bd3
Opcode Fuzzy Hash: 140f651df866ebcbcf4e71d02ce88ba0e5d691b5fefc4228d3dd2caab525fd54
Instruction Fuzzy Hash: 4D31C171A74206A6DB11FA60CD57FEEB7E89F21750F200129B841B10D1EF61AFF4C990

Function 0026C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0026C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0026C4E6
SetWindowTextW.USER32(?,?), ref: 0026C4FD
GetDlgItem.USER32(?,000003EA), ref: 0026C512
SetWindowTextW.USER32(00000000,?), ref: 0026C518
GetDlgItem.USER32(?,000003E9), ref: 0026C528
SetWindowTextW.USER32(00000000,?), ref: 0026C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0026C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0026C569
GetWindowRect.USER32(?,?), ref: 0026C572
SetWindowTextW.USER32(?,?), ref: 0026C5DD
GetDesktopWindow.USER32 ref: 0026C5E3
GetWindowRect.USER32(00000000), ref: 0026C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0026C636
GetClientRect.USER32(?,?), ref: 0026C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0026C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0026C693

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f76c20ddf726e21238c28917b72597cb8d7ba94aaa3d648b1eaa481ac80fb35a
Instruction ID: 6a1d58e8916f88ea06b8d8c9908b4d231b06e8f660da611e7b57fc1b07bd4081
Opcode Fuzzy Hash: f76c20ddf726e21238c28917b72597cb8d7ba94aaa3d648b1eaa481ac80fb35a
Instruction Fuzzy Hash: 60518171900709AFDB20EFA8DE89B7EBBF9FF04704F104529E696A25A0C774A954CF50

Function 0029A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029A4C8
DestroyWindow.USER32(?,?), ref: 0029A542

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0029A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0029A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029A5F1
DestroyWindow.USER32(00000000), ref: 0029A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00210000,00000000), ref: 0029A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029A663
GetDesktopWindow.USER32 ref: 0029A67C
GetWindowRect.USER32(00000000), ref: 0029A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0029A6B3

Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC

Strings

tooltips_class32, xrefs: 0029A5B5, 0029A643
0, xrefs: 0029A4DE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 1f73600691e637c16168b8a543eb34f000c8ac797a131b92807d45cd402cdac4
Instruction ID: 3cd57115f497826c9cc417853d357cc39e01cfc9b0c6db48225ba1738f72194f
Opcode Fuzzy Hash: 1f73600691e637c16168b8a543eb34f000c8ac797a131b92807d45cd402cdac4
Instruction Fuzzy Hash: 4771AA71554306AFDB20CF28DC49FA67BE9FB88300F08452DF995872A0C770E966CB52

Function 00294619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002946AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002946F6

Strings

COLLAPSE, xrefs: 0029473C
EXPAND, xrefs: 002947A8
SELECT, xrefs: 002948A7
ISCHECKED, xrefs: 00294879
EXISTS, xrefs: 0029475F
GETTOTALCOUNT, xrefs: 002946DD
UNCHECK, xrefs: 002948D2
GETITEMCOUNT, xrefs: 002947D8
CHECK, xrefs: 00294716
GETTEXT, xrefs: 00294849
GETSELECTED, xrefs: 00294806

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8158def2d332ff6ce65158e6df0508082e51f463d7c01ff191c0a774e2cf6b2a
Instruction ID: c35460c579b53d073a543b57466d695bbe8a463a71c096427b3b670a28ad70e0
Opcode Fuzzy Hash: 8158def2d332ff6ce65158e6df0508082e51f463d7c01ff191c0a774e2cf6b2a
Instruction Fuzzy Hash: A9917D742243059FCB14EF10C4A1EAAB7E5AF98314F10445DF8965B3A2CB71EDAACF81

Function 0029BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0029BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00299431), ref: 0029BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0029BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0029BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0029BC7D
FreeLibrary.KERNEL32(?), ref: 0029BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029BC99
DestroyIcon.USER32(?,?,?,?,?,00299431), ref: 0029BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0029BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0029BCD1

Part of subcall function 0023313D: __wcsicmp_l.LIBCMT ref: 002331C6

Strings

.exe, xrefs: 0029BB04
.icl, xrefs: 0029BAE4
.dll, xrefs: 0029BB27

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8ba37eb16aa4c0d939f87fce0f6beb72a04afa95773a8e1360f2cfe3e2c95ac3
Instruction ID: 3a820aef2025232a9c5470bace96292b20339be7df760754b6373ea8fb5b3514
Opcode Fuzzy Hash: 8ba37eb16aa4c0d939f87fce0f6beb72a04afa95773a8e1360f2cfe3e2c95ac3
Instruction Fuzzy Hash: 7C61E371920215BEEF15DF64EE46FBE77A8EB08710F10411AFD15D61C0DB74A9A4CBA0

Function 0027A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0029FB78), ref: 0027A0FC

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0027A11E
__swprintf.LIBCMT ref: 0027A177
__swprintf.LIBCMT ref: 0027A190
_wprintf.LIBCMT ref: 0027A246
_wprintf.LIBCMT ref: 0027A264

Strings

Line %d (File "%s"):, xrefs: 0027A171, 0027A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0027A241
^ ERROR, xrefs: 0027A1E8
"%s" (%d) : ==> %s:, xrefs: 0027A25F
%*, xrefs: 0027A0C9
Error: , xrefs: 0027A20E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%*
API String ID: 311963372-3195549547
Opcode ID: 6f2d433ed96392a814931ab52992e8c701358c2efcb7bf0ef166c14d201546a8
Instruction ID: e1109268e763f1285458e5cb33d86b7c5999575be4ca231fc76b2e2abbc658d6
Opcode Fuzzy Hash: 6f2d433ed96392a814931ab52992e8c701358c2efcb7bf0ef166c14d201546a8
Instruction Fuzzy Hash: 0351717191010AABCF15EBE0DD4AEEEB7B9AF54300F104165F905721A1EB316FA8CF91

Function 0027A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

CharLowerBuffW.USER32(?,?), ref: 0027A636
GetDriveTypeW.KERNEL32 ref: 0027A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A730

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Strings

open , xrefs: 0027A692
set cd door , xrefs: 0027A6D1
wait, xrefs: 0027A6ED
close, xrefs: 0027A63C
closed, xrefs: 0027A64A, 0027A653
type cdaudio alias cd wait, xrefs: 0027A6AE
close cd wait, xrefs: 0027A71B
open, xrefs: 0027A65D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: d40463a3e3b648579109d65c886d2f249c04b5debc56b506a007c8ac87e5b6bd
Instruction ID: c8b768e580d519f72d9cad7c501b533c1cce91f83aaeda33c5f230199029b241
Opcode Fuzzy Hash: d40463a3e3b648579109d65c886d2f249c04b5debc56b506a007c8ac87e5b6bd
Instruction Fuzzy Hash: D1515D711242099FC700EF10C8919AEB7F8EF94718F14896DF89A57251DB31AE59CF52

Function 0027A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0027A47A
__swprintf.LIBCMT ref: 0027A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0027A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0027A4FE
_memset.LIBCMT ref: 0027A51D
_wcsncpy.LIBCMT ref: 0027A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0027A58E
CloseHandle.KERNEL32(00000000), ref: 0027A599
RemoveDirectoryW.KERNEL32(?), ref: 0027A5A2
CloseHandle.KERNEL32(00000000), ref: 0027A5AC

Strings

\??\%s, xrefs: 0027A496
\, xrefs: 0027A4B2
:, xrefs: 0027A4BD

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 6f4800000522534a26c8ca95cd812bb1de7ab6c513fc6513bd818fa964eca54d
Instruction ID: 6ea1f67286805f29786c5abb7385225e23d186581fcc86f363566b8185d28ab1
Opcode Fuzzy Hash: 6f4800000522534a26c8ca95cd812bb1de7ab6c513fc6513bd818fa964eca54d
Instruction Fuzzy Hash: D031AEB291010AABDB20DFA0DC49FEF37BCEF88711F1041B6FA08D2160E67097648B25

Function 0027DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0027DC7B
_wcscat.LIBCMT ref: 0027DC93
_wcscat.LIBCMT ref: 0027DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0027DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0027DCCE
GetFileAttributesW.KERNEL32(?), ref: 0027DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0027DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0027DD12

Strings

*.*, xrefs: 0027DD51

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: add5bf31263cd7331f20e3f65b03e31178f0119c247bfa573fcdc62a1e7cbda2
Instruction ID: dba322effda726d6d134be6bed1a28e8f5e27567f7a7cea5a23aa475cb5e871b
Opcode Fuzzy Hash: add5bf31263cd7331f20e3f65b03e31178f0119c247bfa573fcdc62a1e7cbda2
Instruction Fuzzy Hash: 368182725242419FCB64EF24C8859AEB7F8BF89314F15C82EF88DC7250E670D994CB51

Function 0029C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0029C4EC
GetFocus.USER32 ref: 0029C4FC
GetDlgCtrlID.USER32(00000000), ref: 0029C507
_memset.LIBCMT ref: 0029C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0029C65D
GetMenuItemCount.USER32(?), ref: 0029C67D
GetMenuItemID.USER32(?,00000000), ref: 0029C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0029C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0029C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0029C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0029C779

Strings

0, xrefs: 0029C62A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: da7947581531e656e98f1c4071d59491312fd4f1088007e0e4c6147e8f4a188a
Instruction ID: 68e498af393523dabc797adc1ef72c6e9d89184849f0f098ca49381b9b5c5008
Opcode Fuzzy Hash: da7947581531e656e98f1c4071d59491312fd4f1088007e0e4c6147e8f4a188a
Instruction Fuzzy Hash: F88171715283029FDB10CF14D988AABBBE9FF88314F20492EF99597291D770D925CF91

Function 002683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0026874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00268766
Part of subcall function 0026874A: GetLastError.KERNEL32(?,0026822A,?,?,?), ref: 00268770
Part of subcall function 0026874A: GetProcessHeap.KERNEL32(00000008,?,?,0026822A,?,?,?), ref: 0026877F
Part of subcall function 0026874A: HeapAlloc.KERNEL32(00000000,?,0026822A,?,?,?), ref: 00268786
Part of subcall function 0026874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026879D

Part of subcall function 002687E7: GetProcessHeap.KERNEL32(00000008,00268240,00000000,00000000,?,00268240,?), ref: 002687F3
Part of subcall function 002687E7: HeapAlloc.KERNEL32(00000000,?,00268240,?), ref: 002687FA
Part of subcall function 002687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00268240,?), ref: 0026880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00268458
_memset.LIBCMT ref: 0026846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0026848C
GetLengthSid.ADVAPI32(?), ref: 0026849D
GetAce.ADVAPI32(?,00000000,?), ref: 002684DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002684F6
GetLengthSid.ADVAPI32(?), ref: 00268513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00268522
HeapAlloc.KERNEL32(00000000), ref: 00268529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0026854A
CopySid.ADVAPI32(00000000), ref: 00268551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00268582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002685A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002685BC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: eb234de364da674fb56bff5d19c680168db5e1e826a03c5c5333893104710aaa
Instruction ID: eea6c0fb4d6c0e92c20823219f08be8568798dbc10e8fab520fa649f0c31004d
Opcode Fuzzy Hash: eb234de364da674fb56bff5d19c680168db5e1e826a03c5c5333893104710aaa
Instruction Fuzzy Hash: 4F613C7191020AEBDF00DF94DD49AAEBBB9FF04300F54826AE915E6291DB319A65CF60

Function 0028762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002876A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002876AE
CreateCompatibleDC.GDI32(?), ref: 002876BA
SelectObject.GDI32(00000000,?), ref: 002876C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0028771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00287757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0028777B
SelectObject.GDI32(00000006,?), ref: 00287783
DeleteObject.GDI32(?), ref: 0028778C
DeleteDC.GDI32(00000006), ref: 00287793
ReleaseDC.USER32(00000000,?), ref: 0028779E

Strings

(, xrefs: 00287723

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5b933ffbd1ea8a3c5f08bfe61ae8ed2ffcfadcf4a9cb64bbf34ea2c8aaec0141
Instruction ID: 79d7d00df6d7de6179647d4c5e1979c05f24d6d28ba8571a1a2989bce7ddaf6b
Opcode Fuzzy Hash: 5b933ffbd1ea8a3c5f08bfe61ae8ed2ffcfadcf4a9cb64bbf34ea2c8aaec0141
Instruction Fuzzy Hash: 0D515875914209EFCB54DFA8DC89EAEBBB9EF48310F24842AE95997250D631A850CB60

Function 00216BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00230B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00216C6C,?,00008000), ref: 00230BB7

Part of subcall function 002148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002148A1,?,?,002137C0,?), ref: 002148CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00216D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00216E5A

Part of subcall function 002159CD: _wcscpy.LIBCMT ref: 00215A05

Part of subcall function 0023387D: _iswctype.LIBCMT ref: 00233885

Strings

Error opening the file, xrefs: 0024E866, 0024E8E1
EA06, xrefs: 0024E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0024E84A
Unterminated string, xrefs: 0024EC0D
AU3!, xrefs: 00216CC1
>>>AUTOIT SCRIPT<<<, xrefs: 0024E8BF
Bad directive syntax error, xrefs: 0024EBC6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3d3f58d0def2fec26bb443ca84a8dd80de99c6929dab49725d82b2a3c11d559e
Instruction ID: 8ad875280a7a567db2956410d6350823a2a34787b33907f136d2c8e53058a7ad
Opcode Fuzzy Hash: 3d3f58d0def2fec26bb443ca84a8dd80de99c6929dab49725d82b2a3c11d559e
Instruction Fuzzy Hash: EB028F711283419FCB24EF24C881AAFBBE5BFA5314F04491DF486972A1DB30D9A9CF42

Function 002145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002145F9
GetMenuItemCount.USER32(002D6890), ref: 0024D7CD
GetMenuItemCount.USER32(002D6890), ref: 0024D87D
GetCursorPos.USER32(?), ref: 0024D8C1
SetForegroundWindow.USER32(00000000), ref: 0024D8CA
TrackPopupMenuEx.USER32(002D6890,00000000,?,00000000,00000000,00000000), ref: 0024D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0024D8E9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: c508bb1f7d4829fc6067cd7f2dc42a4b640d6cb1ccc1d1e2a40b13997c20868c
Instruction ID: 013c495734e5b6ae417f0c9c98758f0634652331bfd3a81223399d4660f6fb8f
Opcode Fuzzy Hash: c508bb1f7d4829fc6067cd7f2dc42a4b640d6cb1ccc1d1e2a40b13997c20868c
Instruction Fuzzy Hash: 6B71F870660246BAFB249F14DC49FAAFFA8FF05358F104216F519A61E1C7B16C70DB90

Function 00288BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00288BEC
CoInitialize.OLE32(00000000), ref: 00288C19
CoUninitialize.OLE32 ref: 00288C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00288D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00288E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002A2C0C), ref: 00288E84
CoGetObject.OLE32(?,00000000,002A2C0C,?), ref: 00288EA7
SetErrorMode.KERNEL32(00000000), ref: 00288EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00288F3A
VariantClear.OLEAUT32(?), ref: 00288F4A

Strings

,,*, xrefs: 00288BD6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,*
API String ID: 2395222682-748471534
Opcode ID: 78b62f307667adec28f1bef12dc936d9e9aa40aa2c6c568f5a2b202d249a7709
Instruction ID: cd55852c233b5adf70fa04a14e25f7eb2fecaede21a9569177c2db3677a413bf
Opcode Fuzzy Hash: 78b62f307667adec28f1bef12dc936d9e9aa40aa2c6c568f5a2b202d249a7709
Instruction Fuzzy Hash: 87C14274228305AFD740EF68C88492BB7E9BF89308F40492DF58ADB291DB71ED55CB52

Function 002910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00290038,?,?), ref: 002910BC

Strings

HKEY_USERS, xrefs: 002911BD
HKU, xrefs: 002911CE
HKEY_LOCAL_MACHINE, xrefs: 00291125
HKEY_CLASSES_ROOT, xrefs: 0029114F
HKCU, xrefs: 002911AC
HKEY_CURRENT_CONFIG, xrefs: 00291179
HKCC, xrefs: 0029118A
HKCR, xrefs: 00291164
HKLM, xrefs: 0029113A
HKEY_CURRENT_USER, xrefs: 0029119B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 355c86983175f5c2fdfb484b0014165f767d08299b94621fb1e3a3a58aa1b4fa
Instruction ID: c43dd2d3c0ad628d46f9dadce86a598b8c13b7698dbf32da462cd64657b68e5f
Opcode Fuzzy Hash: 355c86983175f5c2fdfb484b0014165f767d08299b94621fb1e3a3a58aa1b4fa
Instruction Fuzzy Hash: FB417B7057025F9BCF11EF91D8A1AEB3778EF25300F104558EC955B291DB70A93ACBA0

Function 00275569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Part of subcall function 00217A84: _memmove.LIBCMT ref: 00217B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002755D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002755E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002755F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0027560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027561C

Strings

open , xrefs: 00275581
alias PlayMe, xrefs: 002755AB
close PlayMe, xrefs: 002755E3, 00275610
play PlayMe, xrefs: 00275617
play PlayMe wait, xrefs: 00275606
status PlayMe mode, xrefs: 002755CD

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5251035e75316704f421f2f20b77955460e1339df8429b82ac6e94405cf1f351
Instruction ID: a45bdc79ca17d1d8689985ca7aca011fdb30359e9e582283c7b3b590776afcb2
Opcode Fuzzy Hash: 5251035e75316704f421f2f20b77955460e1339df8429b82ac6e94405cf1f351
Instruction Fuzzy Hash: 68118620AB01AD79D720AAA1DC59DFFBBBCEFE2B04F40056DB405930D1DEA01D65C9A1

Function 002748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0027490E
gethostname.WSOCK32(?,00000100), ref: 00274928
gethostbyname.WSOCK32(?), ref: 00274935
_wcscpy.LIBCMT ref: 0027495D
_memmove.LIBCMT ref: 00274970
inet_ntoa.WSOCK32(?), ref: 0027497B
_strcat.LIBCMT ref: 00274989
_wcscpy.LIBCMT ref: 002749A0
WSACleanup.WSOCK32 ref: 002749AE
_wcscpy.LIBCMT ref: 002749BC

Strings

0.0.0.0, xrefs: 00274957

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: ed068917516d386e7448e220dbe6ce1711a5ed2362b1488583ad0881e994d427
Instruction ID: 71b7b290c97e5c0604a8fb28600bb57d853342efc41cc3d96f07f4ff5ea72e25
Opcode Fuzzy Hash: ed068917516d386e7448e220dbe6ce1711a5ed2362b1488583ad0881e994d427
Instruction Fuzzy Hash: EB11E471A24215EBCB64FB64ED4AEDB77BCDF01710F0441B6F508D6091EFB09AA18A61

Function 00275217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027521C

Part of subcall function 00230719: timeGetTime.WINMM(?,75A4B400,00220FF9), ref: 0023071D

Sleep.KERNEL32(0000000A), ref: 00275248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0027526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0027528E
SetActiveWindow.USER32 ref: 002752AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002752BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 002752DA
Sleep.KERNEL32(000000FA), ref: 002752E5
IsWindow.USER32 ref: 002752F1
EndDialog.USER32(00000000), ref: 00275302

Strings

BUTTON, xrefs: 00275280

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: adfbe13de2806a58d4985acb6324be6b01b9aa8f26152225e8ffbe899e9a48cc
Instruction ID: 1042fcf9400c1c7194a76142b88ef4818c0fd8f1bd292d4528d0a881a57d4f22
Opcode Fuzzy Hash: adfbe13de2806a58d4985acb6324be6b01b9aa8f26152225e8ffbe899e9a48cc
Instruction Fuzzy Hash: 0021C370615706AFE7805F70FE8CB26BB6AEB45386F40446AFC0DC11B5DBB59C209B62

Function 0027D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

CoInitialize.OLE32(00000000), ref: 0027D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0027D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0027D8FC
CoCreateInstance.OLE32(002A2D7C,00000000,00000001,002CA89C,?), ref: 0027D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0027D9B7
CoTaskMemFree.OLE32(?,?), ref: 0027DA0F
_memset.LIBCMT ref: 0027DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0027DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0027DAAB
CoTaskMemFree.OLE32(00000000), ref: 0027DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0027DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0027DAEB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 034cf40c711828f74322be6d612f21fad150ae60aa18745aa30a26ce0b661fe0
Instruction ID: bdac573131c881744b6b22959f08c1b853ec3c799927df58f16ab47e853862f4
Opcode Fuzzy Hash: 034cf40c711828f74322be6d612f21fad150ae60aa18745aa30a26ce0b661fe0
Instruction Fuzzy Hash: F8B1FA75A10109AFDB44DFA4C989EAEBBF9FF48304B148469E509EB251DB30ED91CF50

Function 0027052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002705A7
SetKeyboardState.USER32(?), ref: 00270612
GetAsyncKeyState.USER32(000000A0), ref: 00270632
GetKeyState.USER32(000000A0), ref: 00270649
GetAsyncKeyState.USER32(000000A1), ref: 00270678
GetKeyState.USER32(000000A1), ref: 00270689
GetAsyncKeyState.USER32(00000011), ref: 002706B5
GetKeyState.USER32(00000011), ref: 002706C3
GetAsyncKeyState.USER32(00000012), ref: 002706EC
GetKeyState.USER32(00000012), ref: 002706FA
GetAsyncKeyState.USER32(0000005B), ref: 00270723
GetKeyState.USER32(0000005B), ref: 00270731

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: da7186df5075886555f1e4f1f5b44c86d2b2cfb2e90efbcbf026363dd06555a9
Instruction ID: 073431447b470e2e23043b2bb4e63b2764eac8e3f145b65bd6a36e1f1bb73288
Opcode Fuzzy Hash: da7186df5075886555f1e4f1f5b44c86d2b2cfb2e90efbcbf026363dd06555a9
Instruction Fuzzy Hash: 3D511B20A1478559FB34DFB088947EAFFB49F01380F48C59AD5CA5A1C2DA74AB6CCF51

Function 0026C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0026C746
GetWindowRect.USER32(00000000,?), ref: 0026C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0026C7B6
GetDlgItem.USER32(?,00000002), ref: 0026C7C1
GetWindowRect.USER32(00000000,?), ref: 0026C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0026C827
GetDlgItem.USER32(?,000003E9), ref: 0026C835
GetWindowRect.USER32(00000000,?), ref: 0026C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0026C889
GetDlgItem.USER32(?,000003EA), ref: 0026C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0026C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0026C8C1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 73c5c19282c75802c96479769b5de5ac7e02f4e48af3a3a7d1bc3d760b293e5a
Instruction ID: ed1c1b97894bd3f30bca6bf314867a76a4d95b5e8d3e72a5505b17d9a11af39d
Opcode Fuzzy Hash: 73c5c19282c75802c96479769b5de5ac7e02f4e48af3a3a7d1bc3d760b293e5a
Instruction Fuzzy Hash: 51514D71B10205ABDB58DFA8DD89AAEBBBAEB88310F24812DF516D7290D7709D508B50

Function 0021201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00211B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00212036,?,00000000,?,?,?,?,002116CB,00000000,?), ref: 00211B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002120D3
KillTimer.USER32(-00000001,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0021216E
DestroyAcceleratorTable.USER32(00000000), ref: 0024BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0024BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0024BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0024BF5A
DeleteObject.GDI32(00000000), ref: 0024BF6C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 00ffd5508ff73a24bb2e6a7d0c76495f6a53e38587700ffa962eda73cbd26d18
Instruction ID: d0fd32b6c6463fac4ff006a04948ead18dac452dd8c0fbb02582aefd2bbcfe6a
Opcode Fuzzy Hash: 00ffd5508ff73a24bb2e6a7d0c76495f6a53e38587700ffa962eda73cbd26d18
Instruction Fuzzy Hash: 72617A30521602EFDB2A9F14E94CB69B7F1FB64316F11452AF14686960C7B5ACB8EF80

Function 002121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC

GetSysColor.USER32(0000000F), ref: 002121D3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f1e15b2cfa87bb26dbf405e1e5ae03e5ec9af0564a0a55df2bf824c3c8688065
Instruction ID: d1b59ed4b74388b87b4202e6ea1b63beb5dd70565a95dcb656214e4e475a8846
Opcode Fuzzy Hash: f1e15b2cfa87bb26dbf405e1e5ae03e5ec9af0564a0a55df2bf824c3c8688065
Instruction Fuzzy Hash: C941E331110141EBDB655F28EC48BFD37A5EB16331F284266FD69CA1E2C7318CA6DB51

Function 0027AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0029F910), ref: 0027AB76
GetDriveTypeW.KERNEL32(00000061,002CA620,00000061), ref: 0027AC40
_wcscpy.LIBCMT ref: 0027AC6A

Strings

fixed, xrefs: 0027ABBE
cdrom, xrefs: 0027AB92
all, xrefs: 0027AB7C
ramdisk, xrefs: 0027ABEA
network, xrefs: 0027ABD4
unknown, xrefs: 0027AC01
removable, xrefs: 0027ABA8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 86cb665d3b20c1f90f95a238a13ba1eaf7004bdd8df38c7e440ca6881226efa3
Instruction ID: d1c92d5075e5595ca638b55046418322ae9a02b59e20bc1a383c3cd7ee5977d6
Opcode Fuzzy Hash: 86cb665d3b20c1f90f95a238a13ba1eaf7004bdd8df38c7e440ca6881226efa3
Instruction Fuzzy Hash: 9B51B0301383069BC710EF14C891AAFB7E9EF95314F50882DF49A572A2DB319DA9CA53

Function 0029C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

Part of subcall function 00212344: GetCursorPos.USER32(?), ref: 00212357
Part of subcall function 00212344: ScreenToClient.USER32(002D67B0,?), ref: 00212374
Part of subcall function 00212344: GetAsyncKeyState.USER32(00000001), ref: 00212399
Part of subcall function 00212344: GetAsyncKeyState.USER32(00000002), ref: 002123A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0029C2E4
ImageList_EndDrag.COMCTL32 ref: 0029C2EA
ReleaseCapture.USER32 ref: 0029C2F0
SetWindowTextW.USER32(?,00000000), ref: 0029C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0029C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0029C48F

Strings

@GUI_DROPID, xrefs: 0029C3E1
pr-, xrefs: 0029C438
pr-, xrefs: 0029C3FD
@GUI_DRAGFILE, xrefs: 0029C424

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr-$pr-
API String ID: 1924731296-2999845695
Opcode ID: fac69f50cc18cb9e51f4d058662055aac82cfb543dd1b4bc4e0025a8c3a5bd82
Instruction ID: 51720e3a719fb94fe018b788a249d283eb72971cbe93010cbc68da7a7d70fd70
Opcode Fuzzy Hash: fac69f50cc18cb9e51f4d058662055aac82cfb543dd1b4bc4e0025a8c3a5bd82
Instruction Fuzzy Hash: 5D51AD70614345AFDB00EF24D899FAA7BE5FF88310F10452EF9558B2A1DB309968CF52

Function 00219997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002199C2
__swprintf.LIBCMT ref: 00219A0C
__i64tow.LIBCMT ref: 0024FA0F

Strings

False, xrefs: 0024F9D7
%.15g, xrefs: 00219A06
True, xrefs: 0024F9D0
0x%p, xrefs: 0024F9F1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f4c61aeb1b38f4b95c916f290637efddbb95e4f77fa78ceae8b1ba6e7ea3fe6e
Instruction ID: 850078140cbdf97110b0b9087c9bcb0bb985eb91b44ba0d01cedfa4b6e45f933
Opcode Fuzzy Hash: f4c61aeb1b38f4b95c916f290637efddbb95e4f77fa78ceae8b1ba6e7ea3fe6e
Instruction Fuzzy Hash: D941C57163420AEFDB28DF38D942FB673E8EF45300F20486EE549D6291EA7199A1CB11

Function 002973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002973D9
CreateMenu.USER32 ref: 002973F4
SetMenu.USER32(?,00000000), ref: 00297403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00297490
IsMenu.USER32(?), ref: 002974A6
CreatePopupMenu.USER32 ref: 002974B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002974DD
DrawMenuBar.USER32 ref: 002974E5

Strings

F, xrefs: 002974D1
0, xrefs: 002973CF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 098bb5de82abea213df71f9eb11478f002e7f24838e4acfbebf97823fa594b89
Instruction ID: c711708c59a22f1f8066f8d9a06dcb8c05368830c3f4908b5782aca0ebfebc92
Opcode Fuzzy Hash: 098bb5de82abea213df71f9eb11478f002e7f24838e4acfbebf97823fa594b89
Instruction Fuzzy Hash: 9A414575A2120AEFDF20DF64E988A9ABBB9FF49300F144029E955A7361D731AD20CF50

Function 0029772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002977CD
CreateCompatibleDC.GDI32(00000000), ref: 002977D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002977E7
SelectObject.GDI32(00000000,00000000), ref: 002977EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 002977FA
DeleteDC.GDI32(00000000), ref: 00297803
GetWindowLongW.USER32(?,000000EC), ref: 0029780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00297821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0029782D

Strings

static, xrefs: 00297765

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 98187f207a9697978711f75ee35cf20c909d3ef460a44ed07bdaadea5396c591
Instruction ID: 6ece40ec9911929cd91cd75390b83be8fd3e3c644e4542d4beffb331876b42da
Opcode Fuzzy Hash: 98187f207a9697978711f75ee35cf20c909d3ef460a44ed07bdaadea5396c591
Instruction Fuzzy Hash: A0316D31125215ABDF529FA4ED0DFDA3B6DFF09360F110226FA15E60A0D731D821DBA4

Function 00237040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0023707B

Part of subcall function 00238D68: __getptd_noexit.LIBCMT ref: 00238D68

__gmtime64_s.LIBCMT ref: 00237114
__gmtime64_s.LIBCMT ref: 0023714A
__gmtime64_s.LIBCMT ref: 00237167
__allrem.LIBCMT ref: 002371BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002371D9
__allrem.LIBCMT ref: 002371F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023720E
__allrem.LIBCMT ref: 00237225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00237243
__invoke_watson.LIBCMT ref: 002372B4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 0037fe937744195d51db0898b8f41fcdba53a5b700dd905703525247de2306fc
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8771CCF1A24717ABEB28DE79CC4175BB3A8AF15720F14422AF914E7681E770DD608B90

Function 00272A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272A31
GetMenuItemInfoW.USER32(002D6890,000000FF,00000000,00000030), ref: 00272A92
SetMenuItemInfoW.USER32(002D6890,00000004,00000000,00000030), ref: 00272AC8
Sleep.KERNEL32(000001F4), ref: 00272ADA
GetMenuItemCount.USER32(?), ref: 00272B1E
GetMenuItemID.USER32(?,00000000), ref: 00272B3A
GetMenuItemID.USER32(?,-00000001), ref: 00272B64
GetMenuItemID.USER32(?,?), ref: 00272BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00272BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00272C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00272C24

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 919e84bb8dcff6f50424fbc86ababce7f162790148444ebcb60408614b0e4984
Instruction ID: 8e155fa1a60f229a9bf6746a14605bf9d409f9a9dc0d7a7621b48cb50d6d84cd
Opcode Fuzzy Hash: 919e84bb8dcff6f50424fbc86ababce7f162790148444ebcb60408614b0e4984
Instruction Fuzzy Hash: EF61B3B092024AEFDB11CF64DD88EBE7BB8FB11308F14845AE84593251D731AD69DB21

Function 00297192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00297214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00297217
GetWindowLongW.USER32(?,000000F0), ref: 0029723B
_memset.LIBCMT ref: 0029724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0029725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002972D6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 891a8f76b60f197ca7e2fba8f30381dd0edd340fa8c37091ff43c438806b9ec1
Instruction ID: d02808dfd248661f199349212d2792c9fb908f8999f4462d3a3a13a184339f24
Opcode Fuzzy Hash: 891a8f76b60f197ca7e2fba8f30381dd0edd340fa8c37091ff43c438806b9ec1
Instruction Fuzzy Hash: AE617B71A20208AFDB10DFA4CC85EEE77F8EB09710F14419AFA14E72A1D770AD55DBA4

Function 0026710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00267135
SafeArrayAllocData.OLEAUT32(?), ref: 0026718E
VariantInit.OLEAUT32(?), ref: 002671A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 002671C0
VariantCopy.OLEAUT32(?,?), ref: 00267213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00267227
VariantClear.OLEAUT32(?), ref: 0026723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00267249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00267252
VariantClear.OLEAUT32(?), ref: 00267264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0026726F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7c856ffb3d1a6ccd01f1bb591fe3ea7b3fea67d3b78ceaeea862e789c402b5de
Instruction ID: bf265378013864bc052f161923c2aa083b244104d397566998dc91631799d739
Opcode Fuzzy Hash: 7c856ffb3d1a6ccd01f1bb591fe3ea7b3fea67d3b78ceaeea862e789c402b5de
Instruction Fuzzy Hash: D3415235A10119AFCF40DF64E9589EEBBB9FF48354F00806AF915E7261CB30A995CF90

Function 002886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

CoInitialize.OLE32 ref: 00288718
CoUninitialize.OLE32 ref: 00288723
CoCreateInstance.OLE32(?,00000000,00000017,002A2BEC,?), ref: 00288783
IIDFromString.OLE32(?,?), ref: 002887F6
VariantInit.OLEAUT32(?), ref: 00288890
VariantClear.OLEAUT32(?), ref: 002888F1

Strings

Invalid parameter, xrefs: 0028880F
NULL Pointer assignment, xrefs: 002887C8
Failed to create object, xrefs: 0028878E, 00288844

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 0a16b094ca4d6cc55040820cd154f7a05a3c65a23c431971ce514aea1ea60c18
Instruction ID: 9b6b19a86d9bc892bfd1f0d8d24ef0d5156e88c4379cf0298101ceb44a52f02f
Opcode Fuzzy Hash: 0a16b094ca4d6cc55040820cd154f7a05a3c65a23c431971ce514aea1ea60c18
Instruction Fuzzy Hash: 9F61E1386293019FD710EF24C948F6ABBE4AF48714F90481DF9859B2D1DB70EDA4CB92

Function 00285A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00285AA6
inet_addr.WSOCK32(?,?,?), ref: 00285AEB
gethostbyname.WSOCK32(?), ref: 00285AF7
IcmpCreateFile.IPHLPAPI ref: 00285B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00285B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00285B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00285C00
WSACleanup.WSOCK32 ref: 00285C06

Strings

Ping, xrefs: 00285B29

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b5635833cc3512b5294122f2199813e65c8d8090fdaef526c2a5543a378eae80
Instruction ID: 6be3357fd85eb55b018de11c58cea36c4e6eed37bc16f7bf67c10ae11f1eccb4
Opcode Fuzzy Hash: b5635833cc3512b5294122f2199813e65c8d8090fdaef526c2a5543a378eae80
Instruction Fuzzy Hash: C451CD352247119FDB10AF24DC89B6ABBE0EF58314F04896AF55ADB2E0DB70EC608F41

Function 0027B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0027B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0027B7B1
GetLastError.KERNEL32 ref: 0027B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0027B828

Strings

READONLY, xrefs: 0027B7F3
READY, xrefs: 0027B801
INVALID, xrefs: 0027B7FA
NOTREADY, xrefs: 0027B7E7
UNKNOWN, xrefs: 0027B7E0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ddbcb15c52af8db6f6c4f2e777c29cadbfe61b19226f7810bac126165175abf2
Instruction ID: 20d86037d2d3bbd665d5a2807253e94d0a71990de565dcf00bfe06e1ff74d4cb
Opcode Fuzzy Hash: ddbcb15c52af8db6f6c4f2e777c29cadbfe61b19226f7810bac126165175abf2
Instruction Fuzzy Hash: 5E31B635A202099FDB05EF64C889FFEB7B8EF45704F108129F509D7291DB719962CB51

Function 00269471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002694F6
GetDlgCtrlID.USER32 ref: 00269501
GetParent.USER32 ref: 0026951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00269520
GetDlgCtrlID.USER32(?), ref: 00269529
GetParent.USER32(?), ref: 00269545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00269548

Strings

ListBox, xrefs: 002694B3
ComboBox, xrefs: 0026947E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c73fc50e1582d4f11809bd22c3bcb97ce99b9b627e6f3557755631dd87e1c59e
Instruction ID: 7bfa411adad43377db54b5703cc48685013a05a37675e4c8a079ad74e19aa444
Opcode Fuzzy Hash: c73fc50e1582d4f11809bd22c3bcb97ce99b9b627e6f3557755631dd87e1c59e
Instruction Fuzzy Hash: 9921C474A10204BBCF05AF64CC89EFEBBB9EF55300F10016AB562972A1DF7559A9DF20

Function 0026955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002695DF
GetDlgCtrlID.USER32 ref: 002695EA
GetParent.USER32 ref: 00269606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00269609
GetDlgCtrlID.USER32(?), ref: 00269612
GetParent.USER32(?), ref: 0026962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00269631

Strings

ListBox, xrefs: 0026959E
ComboBox, xrefs: 00269569

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8c7c78d116d1a0aedce198f411a267eb38d0fd29e7e556fb96a1f0ac1ad38d8f
Instruction ID: 413b035e8f732e99fb0cb2ff6a1107f25ee11c90750494671351402c00376e0a
Opcode Fuzzy Hash: 8c7c78d116d1a0aedce198f411a267eb38d0fd29e7e556fb96a1f0ac1ad38d8f
Instruction Fuzzy Hash: 7321B675A10204BBDF01AB60CC89EFEBBBDEF55300F100156F522972A1DB7555A99E20

Function 00269645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00269651
GetClassNameW.USER32(00000000,?,00000100), ref: 00269666
_wcscmp.LIBCMT ref: 00269678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002696F3

Strings

smallicons, xrefs: 002696BB
details, xrefs: 002696A1
largeicons, xrefs: 00269687
list, xrefs: 002696D5
SHELLDLL_DefView, xrefs: 00269672

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 894a0bea726701971bb920ca7ff13dbabefaa2183d793db08f71e07f992cd947
Instruction ID: bb24ea9529828f7544c05e8422404458be9167778e624608a69dc35d400d5391
Opcode Fuzzy Hash: 894a0bea726701971bb920ca7ff13dbabefaa2183d793db08f71e07f992cd947
Instruction Fuzzy Hash: 3A11CDB6168307BAFA016A24DC0BEA6779CDB05770F200117F914E50D1FEB19AF14A58

Function 00274189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0027419D
__swprintf.LIBCMT ref: 002741AA

Part of subcall function 002338D8: __woutput_l.LIBCMT ref: 00233931

FindResourceW.KERNEL32(?,?,0000000E), ref: 002741D4
LoadResource.KERNEL32(?,00000000), ref: 002741E0
LockResource.KERNEL32(00000000), ref: 002741ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0027420D
LoadResource.KERNEL32(?,00000000), ref: 0027421F
SizeofResource.KERNEL32(?,00000000), ref: 0027422E
LockResource.KERNEL32(?), ref: 0027423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0027429B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 76185cb0bafd4e4cc1b80a9aea87890a80e9fca569efbd59e68b5a34959a6ba3
Instruction ID: c278046e07850c18a0d3bae4c14ce7ce33e6e7931eadeae9137162cc4ecb916c
Opcode Fuzzy Hash: 76185cb0bafd4e4cc1b80a9aea87890a80e9fca569efbd59e68b5a34959a6ba3
Instruction Fuzzy Hash: 6531B0B1A1521AABDB41AF60ED48EBF7BACEF04301F008526FD09D2151E774DE718BA0

Function 002716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00271700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00270778,?,00000001), ref: 00271714
GetWindowThreadProcessId.USER32(00000000), ref: 0027171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270778,?,00000001), ref: 0027172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270778,?,00000001), ref: 00271755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270778,?,00000001), ref: 00271767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00270778,?,00000001), ref: 002717AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00270778,?,00000001), ref: 002717C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00270778,?,00000001), ref: 002717CC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 65aa59a93fa3077551ac007687edb0942614826b63bf88a4fdbb01a28d9112c8
Instruction ID: ab9759e3d7d3b5ad1dcb8fcc9745344bd5f8830064497f2440814dc8f008ea0a
Opcode Fuzzy Hash: 65aa59a93fa3077551ac007687edb0942614826b63bf88a4fdbb01a28d9112c8
Instruction Fuzzy Hash: D631B175A12305BFEB659F18FD8CB69B7ADEF25711F208016F808D62A0E7B49D608B50

Function 00289428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028947C
VariantInit.OLEAUT32(?), ref: 0028954D
VariantInit.OLEAUT32(?), ref: 0028964E
VariantClear.OLEAUT32(?), ref: 00289658
VariantClear.OLEAUT32(?), ref: 002896B5

Strings

,,*, xrefs: 002894FA
Null Object assignment in FOR..IN loop, xrefs: 002894DD, 0028960B, 002896C3
Incorrect Object type in FOR..IN loop, xrefs: 00289631

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,*$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-313974470
Opcode ID: 7faf185fa8cd9e634a4ca537df2d416f8f33cdf7494c0183e514bd8f075a832c
Instruction ID: 0c49744005939efa17501de3fba9c892661eeba4e4d4b9788c98abd05d1c45b1
Opcode Fuzzy Hash: 7faf185fa8cd9e634a4ca537df2d416f8f33cdf7494c0183e514bd8f075a832c
Instruction Fuzzy Hash: 9791F474A21219AFDF24EFA5C848FBEB7B8EF45314F188119F505AB280D7709995CFA0

Function 0026A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0026AA64), ref: 0026A9A2

Strings

CLASS, xrefs: 0026A721
REGEXPCLASS, xrefs: 0026A767
CLASSNN, xrefs: 0026A744
TEXT, xrefs: 0026A8D9
INSTANCE, xrefs: 0026A8B0
NAME, xrefs: 0026A7D4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: f9a0e785bddc36c853ea5010c2e9086abccfae94e1ffff30f8b0ae8758611241
Instruction ID: fb8eccec3c4816c82ec62c1b7046f8f783b25ec567e59b57eaa9d6f8b076094a
Opcode Fuzzy Hash: f9a0e785bddc36c853ea5010c2e9086abccfae94e1ffff30f8b0ae8758611241
Instruction Fuzzy Hash: D6916570520606EADB18DF60C491BE9FBB5FF14304F608119D59AB7191DB306AF9CFA1

Function 00212E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00212EAE

Part of subcall function 00211DB3: GetClientRect.USER32(?,?), ref: 00211DDC
Part of subcall function 00211DB3: GetWindowRect.USER32(?,?), ref: 00211E1D
Part of subcall function 00211DB3: ScreenToClient.USER32(?,?), ref: 00211E45

GetDC.USER32 ref: 0024CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0024CF95
SelectObject.GDI32(00000000,00000000), ref: 0024CFA3
SelectObject.GDI32(00000000,00000000), ref: 0024CFB8
ReleaseDC.USER32(?,00000000), ref: 0024CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0024D04B

Strings

U, xrefs: 0024CF20

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 81329daad751ded5b04f20d1d5bd1280bee8408f61aa02037f827b632e2e0bc0
Instruction ID: 005ab79993f51dbeb615f7e08f3ff99b445aeb10bbe69b8d6ce89dab51a61c8c
Opcode Fuzzy Hash: 81329daad751ded5b04f20d1d5bd1280bee8408f61aa02037f827b632e2e0bc0
Instruction Fuzzy Hash: F471D230520206DFCF258F68C884AEA7BB6FF59310F24426AFD559A165C7319CB5DF60

Function 00288F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0029F910), ref: 0028903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0029F910), ref: 00289071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002891EB
SysFreeString.OLEAUT32(?), ref: 00289215

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dd014b6a5f3aa84d3b461142f6eb8de190437f539672e38e29f2d0862e94eea6
Instruction ID: 4e672f0d6bd2905b3236d339c651bb0dd2975990a3f3ed82761f0bbbbcfadf57
Opcode Fuzzy Hash: dd014b6a5f3aa84d3b461142f6eb8de190437f539672e38e29f2d0862e94eea6
Instruction Fuzzy Hash: B3F13A75A1010AEFDB04EF94C888EBEB7B9FF49314F148099F515AB290CB31AE95CB50

Function 0028F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0028FD90
CloseHandle.KERNEL32(?), ref: 0028FDBF
CloseHandle.KERNEL32(?), ref: 0028FE36

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: c49e851736122b9c9a2dccec6675fcf280f9f26610e5f33a1ee1a94df334b419
Instruction ID: adf7d52d2929a2279ce84615ed743dba34a9d485d619d64198405b41b45f1323
Opcode Fuzzy Hash: c49e851736122b9c9a2dccec6675fcf280f9f26610e5f33a1ee1a94df334b419
Instruction Fuzzy Hash: CEE1C135224341DFCB54EF24C591A6ABBE0AF88314F14846DF8998B2E2DB31DC64CF52

Function 00274F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002738D3,?), ref: 002748C7

Part of subcall function 002748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002738D3,?), ref: 002748E0

Part of subcall function 00274CD3: GetFileAttributesW.KERNEL32(?,00273947), ref: 00274CD4

lstrcmpiW.KERNEL32(?,?), ref: 00274FE2
_wcscmp.LIBCMT ref: 00274FFC
MoveFileW.KERNEL32(?,?), ref: 00275017

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 3a0790c5c68bfd321a534d3911345ed1a2f1723983d32cc526c99658f956d7af
Instruction ID: 79343f83ee393ebd97d87b34d2a88c696c2425abcd274680ed849e886f03dfa2
Opcode Fuzzy Hash: 3a0790c5c68bfd321a534d3911345ed1a2f1723983d32cc526c99658f956d7af
Instruction Fuzzy Hash: C35181B25187859BC764EF60D8819DFB3ECAF85301F00492EF289C7151EF74A2988B66

Function 002988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0029896E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7dc9634e1c0a7cbaea4898e47b3acf3aa43bb52c4b4e8b61ac4c3dd6eb599e38
Instruction ID: 61c0d23e6b3d3bc335d0a4122e76424c6d8869c5e624a8ccdfeec92db5d09b26
Opcode Fuzzy Hash: 7dc9634e1c0a7cbaea4898e47b3acf3aa43bb52c4b4e8b61ac4c3dd6eb599e38
Instruction Fuzzy Hash: 38519630520209BFEF209F24DC89BA97BA5FF06350F684116F915E62A1DF71ADB09B51

Function 00212B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0024C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0024C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0024C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0024C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0024C5C0
DestroyIcon.USER32(00000000), ref: 0024C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0024C5EC
DestroyIcon.USER32(?), ref: 0024C5FB

Part of subcall function 0029A71E: DeleteObject.GDI32(00000000), ref: 0029A757

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 94ee8f72331ac2e97d05ef0e8c6e33928ba7170ddd2ce5ea17a4caf25a7e8ad0
Instruction ID: caef040b95766a5834e9c90f8a9dfc0d85a0d5e6579627415991ee36f60ab009
Opcode Fuzzy Hash: 94ee8f72331ac2e97d05ef0e8c6e33928ba7170ddd2ce5ea17a4caf25a7e8ad0
Instruction Fuzzy Hash: 2D517B74A20209EFDB64DF24DC49BAA77E5EB54314F204529F902E7290DBB0EDA4DB50

Function 00268E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00268A84,00000B00,?,?), ref: 00268E0C
HeapAlloc.KERNEL32(00000000,?,00268A84,00000B00,?,?), ref: 00268E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00268A84,00000B00,?,?), ref: 00268E28
GetCurrentProcess.KERNEL32(?,00000000,?,00268A84,00000B00,?,?), ref: 00268E30
DuplicateHandle.KERNEL32(00000000,?,00268A84,00000B00,?,?), ref: 00268E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00268A84,00000B00,?,?), ref: 00268E43
GetCurrentProcess.KERNEL32(00268A84,00000000,?,00268A84,00000B00,?,?), ref: 00268E4B
DuplicateHandle.KERNEL32(00000000,?,00268A84,00000B00,?,?), ref: 00268E4E
CreateThread.KERNEL32(00000000,00000000,00268E74,00000000,00000000,00000000), ref: 00268E68

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 56a273f3f94868af2d195477a65ba973f98558593e88311ab6bd0594aee77c21
Instruction ID: 10cfc9effb0af6fb9fd700745013184df012a6ca63413ab29b697b3eeee9b03e
Opcode Fuzzy Hash: 56a273f3f94868af2d195477a65ba973f98558593e88311ab6bd0594aee77c21
Instruction Fuzzy Hash: 5B01BF75640304FFE790AB65ED4DF5B3B6CEB89711F104422FA09DB1A1CA719C10CB64

Function 00289A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00267652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?,?,0026799D), ref: 0026766F
Part of subcall function 00267652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?), ref: 0026768A
Part of subcall function 00267652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?), ref: 00267698
Part of subcall function 00267652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?), ref: 002676A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00289B1B
_memset.LIBCMT ref: 00289B28
_memset.LIBCMT ref: 00289C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00289C97
CoTaskMemFree.OLE32(?), ref: 00289CA2

Strings

NULL Pointer assignment, xrefs: 00289CF0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b8b95d5ed33cb130a18032597e1a0d88e4779ca756277600103ff476f900b22f
Instruction ID: 2be45db80acb26720531c96e44971458cde38ff87e6aabbba7f74cebd6138313
Opcode Fuzzy Hash: b8b95d5ed33cb130a18032597e1a0d88e4779ca756277600103ff476f900b22f
Instruction Fuzzy Hash: 1A915C71D11229EBDB10EFA4DC84AEEBBB9BF08310F14415AF419A7281DB715A94CFA0

Function 00296FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00297093
SendMessageW.USER32(?,00001036,00000000,?), ref: 002970A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002970C1
_wcscat.LIBCMT ref: 0029711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00297133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00297161

Strings

SysListView32, xrefs: 00297065

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 721862eb384036d54bb93b9ff7ae772cee77efc57a8a1814c67051e1b6a3aa17
Instruction ID: f27fd8372fc5b4b36f8d69b640940014f7ea42bc1a3e4820499c36764739a553
Opcode Fuzzy Hash: 721862eb384036d54bb93b9ff7ae772cee77efc57a8a1814c67051e1b6a3aa17
Instruction Fuzzy Hash: 9B419371A24309AFEF219F64DC89BEE77E8EF08350F10052AF558E7191D7729DA48B50

Function 0028EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00273E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00273EB6
Part of subcall function 00273E91: Process32FirstW.KERNEL32(00000000,?), ref: 00273EC4
Part of subcall function 00273E91: CloseHandle.KERNEL32(00000000), ref: 00273F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028ECB8
GetLastError.KERNEL32 ref: 0028ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0028ED77
GetLastError.KERNEL32(00000000), ref: 0028ED82
CloseHandle.KERNEL32(00000000), ref: 0028EDB7

Strings

SeDebugPrivilege, xrefs: 0028ECD6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f55efefeb519af65ec1fa3fcca99c91d5220a6fc1b134d837720916c79555d05
Instruction ID: bfa9e0da231fcf07d4dacc14e0e7c6bc2735b3bf652d6c6503efab3e9194ab01
Opcode Fuzzy Hash: f55efefeb519af65ec1fa3fcca99c91d5220a6fc1b134d837720916c79555d05
Instruction Fuzzy Hash: 6E41C0712202019FDB14EF24CC99F6DB7A5AF80714F188059F8469F2D2DBB5AC68CF96

Function 00273226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002732C5

Strings

question, xrefs: 0027327E
stop, xrefs: 00273296
info, xrefs: 00273266
warning, xrefs: 002732AE
blank, xrefs: 00273247

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d82c83c5a50c15c019816998bfe411c86257677fb43b96a392309f57802b39d5
Instruction ID: 83ff5f297134ac0deedd93b6f6f3ac295ab2d39eecf2ace0a99d5fa5ab48c440
Opcode Fuzzy Hash: d82c83c5a50c15c019816998bfe411c86257677fb43b96a392309f57802b39d5
Instruction Fuzzy Hash: F7115B31268357BAAB01DE54DC43DAAB3DCDF09374F10402AFD08A6183D6B19F201AA5

Function 00274534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0027454E
LoadStringW.USER32(00000000), ref: 00274555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0027456B
LoadStringW.USER32(00000000), ref: 00274572
_wprintf.LIBCMT ref: 00274598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002745B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00274593

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3461a53149c0ce641ad0f357090aecccca3df74052e4097002c09438fee01a0e
Instruction ID: 75cbd79b52dfdcc833ac6be614535c3706b754a4a2b96d5933f6005aa6eb406d
Opcode Fuzzy Hash: 3461a53149c0ce641ad0f357090aecccca3df74052e4097002c09438fee01a0e
Instruction Fuzzy Hash: EB0144F2510208BFE791A7949E8DEF6776CD708301F4005A6B749D2051E6745E958B74

Function 0029D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

GetSystemMetrics.USER32(0000000F), ref: 0029D78A
GetSystemMetrics.USER32(0000000F), ref: 0029D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0029D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0029DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0029DA24
ShowWindow.USER32(00000003,00000000), ref: 0029DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0029DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0029DA8B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7268f616c9ab4f2f01aedb5b81d925f6ba3d1ee6c51c2da1b7f5d5ff22874c8f
Instruction ID: 721f6bf67c7eb7323e4f6ec08c6ddfdc4d8748bc749ffa985c349bbf89d4c058
Opcode Fuzzy Hash: 7268f616c9ab4f2f01aedb5b81d925f6ba3d1ee6c51c2da1b7f5d5ff22874c8f
Instruction Fuzzy Hash: 17B17A75A10226EBDF14CF69C9C97AD7BB1FF44701F08806AEC489B295D734AD60EB50

Function 00212A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0024C417,00000004,00000000,00000000,00000000), ref: 00212ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0024C417,00000004,00000000,00000000,00000000,000000FF), ref: 00212B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0024C417,00000004,00000000,00000000,00000000), ref: 0024C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0024C417,00000004,00000000,00000000,00000000), ref: 0024C4D6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 60381ed5df00da5ece231af920c5c2db0277bdc30c9eb9e0681dada81b62e42a
Instruction ID: da46dfa6a84e9b91141cc91ce3e7ed3b18e8c885c4cf4939afa9a7d244c60e6e
Opcode Fuzzy Hash: 60381ed5df00da5ece231af920c5c2db0277bdc30c9eb9e0681dada81b62e42a
Instruction Fuzzy Hash: EA413A31238681DAC7B98F2C9D9C7FA7BD5AF65300F34841AF08786560D67598F9D720

Function 00277368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0027737F

Part of subcall function 00230FF6: std::exception::exception.LIBCMT ref: 0023102C
Part of subcall function 00230FF6: __CxxThrowException@8.LIBCMT ref: 00231041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002773B6
EnterCriticalSection.KERNEL32(?), ref: 002773D2
_memmove.LIBCMT ref: 00277420
_memmove.LIBCMT ref: 0027743D
LeaveCriticalSection.KERNEL32(?), ref: 0027744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00277461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00277480

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a6d0c66774bd33315d71aaad38b70bc3219a2d59778c6dfcbe7efcc8cc564ae3
Instruction ID: b3f1527b4fe2c76b4d86eea9bfc61a9743ffc37780a3d35f9a0e0565547a5e7e
Opcode Fuzzy Hash: a6d0c66774bd33315d71aaad38b70bc3219a2d59778c6dfcbe7efcc8cc564ae3
Instruction Fuzzy Hash: B5318F71904205EBDF50DF64DD89AAE7BB8EF44710F1481A6FD04EB256DB309E20CBA0

Function 00296442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0029645A
GetDC.USER32(00000000), ref: 00296462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0029646D
ReleaseDC.USER32(00000000,00000000), ref: 00296479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002964B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002964C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00299299,?,?,000000FF,00000000,?,000000FF,?), ref: 00296500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00296520

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1df44e24ca74dc5cdc0ba8af19786b534fa89807ea7c9f7c11fbc3fa013c4581
Instruction ID: 41e7eadf620fbc1bb4a322534ae68d77ddcaeb6340be000e953b2bae6727864d
Opcode Fuzzy Hash: 1df44e24ca74dc5cdc0ba8af19786b534fa89807ea7c9f7c11fbc3fa013c4581
Instruction Fuzzy Hash: AF318B72200210BFEF618F50DD8AFEA3FADEF09761F040066FE08DA295C6759851CB60

Function 0026C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0026C087
_memcmp.LIBCMT ref: 0026C0A9
_memcmp.LIBCMT ref: 0026C0C1
_memcmp.LIBCMT ref: 0026C0D4
_memcmp.LIBCMT ref: 0026C0EE
_memcmp.LIBCMT ref: 0026C101
_memcmp.LIBCMT ref: 0026C119
_memcmp.LIBCMT ref: 0026C134

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9ef87d0406cd7f6f1a7f55982dd53d05e680a09b8cebe39c771012ca24024aad
Instruction ID: 75e97f85f51b238b292ab7f717169d2bd20052ce9d52e2d7f35668eaae5e22bd
Opcode Fuzzy Hash: 9ef87d0406cd7f6f1a7f55982dd53d05e680a09b8cebe39c771012ca24024aad
Instruction Fuzzy Hash: 6921D7B1630206F7D214B9258C43FBB335DAF233A4F240021FD4A96283EB51DD7589E5

Function 0027ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

Part of subcall function 0022FEC6: _wcscpy.LIBCMT ref: 0022FEE9

_wcstok.LIBCMT ref: 0027EEFF
_wcscpy.LIBCMT ref: 0027EF8E
_memset.LIBCMT ref: 0027EFC1

Strings

X, xrefs: 0027EFFE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8b0f91b340af002d6488df687fb09d34f00ac66e4d638a916b7dfdf2ec7e35a8
Instruction ID: 34e57b45044441a840cad7413465aa1638c73306c50d57a67123fad2ecb64aa7
Opcode Fuzzy Hash: 8b0f91b340af002d6488df687fb09d34f00ac66e4d638a916b7dfdf2ec7e35a8
Instruction Fuzzy Hash: 79C17F715283019FC754EF24C985A9AB7E4BF94310F00896DF899972A2DB30EDA5CF92

Function 00286E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00286F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00286F35
WSAGetLastError.WSOCK32(00000000), ref: 00286F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00286FFE
inet_ntoa.WSOCK32(?), ref: 00286FBB

Part of subcall function 0026AE14: _strlen.LIBCMT ref: 0026AE1E
Part of subcall function 0026AE14: _memmove.LIBCMT ref: 0026AE40

_strlen.LIBCMT ref: 00287058
_memmove.LIBCMT ref: 002870C1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 902cb0723ab21caabf48a350c6cd718ff08c8b520a4692db8fe352df1f5a1e93
Instruction ID: 66003aeb1308a5c478903d980eddfbd261186f06d23438582d532c89adcdc007
Opcode Fuzzy Hash: 902cb0723ab21caabf48a350c6cd718ff08c8b520a4692db8fe352df1f5a1e93
Instruction Fuzzy Hash: 43811F75528300AFC710EF24CC86FABB7E9AF94714F104919F5559B2E2DA70EDA0CB92

Function 00211424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebd0abc5300d74f09aa727a50a28b5d89899d371f5d38737a7081757dcf6f7e
Instruction ID: d976d76aaa416523383cea0be9ff7cf27a08a50d72f270f6339152fd0b2651cb
Opcode Fuzzy Hash: aebd0abc5300d74f09aa727a50a28b5d89899d371f5d38737a7081757dcf6f7e
Instruction Fuzzy Hash: 15717F3091010AEFCB15DF58CC49AFEBBB9FF95310F148159FA15AA251C730AAA1DFA4

Function 0029B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01585DE8), ref: 0029B6A5
IsWindowEnabled.USER32(01585DE8), ref: 0029B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0029B795
SendMessageW.USER32(01585DE8,000000B0,?,?), ref: 0029B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0029B809
GetWindowLongW.USER32(01585DE8,000000EC), ref: 0029B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0029B843

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 240993743d1e8a35b1302a2753edab34282b30d0fc2b0f5345dadfd7b340b843
Instruction ID: a4a3e29776354c041125b875b014f754bf1c31a3200bc5bc28df141a8e076c67
Opcode Fuzzy Hash: 240993743d1e8a35b1302a2753edab34282b30d0fc2b0f5345dadfd7b340b843
Instruction Fuzzy Hash: 5E71B135620205AFDF229FA4EAD8FEABBB9FF49300F04415AE95597261C731AD60CF10

Function 0028F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028F75C
_memset.LIBCMT ref: 0028F825
ShellExecuteExW.SHELL32(?), ref: 0028F86A

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

Part of subcall function 0022FEC6: _wcscpy.LIBCMT ref: 0022FEE9

GetProcessId.KERNEL32(00000000), ref: 0028F8E1
CloseHandle.KERNEL32(00000000), ref: 0028F910

Strings

@, xrefs: 0028F839

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 1e615289791acfa0d887395bf3ea214efc13deab793b96e7fedebace65d035b7
Instruction ID: 65f576f2d558c0a001f54fab17b93455d830471e31540f86fcc0d164c5e8924f
Opcode Fuzzy Hash: 1e615289791acfa0d887395bf3ea214efc13deab793b96e7fedebace65d035b7
Instruction Fuzzy Hash: 7A619F75A20619DFCB15EF54C5949AEBBF5FF48310F148469E846AB391CB30ADA0CF90

Function 0027145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0027149C
GetKeyboardState.USER32(?), ref: 002714B1
SetKeyboardState.USER32(?), ref: 00271512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00271540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0027155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 002715A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002715C8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6f9f8e9334fe07f01586c9c45445d6967b72710a22da224a8281ce4400158da5
Instruction ID: 602220c5c3cae2371cd7b9521e4c6a0c94e4e694ba7bc4dc8c0ebeee131a0fab
Opcode Fuzzy Hash: 6f9f8e9334fe07f01586c9c45445d6967b72710a22da224a8281ce4400158da5
Instruction Fuzzy Hash: 3751D5A06247D63DFB3A4A388C56BB6BEA95F46304F08C489E5D9558C2C3F8DCB4D750

Function 00271276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002712B5
GetKeyboardState.USER32(?), ref: 002712CA
SetKeyboardState.USER32(?), ref: 0027132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00271357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00271374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002713B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002713D9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 315f3beccb90bf45e4177a8ef82dd02c17acace0efb06ce6c7b39db58d809610
Instruction ID: d59fbb847f2a900ad3dee9b0c9d96fefc68cc4f16b333c5193f402ec93f2358f
Opcode Fuzzy Hash: 315f3beccb90bf45e4177a8ef82dd02c17acace0efb06ce6c7b39db58d809610
Instruction Fuzzy Hash: 5351E4A05247D63DFB368A298C55B7ABFA95F06300F08C5C9E5DC9A8C2D3A4ECB4D750

Function 0027589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002758AC
_wcsncpy.LIBCMT ref: 002758E1
_wcsncpy.LIBCMT ref: 00275913
_wcsncpy.LIBCMT ref: 00275946
_wcsncpy.LIBCMT ref: 00275988
_wcsncpy.LIBCMT ref: 002759C2
_wcsncpy.LIBCMT ref: 002759F1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e108c7d6588e2346335a6db5907682c821251ebb5aa357cbfc9d13fc8d33bbde
Instruction ID: f7aefc3251676be421a7fb2432f6928f74b40568a6a92bbbd1938546f7ce8974
Opcode Fuzzy Hash: e108c7d6588e2346335a6db5907682c821251ebb5aa357cbfc9d13fc8d33bbde
Instruction Fuzzy Hash: 184186A5C30524B6CB10FBB488869CFB3BC9F04710F508966FA18E3111E634E765CBE5

Function 0026DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0026DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0026DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0026DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0026DB8E

Strings

,,*, xrefs: 0026DA69
DllGetClassObject, xrefs: 0026DB01

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,*$DllGetClassObject
API String ID: 753597075-2894438887
Opcode ID: 1eb18d260b047351337bfe386bd285ca024b7a2cb9a997a24a7841f60e3b25b6
Instruction ID: 1775500e2d21ad7443bb1961d388272d293df2a890bdbdfea6e940c7a9e124c1
Opcode Fuzzy Hash: 1eb18d260b047351337bfe386bd285ca024b7a2cb9a997a24a7841f60e3b25b6
Instruction Fuzzy Hash: 0741A171A1020CDFDB14CF54D884A9A7BA9EF85314F1180AAAD09DF209D7B1DD90CBA0

Function 002738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002738D3,?), ref: 002748C7

Part of subcall function 002748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002738D3,?), ref: 002748E0

lstrcmpiW.KERNEL32(?,?), ref: 002738F3
_wcscmp.LIBCMT ref: 0027390F
MoveFileW.KERNEL32(?,?), ref: 00273927
_wcscat.LIBCMT ref: 0027396F
SHFileOperationW.SHELL32(?), ref: 002739DB

Strings

\*.*, xrefs: 00273969

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 25ed81543774ec2d26929f298ae8119cdf90b49dcbe7fb4ecdd71349e879dda8
Instruction ID: d56f3bc0ba347ac1842b1a125160bcf53af658c2f2f1710d81d2947cada1558c
Opcode Fuzzy Hash: 25ed81543774ec2d26929f298ae8119cdf90b49dcbe7fb4ecdd71349e879dda8
Instruction Fuzzy Hash: 1B4193B25183859EC751EF64C845ADFB7E8AF88340F00492EB58DC3151EB74D6A8CB52

Function 00297500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00297519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002975C0
IsMenu.USER32(?), ref: 002975D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00297620
DrawMenuBar.USER32 ref: 00297633

Strings

0, xrefs: 0029750D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b21ebb176e7a085750b8849e396d87523038f8d2f0feaf6574da17344c018a59
Instruction ID: adf3f019ef31d49dca71b1fb1ca3514f3c3005809299b11dc591294548e780d0
Opcode Fuzzy Hash: b21ebb176e7a085750b8849e396d87523038f8d2f0feaf6574da17344c018a59
Instruction Fuzzy Hash: 0E412975A25609EFDF10DF54E988E9ABBF8FF08310F44812AE92597250D730AD64CF90

Function 0029122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0029125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00291286
FreeLibrary.KERNEL32(00000000), ref: 0029133D

Part of subcall function 0029122D: RegCloseKey.ADVAPI32(?), ref: 002912A3
Part of subcall function 0029122D: FreeLibrary.KERNEL32(?), ref: 002912F5
Part of subcall function 0029122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00291318

RegDeleteKeyW.ADVAPI32(?,?), ref: 002912E0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: bacc7a9610db180525e64db2fb3f4bbdff95b8d410f1c51fbd246cbc18d79c20
Instruction ID: a63a3f6e8aff6443ab1f96f297accd964f5543fdc15537b5eda10c2cb07666a4
Opcode Fuzzy Hash: bacc7a9610db180525e64db2fb3f4bbdff95b8d410f1c51fbd246cbc18d79c20
Instruction Fuzzy Hash: 37314D71A1111ABFDF549F91ED89AFEB7BCEF08300F0001AAE905E2141DB749E659AA4

Function 0029653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0029655B
GetWindowLongW.USER32(01585DE8,000000F0), ref: 0029658E
GetWindowLongW.USER32(01585DE8,000000F0), ref: 002965C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002965F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0029661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00296630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0029664A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cb82b43a45f6136068e325687aa8f684ca012143d3eb38f444432d83110694c9
Instruction ID: 4985e760fde3ac3460eab44cb0f82d9b8dbda4eef1c272011a37f89e8d638922
Opcode Fuzzy Hash: cb82b43a45f6136068e325687aa8f684ca012143d3eb38f444432d83110694c9
Instruction Fuzzy Hash: 46310230A14211AFDF208F18EC8CF553BE5FB4A350F5A41A9F611CB2B5CB62AC64DB41

Function 00286486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002880CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002864D9
WSAGetLastError.WSOCK32(00000000), ref: 002864E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00286521
connect.WSOCK32(00000000,?,00000010), ref: 0028652A
WSAGetLastError.WSOCK32 ref: 00286534
closesocket.WSOCK32(00000000), ref: 0028655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00286576

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: dc9da34e8bbb717a10e60ae9af4be0a96e6da34fa3044b9de2f832ac554eade3
Instruction ID: cb79cfe3837a84621b54e451b879a430edeed52f6b8c6e2ccad95f407413f3c5
Opcode Fuzzy Hash: dc9da34e8bbb717a10e60ae9af4be0a96e6da34fa3044b9de2f832ac554eade3
Instruction Fuzzy Hash: 1A31B335620118AFDB50AF64DC89BBE7BA9EF44710F044029F905D72D1DB74AD54CBA1

Function 0026E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0026E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0026E120
SysAllocString.OLEAUT32(00000000), ref: 0026E123
SysAllocString.OLEAUT32 ref: 0026E144
SysFreeString.OLEAUT32 ref: 0026E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0026E167
SysAllocString.OLEAUT32(?), ref: 0026E175

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7dadde20a785789896a475a65fcc92b86bb29594c901d2505e2ae1859a654f56
Instruction ID: daf35772a108fdaae6fea878fe557b6f5e39c2224bc7a21c22be42a61345e580
Opcode Fuzzy Hash: 7dadde20a785789896a475a65fcc92b86bb29594c901d2505e2ae1859a654f56
Instruction Fuzzy Hash: 3421C875210109AFDF509FA8DC89CAB77ECEB09760B118176FA18CB2A0DA70DC91DB64

Function 0029783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002978A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002978AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002978B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002978C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002978D4

Strings

Msctls_Progress32, xrefs: 00297872

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7ef13f7992e258c324021c6ea06564bad1accf9e1af8dc098a593ff29f96ef74
Instruction ID: 82b2dd152ee900fdf3451e48075db338ecb52d9cb4ab9cd6345043dcf9986cac
Opcode Fuzzy Hash: 7ef13f7992e258c324021c6ea06564bad1accf9e1af8dc098a593ff29f96ef74
Instruction Fuzzy Hash: 6B118EB252021ABFEF159E60CC89EEB7F6DEF08758F014115BA04A2090C7729C21DBA0

Function 002341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00234292,?), ref: 002341E3
GetProcAddress.KERNEL32(00000000), ref: 002341EA
EncodePointer.KERNEL32(00000000), ref: 002341F6
DecodePointer.KERNEL32(00000001,00234292,?), ref: 00234213

Strings

RoInitialize, xrefs: 002341D2
combase.dll, xrefs: 002341DE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: d36eab0e2cd3c933b4d5620ef29223bee43dd5cf353514cf979d4e742b30ec21
Instruction ID: c52ec4c6152ebee1d0218d83905b589204fe0c29d0884a54aa1662c03fc56cb8
Opcode Fuzzy Hash: d36eab0e2cd3c933b4d5620ef29223bee43dd5cf353514cf979d4e742b30ec21
Instruction Fuzzy Hash: 28E01AB0AA1741AFEBA07FB4FD0DB043BA4B762706F504466B859E50A0DBB598A58F04

Function 0023429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002341B8), ref: 002342B8
GetProcAddress.KERNEL32(00000000), ref: 002342BF
EncodePointer.KERNEL32(00000000), ref: 002342CA
DecodePointer.KERNEL32(002341B8), ref: 002342E5

Strings

combase.dll, xrefs: 002342B3
RoUninitialize, xrefs: 002342A7

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 794571f979dd3e52b09a239d628387e8c9334fc9c4c6a442f1645521e5f20b39
Instruction ID: a879a995f87ecaa1bcc8e2d4aff40189274978dda8e7bb4116d7a04f18d219fa
Opcode Fuzzy Hash: 794571f979dd3e52b09a239d628387e8c9334fc9c4c6a442f1645521e5f20b39
Instruction Fuzzy Hash: 59E0BF78952311DBDB90AF64FD0DB053BA4B715742F104077F415F10A0CBF49954CA14

Function 0027675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002768AD
_memmove.LIBCMT ref: 002767E8

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

_memmove.LIBCMT ref: 0027685B
_memmove.LIBCMT ref: 00276942
_memmove.LIBCMT ref: 0027695B
_memmove.LIBCMT ref: 00276977

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
Instruction ID: 7358cc40b6c8e545a69ba0bbbc888dd000c79acad55a054c9477dd9834b5e110
Opcode Fuzzy Hash: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
Instruction Fuzzy Hash: BB61ED3052065A9FCF15EF20CC96EFE77A4AF44308F048519F95A5B292DB30ADA5CF91

Function 0029046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 002910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00290038,?,?), ref: 002910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00290548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00290588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002905AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002905D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00290617
RegCloseKey.ADVAPI32(00000000), ref: 00290624

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b82ab9fa342c5767232be471ef9d2ef14006185750e3ce7dc18f5a695219387e
Instruction ID: f7f67842b6bf8c6253b05c72e32597d18cf049718784412d6ff05784d52197d6
Opcode Fuzzy Hash: b82ab9fa342c5767232be471ef9d2ef14006185750e3ce7dc18f5a695219387e
Instruction Fuzzy Hash: DB515A31228205AFCB14EF54C885EAEBBE9FF88714F04492DF585872A1DB31E965CF52

Function 00295A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00295A82
GetMenuItemCount.USER32(00000000), ref: 00295AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00295AE1
GetMenuItemID.USER32(?,?), ref: 00295B50
GetSubMenu.USER32(?,?), ref: 00295B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00295BAF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 08519243993035a8bdd67eb863e5d95549158ead18a4b2df626e578bfcd37269
Instruction ID: 67d9d4722b40d6e282c0cc3a20d4d3685c1cd01bca3b2589cccabc3555c4748c
Opcode Fuzzy Hash: 08519243993035a8bdd67eb863e5d95549158ead18a4b2df626e578bfcd37269
Instruction Fuzzy Hash: 25519F31A10626EFCF12EFA4C955AAEB7B4EF48310F104469F915B7351CB70AEA18F90

Function 0026F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0026F3F7
VariantClear.OLEAUT32(00000013), ref: 0026F469
VariantClear.OLEAUT32(00000000), ref: 0026F4C4
_memmove.LIBCMT ref: 0026F4EE
VariantClear.OLEAUT32(?), ref: 0026F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0026F569

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 2bead73f0e736252b5d11e7e0f195cb42e5ae7efd9da6e5ef57dd2c302a4a27d
Instruction ID: 5465aee51d469cbee01ebdc400cf84b0a62aaf3a7cca384a92edf0c6b07109de
Opcode Fuzzy Hash: 2bead73f0e736252b5d11e7e0f195cb42e5ae7efd9da6e5ef57dd2c302a4a27d
Instruction Fuzzy Hash: 2F516CB5A10209DFCB14CF58D884AAAB7B8FF4C314B15816AEE59DB300D730E951CFA0

Function 002726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00272792
IsMenu.USER32(00000000), ref: 002727B2
CreatePopupMenu.USER32 ref: 002727E6
GetMenuItemCount.USER32(000000FF), ref: 00272844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00272875

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b6ab543382a7c17ae835d79445eb64a4382f81d941b6163a624c317ba0f95671
Instruction ID: b41b00014000209476bba9ce6a04cd5f5998404e30ef9e36efdd1284659c8c88
Opcode Fuzzy Hash: b6ab543382a7c17ae835d79445eb64a4382f81d941b6163a624c317ba0f95671
Instruction Fuzzy Hash: D851C570920306DFDF24CF64D988BAEBBF4EF44314F108159E4199B291D7718968CB62

Function 00211765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0021179A
GetWindowRect.USER32(?,?), ref: 002117FE
ScreenToClient.USER32(?,?), ref: 0021181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0021182C
EndPaint.USER32(?,?), ref: 00211876

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d98759c674d2c3724a8465df3059e5fb38b2c129b02474797aba9fc0ec8da30b
Instruction ID: 8b3e7c85030019cc92f4884e12f1993b85877c16d2b0cdf0ec39a0a535eaf738
Opcode Fuzzy Hash: d98759c674d2c3724a8465df3059e5fb38b2c129b02474797aba9fc0ec8da30b
Instruction Fuzzy Hash: 6D41DE70510311AFD711DF24DC88BBA7BE8EB59720F04462AFAA4C62A1C7709CA9DB61

Function 0029B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002D67B0,00000000,01585DE8,?,?,002D67B0,?,0029B862,?,?), ref: 0029B9CC
EnableWindow.USER32(00000000,00000000), ref: 0029B9F0
ShowWindow.USER32(002D67B0,00000000,01585DE8,?,?,002D67B0,?,0029B862,?,?), ref: 0029BA50
ShowWindow.USER32(00000000,00000004,?,0029B862,?,?), ref: 0029BA62
EnableWindow.USER32(00000000,00000001), ref: 0029BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0029BAA9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 49ff899d3c61dd19d8f4537c05b07e35f086283e874dc583708eb67f424f4e30
Instruction ID: 82f2c60fc7532899f4a9482212402c308c5ee8f5d7b28722a182b81e60f6e9e1
Opcode Fuzzy Hash: 49ff899d3c61dd19d8f4537c05b07e35f086283e874dc583708eb67f424f4e30
Instruction Fuzzy Hash: 1C416230610242AFDF22CF54E689B957BE0FF05310F1841B9EA588F2A2C731AC55CF91

Function 002873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00285134,?,?,00000000,00000001), ref: 002873BF

Part of subcall function 00283C94: GetWindowRect.USER32(?,?), ref: 00283CA7

GetDesktopWindow.USER32 ref: 002873E9
GetWindowRect.USER32(00000000), ref: 002873F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00287422

Part of subcall function 002754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0027555E

GetCursorPos.USER32(?), ref: 0028744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002874AC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: a02fac89392dd9372fd2960ea4e88501bafeb2c480ddab125eb22b73d74e4f6c
Instruction ID: fe8811da183d8d61c0fccdb16a5a8abb018d59dcc4c61f13e695eda58590702e
Opcode Fuzzy Hash: a02fac89392dd9372fd2960ea4e88501bafeb2c480ddab125eb22b73d74e4f6c
Instruction Fuzzy Hash: 28310672509306ABC760EF14D849F9BBBE9FF88304F10492AF488D7191C770E918CB92

Function 00268D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00268608
Part of subcall function 002685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00268612
Part of subcall function 002685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00268621
Part of subcall function 002685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00268628
Part of subcall function 002685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0026863E

GetLengthSid.ADVAPI32(?,00000000,00268977), ref: 00268DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00268DB8
HeapAlloc.KERNEL32(00000000), ref: 00268DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00268DD8
GetProcessHeap.KERNEL32(00000000,00000000,00268977), ref: 00268DEC
HeapFree.KERNEL32(00000000), ref: 00268DF3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e02a3ec70d44d408a42a443fb0bf42dd6f9407a63625575a720ea4698bf834aa
Instruction ID: 9d6ff34d9bd3597db2501c91c4673057770ebec493aee21ae2edee60ed95e5d2
Opcode Fuzzy Hash: e02a3ec70d44d408a42a443fb0bf42dd6f9407a63625575a720ea4698bf834aa
Instruction Fuzzy Hash: E811E132520605FFDB908F64DD0CBAE7769EF41315F10426AE849D3250CB319990CBA0

Function 00268AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00268B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00268B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00268B40
CloseHandle.KERNEL32(00000004), ref: 00268B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00268B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00268B8E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6b2fad27cb6a5439a5db746d8ff68ca6b2d17399995b18bae883952ced977754
Instruction ID: 3d50fa26f97f612d8f03cb0be53967e0f03c591ee8c543684965d9783897d1d2
Opcode Fuzzy Hash: 6b2fad27cb6a5439a5db746d8ff68ca6b2d17399995b18bae883952ced977754
Instruction Fuzzy Hash: 7A116DB250020EABDF418FA4ED49FEE7BA9EF08308F044165FE04E2160C7758D64DB60

Function 0029C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0021134D
Part of subcall function 002112F3: SelectObject.GDI32(?,00000000), ref: 0021135C
Part of subcall function 002112F3: BeginPath.GDI32(?), ref: 00211373
Part of subcall function 002112F3: SelectObject.GDI32(?,00000000), ref: 0021139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0029C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0029C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0029C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0029C1F6
EndPath.GDI32(00000000), ref: 0029C206
StrokePath.GDI32(00000000), ref: 0029C216

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 15833bed058c58fb770deb2800a62b28f7cc0a05bff9f504b47cd33eaa4ec192
Instruction ID: 9fbbf877ca81ec5ca73b4ed908defe77e47c9f19929e722bdeaee95069ba9b04
Opcode Fuzzy Hash: 15833bed058c58fb770deb2800a62b28f7cc0a05bff9f504b47cd33eaa4ec192
Instruction Fuzzy Hash: DC111B7640014DBFDF519F90EC88EEA7FADEF08354F148022BE189A161C7719D65DBA0

Function 002303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002303D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 002303DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002303E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002303F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002303F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00230401

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2c3300b2bd3af79f6df75caba4f8eb84766b3463cde1ee846afb7bbeb4ccbf5a
Instruction ID: 4e5677484d888f09712b002afdd6edd83013271a8cd314beeea1f5a2d4274905
Opcode Fuzzy Hash: 2c3300b2bd3af79f6df75caba4f8eb84766b3463cde1ee846afb7bbeb4ccbf5a
Instruction Fuzzy Hash: 480148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887941C7B5A864CBE5

Function 0027568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0027569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002756B1
GetWindowThreadProcessId.USER32(?,?), ref: 002756C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002756CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002756D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002756E0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f7cb0c086f84add2043bebb2af07019b98a96a6ebca2c60d9fa7a76aa11ec8d6
Instruction ID: e33536b9ad2f1e131f58f19db393b2cc2ef5670ba20191dcd9b5c077e7e30262
Opcode Fuzzy Hash: f7cb0c086f84add2043bebb2af07019b98a96a6ebca2c60d9fa7a76aa11ec8d6
Instruction Fuzzy Hash: 30F03032241259BBE7A15BA2ED0DEEF7B7CEFC6B11F00016AFA14D1050D7A15A0186B5

Function 002774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002774E5
EnterCriticalSection.KERNEL32(?,?,00221044,?,?), ref: 002774F6
TerminateThread.KERNEL32(00000000,000001F6,?,00221044,?,?), ref: 00277503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00221044,?,?), ref: 00277510

Part of subcall function 00276ED7: CloseHandle.KERNEL32(00000000,?,0027751D,?,00221044,?,?), ref: 00276EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00277523
LeaveCriticalSection.KERNEL32(?,?,00221044,?,?), ref: 0027752A

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: dd18d6942db65eac42af3a734baeb46c9b5276324a742401d43563630a331f0a
Instruction ID: 47119712672554bb5f01cc86b0a46495ba4cafed4e837052b841c3509f849468
Opcode Fuzzy Hash: dd18d6942db65eac42af3a734baeb46c9b5276324a742401d43563630a331f0a
Instruction Fuzzy Hash: CEF05E3A940612EBDB911B64FE8CAEF772AEF45302B500533FA06D10B0CB756821CBA0

Function 00268E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00268E7F
UnloadUserProfile.USERENV(?,?), ref: 00268E8B
CloseHandle.KERNEL32(?), ref: 00268E94
CloseHandle.KERNEL32(?), ref: 00268E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00268EA5
HeapFree.KERNEL32(00000000), ref: 00268EAC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9374d7a62b45fc63e4628dcc502d8a4e495b00ec8bbb38deca42f4755006447f
Instruction ID: 76fcdc65dbcc7d4f11bea86047e0291fe56b436afb6770c660b6922d6bf61d6c
Opcode Fuzzy Hash: 9374d7a62b45fc63e4628dcc502d8a4e495b00ec8bbb38deca42f4755006447f
Instruction Fuzzy Hash: 47E0C236004001FBDA811FF1FE0C94ABB69FB89322B208232F219C1070CB329420DB94

Function 00267A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002A2C7C,?), ref: 00267C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002A2C7C,?), ref: 00267C4A
CLSIDFromProgID.OLE32(?,?,00000000,0029FB80,000000FF,?,00000000,00000800,00000000,?,002A2C7C,?), ref: 00267C6F
_memcmp.LIBCMT ref: 00267C90

Strings

,,*, xrefs: 00267A85

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,*
API String ID: 314563124-748471534
Opcode ID: af4310e9b39cca901a5d1314b420d0cb8dcc45e5e4c57381aff5f4c6b2a277ec
Instruction ID: 25b640840bfdea753577f820eae1d7d954c9b737cdee3192e7fd188cbb460ef2
Opcode Fuzzy Hash: af4310e9b39cca901a5d1314b420d0cb8dcc45e5e4c57381aff5f4c6b2a277ec
Instruction Fuzzy Hash: F8812D71A10109EFCB04DF94D984DEEB7B9FF89319F204199E505EB250DB71AE45CB60

Function 00288902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00288928
CharUpperBuffW.USER32(?,?), ref: 00288A37
VariantClear.OLEAUT32(?), ref: 00288BAF

Part of subcall function 00277804: VariantInit.OLEAUT32(00000000), ref: 00277844
Part of subcall function 00277804: VariantCopy.OLEAUT32(00000000,?), ref: 0027784D
Part of subcall function 00277804: VariantClear.OLEAUT32(00000000), ref: 00277859

Strings

AUTOIT.ERROR, xrefs: 00288A3D
Incorrect Parameter format, xrefs: 00288960, 00288B22

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: bc0c5045c167c183386f5d7d8ed47861269a74626cc05b180237683f78f9639b
Instruction ID: f25fa961ad70a5f8dde1fc5d500bfbdf3d6a4887d82c74663ee29032e2e00482
Opcode Fuzzy Hash: bc0c5045c167c183386f5d7d8ed47861269a74626cc05b180237683f78f9639b
Instruction Fuzzy Hash: CB918C756283019FC710EF24C48496ABBE4AFC9304F04896EF89ACB3A1DB31E955CB52

Function 00272F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0022FEC6: _wcscpy.LIBCMT ref: 0022FEE9

_memset.LIBCMT ref: 00273077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002730A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00273159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00273187

Strings

0, xrefs: 00273063

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e41ae76529631c05aa4b841e2450b9247951bd1c16c5e58cc311a965860a8d45
Instruction ID: ee95580077a83fe20c3fe938bde7e652eb9ecd6a073a12201b95cf9ee757c659
Opcode Fuzzy Hash: e41ae76529631c05aa4b841e2450b9247951bd1c16c5e58cc311a965860a8d45
Instruction Fuzzy Hash: 2551E3716383029ED715DF28D849AABB7E4EF45320F44892EF88DD3190DB70CE64AB52

Function 00272C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00272CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00272D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D6890,00000000), ref: 00272D5A

Strings

0, xrefs: 00272CA4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3a83cd5c056350a3b228aeec638fbd6b784148798b5676e746427ee58bb51ec7
Instruction ID: 56f135bff00abc0c035411d34e4a7b8ce8fe53b95cd442d58783a87a5d92f670
Opcode Fuzzy Hash: 3a83cd5c056350a3b228aeec638fbd6b784148798b5676e746427ee58bb51ec7
Instruction Fuzzy Hash: 6041A030214302DFD724DF24D845B5ABBE8FF85320F14862EF96997291D770E928CBA2

Function 0028DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0028DAD9

Part of subcall function 002179AB: _memmove.LIBCMT ref: 002179F9

Strings

winapi, xrefs: 0028DB4A
cdecl, xrefs: 0028DB30
stdcall, xrefs: 0028DB5B
none, xrefs: 0028DBB4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 227b8e3bef24d534e0cab64946b22ba5aacf9628f59f81076cee5869e8ea606d
Instruction ID: e70333020ea3889cf21c07e9931879d1a9fc9f025b2e62e3330953946a989ea3
Opcode Fuzzy Hash: 227b8e3bef24d534e0cab64946b22ba5aacf9628f59f81076cee5869e8ea606d
Instruction Fuzzy Hash: 5531B27452021A9BCF00EF54C8819EEB3F8FF55314B008A29E825976D1CB31A96ACF80

Function 00269372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002693F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00269409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00269439

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Strings

ListBox, xrefs: 002693B5
ComboBox, xrefs: 00269380

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f58fc7efb433f83cb31d8e890a9525bf5675df1a28a6a8985505fef928a843d0
Instruction ID: eb83fc526ae328a1790931f631f218aeb5d0f51e3f0a664329400efc944f4cc3
Opcode Fuzzy Hash: f58fc7efb433f83cb31d8e890a9525bf5675df1a28a6a8985505fef928a843d0
Instruction Fuzzy Hash: 8821F671920104BBDB14ABB0DC85DFFB7BCDF55350B104129F825972E0DF3509EA9A20

Function 00281B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00281B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00281B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00281B96
InternetCloseHandle.WININET(00000000), ref: 00281BDD

Part of subcall function 00282777: GetLastError.KERNEL32(?,?,00281B0B,00000000,00000000,00000001), ref: 0028278C
Part of subcall function 00282777: SetEvent.KERNEL32(?,?,00281B0B,00000000,00000000,00000001), ref: 002827A1

Strings

, xrefs: 00281B87

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f0b3800074ecec8e1e0f1c38ed611834159ec2dd8440379800bed84414285a0a
Instruction ID: 2d4aff75e5c1b19dcc30a90f92e0343668ba7cfa965620b47b4e6edd417ebd73
Opcode Fuzzy Hash: f0b3800074ecec8e1e0f1c38ed611834159ec2dd8440379800bed84414285a0a
Instruction Fuzzy Hash: 1521C5B9511208BFEB11AF51DCC5EBFB7ECEB49748F10011AF405D21C0EA609D265B61

Function 00296656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002966D0
LoadLibraryW.KERNEL32(?), ref: 002966D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002966EC
DestroyWindow.USER32(?), ref: 002966F4

Strings

SysAnimate32, xrefs: 002966AB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 1485ccced6744ed8ec73257d3db77a33817a02bd5967b92075abf7e4c58c8858
Instruction ID: 88995686903602ebb3a9076d59dbce19ebf860a04fdd68cc62d76629da9fbd3f
Opcode Fuzzy Hash: 1485ccced6744ed8ec73257d3db77a33817a02bd5967b92075abf7e4c58c8858
Instruction Fuzzy Hash: 1821AE71220206AFEF104FA4EC88EBB77EDEF59368F10462AF910D2190D7B5CC619B60

Function 0027703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0027705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00277091
GetStdHandle.KERNEL32(0000000C), ref: 002770A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002770DD

Strings

nul, xrefs: 002770D8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3232dfe0062f2333752091faad5658f337822dc50ed04c0158c32f133433752a
Instruction ID: 1e4ab07236acecdb8d040953dea5266b70feeae6151d95a76f5753bfd39817a8
Opcode Fuzzy Hash: 3232dfe0062f2333752091faad5658f337822dc50ed04c0158c32f133433752a
Instruction Fuzzy Hash: F321537552420A9BDF209F39DC09B9A77B4BF54720F20861AFCA5D72D0D7719860CB50

Function 0027710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0027712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0027715D
GetStdHandle.KERNEL32(000000F6), ref: 0027716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002771A8

Strings

nul, xrefs: 002771A3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 09b8983f0413cb53e0220626953f61513664cc3cabce96dfedac5b4c1d8b874d
Instruction ID: 6982f9ff435a2c11edd0cdc59fb71ebbd4d3ec1425c80143fcd436275a3a2bb7
Opcode Fuzzy Hash: 09b8983f0413cb53e0220626953f61513664cc3cabce96dfedac5b4c1d8b874d
Instruction Fuzzy Hash: CF21B3755243069BDF209F689C08BAAB7E8AF55730F60861AFCADD32D0D7709861CB61

Function 0027AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0027AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0027AF13
__swprintf.LIBCMT ref: 0027AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0029F910), ref: 0027AF6A

Strings

%lu, xrefs: 0027AF26

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b8e40df063d2f45d6a5a384f650ab264a7be857fd6125da9062707c92cdc7933
Instruction ID: d235bcc2858b3a2f01a9430227db6129db9cee7901ff204237620f7075794305
Opcode Fuzzy Hash: b8e40df063d2f45d6a5a384f650ab264a7be857fd6125da9062707c92cdc7933
Instruction Fuzzy Hash: B3216230A10209AFCB50EF54D985EEE77F8EF89704B104069F909DB251DB31EA51CF61

Function 0026A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

Part of subcall function 0026A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0026A399
Part of subcall function 0026A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0026A3AC
Part of subcall function 0026A37C: GetCurrentThreadId.KERNEL32 ref: 0026A3B3
Part of subcall function 0026A37C: AttachThreadInput.USER32(00000000), ref: 0026A3BA

GetFocus.USER32 ref: 0026A554

Part of subcall function 0026A3C5: GetParent.USER32(?), ref: 0026A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0026A59D
EnumChildWindows.USER32(?,0026A615), ref: 0026A5C5
__swprintf.LIBCMT ref: 0026A5DF

Strings

%s%d, xrefs: 0026A5D9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: a4a824034b95130f411b0df14b715430b8a0a89f6911d38c6769d7859b60707e
Instruction ID: 54d2b42957f5d5083f7f4db21ed071e1893b98370d25346e985bb1e1003a9956
Opcode Fuzzy Hash: a4a824034b95130f411b0df14b715430b8a0a89f6911d38c6769d7859b60707e
Instruction Fuzzy Hash: E511A271610209ABDF10BFA4ED8AFEA77BCAF49700F0440B5B908AA152CA7059A58F75

Function 00272017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00272048

Strings

KEYS, xrefs: 0027205F
EXISTS, xrefs: 00272070
REMOVE, xrefs: 0027204E
APPEND, xrefs: 00272081

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1fc9bf033aad793db07c71b938f1458cb2a949400b45425a0e55f2c045e5ed94
Instruction ID: 9af2296fb0b80c31680bc5cf27a80e8c89bc5e3230ed1487bd464d6b740da3b0
Opcode Fuzzy Hash: 1fc9bf033aad793db07c71b938f1458cb2a949400b45425a0e55f2c045e5ed94
Instruction Fuzzy Hash: D5112A7493010ECF8F00EFA4D9919EEB7B4FF25304F108569D859A7251DB72592ACB60

Function 0028EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0028F07E
CloseHandle.KERNEL32(?), ref: 0028F0FF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 567635979c69556a3de9b8b17c61b198277c4b8dcde8eef451c6b4a034b13668
Instruction ID: 69067c5c4637573d61d85d1f084825cf56a0fd97a73307d6c76c5625aa913f6e
Opcode Fuzzy Hash: 567635979c69556a3de9b8b17c61b198277c4b8dcde8eef451c6b4a034b13668
Instruction Fuzzy Hash: 9B8193756203019FD720EF28C896F6AB7E5AF58710F14881DF599DB2D2DB70AC908F91

Function 002902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 002910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00290038,?,?), ref: 002910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00290388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002903C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0029040E
RegCloseKey.ADVAPI32(?,?), ref: 0029043A
RegCloseKey.ADVAPI32(00000000), ref: 00290447

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 9f51e29243bc45ce79e456f1036d50149fe13c1cd43f8cb88f9832a71530dbae
Instruction ID: 3d76feed5f49a021917ebcc8e87efbe667c0daac2142fec406721e8508bcda99
Opcode Fuzzy Hash: 9f51e29243bc45ce79e456f1036d50149fe13c1cd43f8cb88f9832a71530dbae
Instruction Fuzzy Hash: BC515B31228205AFDB04EF54D885FAEB7E8FF84304F04896DB59587291DB31ED65CB52

Function 0027E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0027E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0027E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0027E8F2

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0027E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0027E91F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 631792869d5bb5746427513ea664a70238838f1e513c8d6bd7065f7fa14a4404
Instruction ID: c6f2ca57d9a1b3f18196ff4af810522c0b8cccd9d26ecd0d1509721e368287c7
Opcode Fuzzy Hash: 631792869d5bb5746427513ea664a70238838f1e513c8d6bd7065f7fa14a4404
Instruction Fuzzy Hash: 41513D35A10205DFCF01EF64C995AAEBBF5EF08310B148099E849AB361CB31EDA1CF60

Function 0029A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51faa813335e39e096dd2952a9edfa8617cd343378c6cf97f21fd6ba035ad9e5
Instruction ID: 0afcbff902b579682a0c4aa62daaac4bc455e479fcd593009cff2e6fffa03e39
Opcode Fuzzy Hash: 51faa813335e39e096dd2952a9edfa8617cd343378c6cf97f21fd6ba035ad9e5
Instruction Fuzzy Hash: AE411335920305AFDF20DF28DC48FA9BBA8EB09310F1541A5F816E72E0C770AD61DAD5

Function 00212344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00212357
ScreenToClient.USER32(002D67B0,?), ref: 00212374
GetAsyncKeyState.USER32(00000001), ref: 00212399
GetAsyncKeyState.USER32(00000002), ref: 002123A7

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cc6b013ef518e4deeb6772c9fdbcc4323ad638360c0cb5bee48f1e369f02dfee
Instruction ID: 8b7f0fb4d9e745a0e58e94d1b4bf39e34a01f9305e5398c987d34d12ba0731d0
Opcode Fuzzy Hash: cc6b013ef518e4deeb6772c9fdbcc4323ad638360c0cb5bee48f1e369f02dfee
Instruction Fuzzy Hash: DC41813152411AFBDF599F68C848AE9BBB4FF05360F20435AF83892290C7B459B4DFA1

Function 00266920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026695D
TranslateAcceleratorW.USER32(?,?,?), ref: 002669A9
TranslateMessage.USER32(?), ref: 002669D2
DispatchMessageW.USER32(?), ref: 002669DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002669EB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 78103db15d4f1028a074004a1e67b55bebb842780fdc29bbdbcff8c3b1fdc041
Instruction ID: f2e947e80af354d509bce3d032279a37683db87b02a2c049d9cc097cf5ebdfb2
Opcode Fuzzy Hash: 78103db15d4f1028a074004a1e67b55bebb842780fdc29bbdbcff8c3b1fdc041
Instruction Fuzzy Hash: 0D31A571922247AADB60CFB4EC4CBB6BBBCAB05304F144166E821D21A1D7749CE5DB90

Function 00268F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00268F12
PostMessageW.USER32(?,00000201,00000001), ref: 00268FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00268FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00268FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00268FDA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e7ca852e270122259cf6f9b6cfc15ca0c1143a9afff64ec94487082c1786f980
Instruction ID: 6d812b5c52eb3b449018c88342e5af127bef324b99b28f4b45a4d4b9fd1adcc2
Opcode Fuzzy Hash: e7ca852e270122259cf6f9b6cfc15ca0c1143a9afff64ec94487082c1786f980
Instruction Fuzzy Hash: 1B31C07150021AEFDF14CF68E94CA9E7BB6FB04315F104229F925E61D0C7B099A4DB91

Function 0026B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0026B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0026B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0026B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0026B742
_wcsstr.LIBCMT ref: 0026B74C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: fee602a93b7279e8cd299c22a1691d08eff22bcc8709b9f33f240a42b538bd76
Instruction ID: d08812389fa21573bdd8275d17edbea726297acfb70177ddf85f27db38457884
Opcode Fuzzy Hash: fee602a93b7279e8cd299c22a1691d08eff22bcc8709b9f33f240a42b538bd76
Instruction Fuzzy Hash: B121D772614205BAEB265F39ED49E7BBBACDF45710F10403AFD05CA1A1EF61DCE096A0

Function 0029B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

GetWindowLongW.USER32(?,000000F0), ref: 0029B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0029B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0029B489
GetSystemMetrics.USER32(00000004), ref: 0029B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00281184,00000000), ref: 0029B4D0

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b18601720345a00b86c99edf52ce4cf4c254f25780a2fab83baef7e9f6c7fdba
Instruction ID: 4db54aa939a25f542575656ffb9349da661aeb256ff75fc7df793c4ebfff10c4
Opcode Fuzzy Hash: b18601720345a00b86c99edf52ce4cf4c254f25780a2fab83baef7e9f6c7fdba
Instruction Fuzzy Hash: 84219171A20256AFCF518F38EE18A6A37A4FB05721F115739F926C61E1E7309830EB90

Function 002697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00269802

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00269834
__itow.LIBCMT ref: 0026984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00269874
__itow.LIBCMT ref: 00269885

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 445f758a3621f6152258eaed5782f71415031cf5f652c610cfc526ab2c336bb2
Instruction ID: f0fc6cb339e2420dc076e7806c6fc8745ba135747d6f1a3be4a80fc707570a26
Opcode Fuzzy Hash: 445f758a3621f6152258eaed5782f71415031cf5f652c610cfc526ab2c336bb2
Instruction Fuzzy Hash: 2721C571B10208ABDB109F659C8AEEE7BBCEF9A710F040029FD04DB251DA708DE19B91

Function 002112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0021134D
SelectObject.GDI32(?,00000000), ref: 0021135C
BeginPath.GDI32(?), ref: 00211373
SelectObject.GDI32(?,00000000), ref: 0021139C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1cab15f553780a4c96d27ba4a30d87ee9c5ddeea4609bff61991db3ab927740b
Instruction ID: cccf11f88845c45643b8bd4aed4ef10cfb7241172e0f9bacfe2d970d558647c7
Opcode Fuzzy Hash: 1cab15f553780a4c96d27ba4a30d87ee9c5ddeea4609bff61991db3ab927740b
Instruction Fuzzy Hash: 48214A70C21209EBDB119F65FD0C7A97BE8EB20321F148267F920D61A4D3719CB9EB90

Function 0026C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0026C176
_memcmp.LIBCMT ref: 0026C194
_memcmp.LIBCMT ref: 0026C1A7
_memcmp.LIBCMT ref: 0026C1BF
_memcmp.LIBCMT ref: 0026C1D7

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 97dc0d3b769c5925a473fcbf59d59105785800a756aaab2098037dce3cb26557
Instruction ID: 3bc766ff09661e3bb15fb526f1a22d30dbe9eb6420b3ce271ec9df8dda2aaf7c
Opcode Fuzzy Hash: 97dc0d3b769c5925a473fcbf59d59105785800a756aaab2098037dce3cb26557
Instruction Fuzzy Hash: A401B9F16391067BD204BA245C42F7B735C9B533A4F144051FD4996283EA90DE758AE0

Function 00274D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00274D5C
__beginthreadex.LIBCMT ref: 00274D7A
MessageBoxW.USER32(?,?,?,?), ref: 00274D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00274DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00274DAC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 32708e613d232acf7578410d2ccbfb307eebfbb12dd23ffab57b711279ae2815
Instruction ID: b5d641b63ccb6ee71acf647afc24800da9190ce4bdf248c25ebc08da0c68ae2f
Opcode Fuzzy Hash: 32708e613d232acf7578410d2ccbfb307eebfbb12dd23ffab57b711279ae2815
Instruction Fuzzy Hash: 0B1121B2915249ABC710AFB8AC0CA9A7BACEB45320F14826AFC18D3250D6718D108BA0

Function 0026874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00268766
GetLastError.KERNEL32(?,0026822A,?,?,?), ref: 00268770
GetProcessHeap.KERNEL32(00000008,?,?,0026822A,?,?,?), ref: 0026877F
HeapAlloc.KERNEL32(00000000,?,0026822A,?,?,?), ref: 00268786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026879D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 00888078dde38cc9cdf715f4a87b53f2a7bb868eda09c5e677d5af631729c1cf
Instruction ID: c490343c776785f97bf947187d9725fb156c137d70d09dd4cb7b7a810e04f978
Opcode Fuzzy Hash: 00888078dde38cc9cdf715f4a87b53f2a7bb868eda09c5e677d5af631729c1cf
Instruction Fuzzy Hash: D1016D75210205FFDB614FA6ED8CD6BBBACFF89355720057AF849D2260DA318C50CA60

Function 002754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00275502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00275510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00275518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00275522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0027555E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d6ad06ab8b17654ceeac1e1c697ce4697e1611735e1645b7f4a789812b80e0ed
Instruction ID: c5f9b86f1176a1b02075a314752b2017e495875a295a9a95d4dcdab1863e5669
Opcode Fuzzy Hash: d6ad06ab8b17654ceeac1e1c697ce4697e1611735e1645b7f4a789812b80e0ed
Instruction Fuzzy Hash: 94013931C20A29DBCF40EFE8E9886EDFB79FB09701F404156E909F2140DBB095608BA1

Function 00267652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?,?,0026799D), ref: 0026766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?), ref: 0026768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?), ref: 00267698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?), ref: 002676A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0026758C,80070057,?,?), ref: 002676B4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: bb6261a7d6716004e6744ed12344c8a68d1f0079ad677c5b609ef3894354c5aa
Instruction ID: f8ccf5235cc9407898c5c08f39b9b054c610367681592235d7fb4a5160b01bbb
Opcode Fuzzy Hash: bb6261a7d6716004e6744ed12344c8a68d1f0079ad677c5b609ef3894354c5aa
Instruction Fuzzy Hash: 4E01D472620604BBDB904F18ED08BAA7BACEB44B55F200129FD05D2211E771DDA087A0

Function 002685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00268608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00268612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00268621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00268628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0026863E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4476195efece6c6dcd59d13570a90737397fd044e1865c610da20588103d896f
Instruction ID: c3610da7c79c25eb6c02bd9b2a760ce3129b62b023aa33b7b273a3e009695cb4
Opcode Fuzzy Hash: 4476195efece6c6dcd59d13570a90737397fd044e1865c610da20588103d896f
Instruction Fuzzy Hash: 86F0C230210205BFEB500FA4ED8DE6F3BACEF89754B004226F909C2160CB709C91DA60

Function 00268652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00268669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00268673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00268682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00268689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0026869F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5499208740c135cb961a6c177a5c687d361afc6daaa64ae973c09ec271047a0f
Instruction ID: a16d3d854f43e60a5820d0a7995d2565a6b1e22c643827546e0dd48ee47967ac
Opcode Fuzzy Hash: 5499208740c135cb961a6c177a5c687d361afc6daaa64ae973c09ec271047a0f
Instruction Fuzzy Hash: D8F06271210315BFEB511FA5EC8DE6B3BACEF89758B100126F949C6150CB71DD91DA60

Function 0026C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0026C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0026C6D1
MessageBeep.USER32(00000000), ref: 0026C6E9
KillTimer.USER32(?,0000040A), ref: 0026C705
EndDialog.USER32(?,00000001), ref: 0026C71F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 872265b4e1b2439072dcbb97270a3ed557cced90c9189d3ac94d2263d3cce52c
Instruction ID: d478bfd4f6b0b5ae31b706d5701441a1f8714be9dd0c345d4825c95ab5c54e84
Opcode Fuzzy Hash: 872265b4e1b2439072dcbb97270a3ed557cced90c9189d3ac94d2263d3cce52c
Instruction Fuzzy Hash: A701677051070497EB616F60ED8EFA6B7BCFF00705F14056AF592E14E1DBE4A9A48F40

Function 002113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002113BF
StrokeAndFillPath.GDI32(?,?,0024BAD8,00000000,?), ref: 002113DB
SelectObject.GDI32(?,00000000), ref: 002113EE
DeleteObject.GDI32 ref: 00211401
StrokePath.GDI32(?), ref: 0021141C

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 93d50d59f03ecf91fee7a6fd4d1ace043819c9cd1559de8f2ce6acea69c94ef7
Instruction ID: ffcb112caad8fbda9dd1a0408448b63a14f1c77a794cd8a2e06926e898e96c6f
Opcode Fuzzy Hash: 93d50d59f03ecf91fee7a6fd4d1ace043819c9cd1559de8f2ce6acea69c94ef7
Instruction Fuzzy Hash: 8FF01430412349EBDB915FA6FD0C7983BE8AB10326F148226E529C40F5C73189B9EF50

Function 00222E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00230FF6: std::exception::exception.LIBCMT ref: 0023102C
Part of subcall function 00230FF6: __CxxThrowException@8.LIBCMT ref: 00231041

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 00217BB1: _memmove.LIBCMT ref: 00217C0B

__swprintf.LIBCMT ref: 0022302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00222EC6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3e38dec4ff272a684e958ceff6a8ca6911e6d298b937474af9baf219fe793525
Instruction ID: f5fcb97853cab2ab36f393d84b62034b6bc62ee713ae9ec592b91288204068c0
Opcode Fuzzy Hash: 3e38dec4ff272a684e958ceff6a8ca6911e6d298b937474af9baf219fe793525
Instruction Fuzzy Hash: 8B917E71528311AFC714EF64D885CAEB7E4EF95710F00491DF846972A1DA70EEA8CB62

Function 0026B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0026B981

Strings

Container, xrefs: 0026B8FE
%*, xrefs: 0026BA24
AutoIt3GUI, xrefs: 0026B8F9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%*
API String ID: 3565006973-702153088
Opcode ID: 543d1f3dc02c68200715acf003ab9f334a8cd52182e1eee7bb7082c926c14e80
Instruction ID: 9bc5a412add1c0ce3bd239f47de88446ee94766fd8d1ddc6588cd9ac98725065
Opcode Fuzzy Hash: 543d1f3dc02c68200715acf003ab9f334a8cd52182e1eee7bb7082c926c14e80
Instruction Fuzzy Hash: C9915A706206019FDB65DF68C884B6AB7E8FF49710F24856EF94ACB691DB70E890CF50

Function 0023524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002352DD

Part of subcall function 00240340: __87except.LIBCMT ref: 0024037B

Strings

pow, xrefs: 002352B5, 002352D2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bc1ee7a938b8aab27cbf4edb1369b9ce80738221837d1a6f56a843afdaa39714
Instruction ID: a34067354e9e43bb4d69d2e028aa23cf4f05a719e59d5c3431e3164700a5ce67
Opcode Fuzzy Hash: bc1ee7a938b8aab27cbf4edb1369b9ce80738221837d1a6f56a843afdaa39714
Instruction Fuzzy Hash: 55516BB1E3D60387C7197F24DD8137E2B949B00750F204D99E6D9822E6EFB48DF49A46

Function 0023023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00230280
+, xrefs: 00230277

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: cc24f8142c5bf1adbfea0f419f4a93fa1b1fee9ceffd7ccbbc6d0b481837c304
Instruction ID: deca220a9a4725ad6d7bea301860b6322e499a7c15e40145c1ea3e23e8f8f3d7
Opcode Fuzzy Hash: cc24f8142c5bf1adbfea0f419f4a93fa1b1fee9ceffd7ccbbc6d0b481837c304
Instruction Fuzzy Hash: 3F5121B5124667CFCF15DF28C498AFA7BA4EF65310F184095EC919B2E0D7349DA2CB60

Function 00223297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002233D7
_memmove.LIBCMT ref: 00223470
_free.LIBCMT ref: 00223496
_memmove.LIBCMT ref: 00223549

Strings

Oa", xrefs: 00223482

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa"
API String ID: 2620147621-755042541
Opcode ID: 84b28c02a8a3fe4e7b86eca06eeea24edcb552d28bc430909a730adebe726b51
Instruction ID: 80d8f0f5efb0fa0f11b794e6e8740c31f6da4b97a29976c990768b8ae8d0b508
Opcode Fuzzy Hash: 84b28c02a8a3fe4e7b86eca06eeea24edcb552d28bc430909a730adebe726b51
Instruction Fuzzy Hash: 00518CB1A28312AFDB24CF68D44072ABBE5BF89300F44492DE889C7350DB35D961CF92

Function 002262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002263A8
_memmove.LIBCMT ref: 00226446
_memset.LIBCMT ref: 0022646A

Strings

ERCP, xrefs: 00226313

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 25ee2abe9fff8f6fc6f995e8e38068677253b6a536d351fc06d55ebdcb740a5a
Instruction ID: 54a56013c9f7f8f028d19868a83f07aee45cb2af05c8ffeb50f0e2182e0783a0
Opcode Fuzzy Hash: 25ee2abe9fff8f6fc6f995e8e38068677253b6a536d351fc06d55ebdcb740a5a
Instruction Fuzzy Hash: 3A51D87292031ADFCB24DF95D8857AABBF4FF04714F24456EE58AC7240E770A5A4CB40

Function 00297648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002976D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002976E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00297708

Strings

SysMonthCal32, xrefs: 0029769B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0fc8d6d9b13d4c375147e7e30ff86ea3926af1111ff7465709504446a7f9bbc2
Instruction ID: c6e51601cd60992d290956f4bb8cabd963bb9c9d604d69f1de57552cb45a2569
Opcode Fuzzy Hash: 0fc8d6d9b13d4c375147e7e30ff86ea3926af1111ff7465709504446a7f9bbc2
Instruction Fuzzy Hash: 2821A133524219BBDF11CFA4DC46FEA3B69EF48714F110214FE15AB1D0D6B1A8618BA0

Function 00296F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00296FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00296FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00296FDF

Strings

Listbox, xrefs: 00296F77

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a23a5275b76fc4bcfb9685432d60fbc4a89455353e5b6dac5197914a3a68f01d
Instruction ID: bcc79cdb1b67657478be353e63565b4621c8f4001fc0e59452655afeca5f6f1f
Opcode Fuzzy Hash: a23a5275b76fc4bcfb9685432d60fbc4a89455353e5b6dac5197914a3a68f01d
Instruction Fuzzy Hash: 26219232620119BFDF128F54EC89FEB37AAEF89754F018124F9159B590C671AC61CBA0

Function 0029797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002979E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002979F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00297A03

Strings

msctls_trackbar32, xrefs: 002979B8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd21866d040f34a4a1039596daee08221e562282b8ef8145f3f3df568d0e900c
Instruction ID: 89fac71df614947e7f6439aa4daadc2e0a5f00bfd37517fbe7abf1f9cb549a47
Opcode Fuzzy Hash: fd21866d040f34a4a1039596daee08221e562282b8ef8145f3f3df568d0e900c
Instruction Fuzzy Hash: 4B110672264249BFEF109F74CC05FEB77ADEF89764F010519FA41A6090D271E861CB60

Function 00214C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00214C2E), ref: 00214CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00214CB5

Strings

kernel32.dll, xrefs: 00214C9E
GetNativeSystemInfo, xrefs: 00214CAF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d2e457df7e4ec912ec9798616f066ded277a140e06ea9831e63dc75ffc8edd0c
Instruction ID: e6032575d9da3915cc1f65881624e2e01b1d7cd0505399aa9526612cf0cdaded
Opcode Fuzzy Hash: d2e457df7e4ec912ec9798616f066ded277a140e06ea9831e63dc75ffc8edd0c
Instruction Fuzzy Hash: C6D01230520723CFDBA05F31EB1864676D5AF16795B15883B9889D6550D670D4D0CA90

Function 00214D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00214D2E,?,00214F4F,?,002D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214D81

Strings

kernel32.dll, xrefs: 00214D6A
Wow64DisableWow64FsRedirection, xrefs: 00214D7B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0bbb1ccd1c0dc36c8a05f83108a8ec1b3c96113df34a1ac4b3818d07c2d75345
Instruction ID: 0a3fc73357c2c8a27fc9f7f6c6d50de4c4511f7b399cc94de69e6489b52464db
Opcode Fuzzy Hash: 0bbb1ccd1c0dc36c8a05f83108a8ec1b3c96113df34a1ac4b3818d07c2d75345
Instruction Fuzzy Hash: 59D01230520713CFDB605F31E90865676D8AF16751B11893ED48AD6250D670D4D0CB91

Function 00214D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00214CE1,?), ref: 00214DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00214DAE
kernel32.dll, xrefs: 00214D9D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: be3b69fb1b5594ad61041a947a1dc73dff988f97c640ddac3e353a58edf8ecb0
Instruction ID: 6a2ec3b75f4f4d2c6c2cacd273fa196056d581232cd62b88bf4c1e42e643f87b
Opcode Fuzzy Hash: be3b69fb1b5594ad61041a947a1dc73dff988f97c640ddac3e353a58edf8ecb0
Instruction Fuzzy Hash: 60D01731660713CFDBB0AF31E908A8676E4AF1A355B11883ED8CAD6160E770D8D0CAA1

Function 00291072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002912C1), ref: 00291080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00291092

Strings

RegDeleteKeyExW, xrefs: 0029108C
advapi32.dll, xrefs: 0029107B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 49df3b18765aa7d672bc3727ba5d46db2cb20a8f907ff403d353c50fdc91c6bb
Instruction ID: 2835ebc64795d439e111789289738b0ba8791286d6eff8dcffee042f0bce14df
Opcode Fuzzy Hash: 49df3b18765aa7d672bc3727ba5d46db2cb20a8f907ff403d353c50fdc91c6bb
Instruction Fuzzy Hash: 6FD01230520713CFD7605F35E919A1676E4EF15362F118D3EAC8DD6150D770C4E0C651

Function 002893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00289009,?,0029F910), ref: 00289403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00289415

Strings

GetModuleHandleExW, xrefs: 0028940F
kernel32.dll, xrefs: 002893FE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: a60194adf7169ba7c2275d89c70adc4569df781fb22e5e5113cd78487357778a
Instruction ID: b3756e064b8788c816d10127d99dab45a11e052bca0926fd57b4fbaf45bb7380
Opcode Fuzzy Hash: a60194adf7169ba7c2275d89c70adc4569df781fb22e5e5113cd78487357778a
Instruction Fuzzy Hash: 12D01234520717CFD7605F31EA4C61676D5AF06355B15C83F9489D6590D670C4D0CB50

Function 00251B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00251B42
__swprintf.LIBCMT ref: 00251B73

Strings

%.3d, xrefs: 00251B4D
WIN_XPe, xrefs: 00251BB2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: cd147c82e7f7d6f844eadaf014b842f657dcbd21442d659a1ac3b31e5eb49e29
Instruction ID: 00aabae0f8b02799803e01a077d69af7773516677f7016aea636da39e5ce35e3
Opcode Fuzzy Hash: cd147c82e7f7d6f844eadaf014b842f657dcbd21442d659a1ac3b31e5eb49e29
Instruction Fuzzy Hash: 61D012B5C34118EACB449B909C44EF9737CAB08317F100593BD02D1040F3B49BB9DB29

Function 002676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15583230881d079814b4ef6b8aa0debc740c01bf4c3a4c7ef9e0fad5df14d780
Instruction ID: a793aec2a5f96d3f7f6fda5301d11b60eec26d604a0dd646f9d1efd68771c7c5
Opcode Fuzzy Hash: 15583230881d079814b4ef6b8aa0debc740c01bf4c3a4c7ef9e0fad5df14d780
Instruction Fuzzy Hash: EDC18D74A24216EFDB14CFA4D884EAEB7F5FF48718B108598E805EB251D730EE91DB90

Function 0028E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0028E3D2
CharLowerBuffW.USER32(?,?), ref: 0028E415

Part of subcall function 0028DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0028DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0028E615
_memmove.LIBCMT ref: 0028E628

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: cdb0317330df671161489250f3d03c371152d69dd6649cc5018d35632aca5031
Instruction ID: b2868643db07ecc2d54ccb9e49ef0e7f10c2ff369cc0ec8a32962670a43e03ef
Opcode Fuzzy Hash: cdb0317330df671161489250f3d03c371152d69dd6649cc5018d35632aca5031
Instruction Fuzzy Hash: F7C18B756283118FCB14EF28C49096ABBE4FF88318F15896DF8999B391D730E955CF82

Function 002883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002883D8
CoUninitialize.OLE32 ref: 002883E3

Part of subcall function 0026DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0026DAC5

VariantInit.OLEAUT32(?), ref: 002883EE
VariantClear.OLEAUT32(?), ref: 002886BF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 82bd992a90e5368471bfcc833bb42975902554740c979e7e76d9faefd9eb7d8a
Instruction ID: fdf60235c8091190d8c8814a5a4f6f69b8550b9f5cc271b8ae1e02700de11d66
Opcode Fuzzy Hash: 82bd992a90e5368471bfcc833bb42975902554740c979e7e76d9faefd9eb7d8a
Instruction Fuzzy Hash: D2A15A792247119FCB10EF14C891B5AB7E4BF98314F544449F99A9B3A2DB30EDA4CF42

Function 00266DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00266E04
SysAllocString.OLEAUT32(00000000), ref: 00266EAD
VariantCopy.OLEAUT32 ref: 00266EDC
VariantClear.OLEAUT32(?), ref: 00266F03

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 085fe06666cf818a161aadbb19416cf1c9c4f8c070e98bd61c69133be25a70f6
Instruction ID: 62c53d041cf8b9d3f37e4aacb4d734e62e082c17a1f19955424afac3af16a37c
Opcode Fuzzy Hash: 085fe06666cf818a161aadbb19416cf1c9c4f8c070e98bd61c69133be25a70f6
Instruction Fuzzy Hash: 3251C8306383029ADB30AF65E895B6EB3E5AF58314F30981FE556CB691DF7098E09F11

Function 00299A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0158EBC8,?), ref: 00299AD2
ScreenToClient.USER32(00000002,00000002), ref: 00299B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00299B72

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 234522650896a984c663a2e3bd32cc29225e76c6e1dc8f677068de564240e3db
Instruction ID: 99e16f3f46d8637d3b55084fefa748812c39f3e26dfeee5a451ee3f7a33833b5
Opcode Fuzzy Hash: 234522650896a984c663a2e3bd32cc29225e76c6e1dc8f677068de564240e3db
Instruction Fuzzy Hash: 54514D34A1020AAFCF10CF58E9949AE7BB9FF55324F14816EF8159B290D730ADA1CB90

Function 00286CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00286CE4
WSAGetLastError.WSOCK32(00000000), ref: 00286CF4

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00286D58
WSAGetLastError.WSOCK32(00000000), ref: 00286D64

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 2a8877b04a08d4abcec17975014cdf4defd40cb0a709bb75a87a7bf5ebfde909
Instruction ID: 2515b130e15e88d3c68b3edb634ce342cc18499646770c716688343c52bb017f
Opcode Fuzzy Hash: 2a8877b04a08d4abcec17975014cdf4defd40cb0a709bb75a87a7bf5ebfde909
Instruction Fuzzy Hash: 0041C574750200AFEB20BF24DC9AFBA77E5EF14B10F548018FA599F2D2DA719D908B91

Function 0028672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0029F910), ref: 002867BA
_strlen.LIBCMT ref: 002867EC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a155db88b1a973e8048cd07527460874fbf5895afa8510f34a3e97ffd7f602a1
Instruction ID: b739702577eb2d42a46142c47ed9eac02a90f5d849f8e3b5a477c1a11940589b
Opcode Fuzzy Hash: a155db88b1a973e8048cd07527460874fbf5895afa8510f34a3e97ffd7f602a1
Instruction Fuzzy Hash: E841B335A21104AFCB14FBA4DCD9FAEB3E9AF58314F148165F819972D2DB309DA4CB90

Function 0027BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0027BB09
GetLastError.KERNEL32(?,00000000), ref: 0027BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0027BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0027BB80

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6d172819d68903d78127e62b1d6d01ba0aa6816c564ffad22597bf1c6f3a6ee8
Instruction ID: bcce299efd330a8e84fa5713ba133a3db74da6d5f5628ca2a4bae66b8b3f446f
Opcode Fuzzy Hash: 6d172819d68903d78127e62b1d6d01ba0aa6816c564ffad22597bf1c6f3a6ee8
Instruction Fuzzy Hash: 59414339610611DFCB11EF14C595A9DBBE1AF99320B18C089EC4A9B362CB30FCA0CF91

Function 00298AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00298B4D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3383fa7a5a13c70b5fcd270dc3d3d0b9fdbdc128233923e38da303111dbcd9f3
Instruction ID: d825cdc8bf1dde97172698beb9bfee6e02be70abab2467cb9d52b83a3bf87146
Opcode Fuzzy Hash: 3383fa7a5a13c70b5fcd270dc3d3d0b9fdbdc128233923e38da303111dbcd9f3
Instruction Fuzzy Hash: 5931F2B5620205BFEF209E18DCA9FAD37A4EB07318F6C4516FA55D72A1CE30AD709A41

Function 0029ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0029AE1A
GetWindowRect.USER32(?,?), ref: 0029AE90
PtInRect.USER32(?,?,0029C304), ref: 0029AEA0
MessageBeep.USER32(00000000), ref: 0029AF11

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a1e88e21b18ae9a15ea9511c18c3c8fc2f1f37c0d735041c622311af3debe33a
Instruction ID: 91086080ae507b56b1dbd515d13038147c89dbeb33b726ee0f2853d4392acf28
Opcode Fuzzy Hash: a1e88e21b18ae9a15ea9511c18c3c8fc2f1f37c0d735041c622311af3debe33a
Instruction Fuzzy Hash: 99418B70A1021ADFCF11CF58D888AA9BBF5FF49340F2881BAE854DB251D731A851DF92

Function 00270FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00271037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00271053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002710B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0027110B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 915a61ff05888dc3b543cc9871e89efd71c5c79a313b6d374baa5f1185161e93
Instruction ID: 9871b185a639575ec218055c3679a062d8104c68922e22c0f2297bcd53e27f3e
Opcode Fuzzy Hash: 915a61ff05888dc3b543cc9871e89efd71c5c79a313b6d374baa5f1185161e93
Instruction Fuzzy Hash: 5C315E30E60699AEFF308F6D8C097F9BBA9AF45310F04C21AE99C521D1C37549F49755

Function 00271121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00271176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00271192
PostMessageW.USER32(00000000,00000101,00000000), ref: 002711F1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00271243

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 263639903bee3a16f0c4f26696df8eda069f98e1b974ff55627bb498213c114e
Instruction ID: fefe4d19a17c775e93d790f8586f5b623790a7259bfbaa638f74310bcdf9e4fd
Opcode Fuzzy Hash: 263639903bee3a16f0c4f26696df8eda069f98e1b974ff55627bb498213c114e
Instruction Fuzzy Hash: E7314830960219AAEF308E6D8C19BFABBAAAF49310F94C31BE98C961D1C3744D749751

Function 00246415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0024644B
__isleadbyte_l.LIBCMT ref: 00246479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002464A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002464DD

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c0ce49154ce2d8f0a8cdfb4db08dfaff6d6adf31aaeab368a5afd4c79d18018a
Instruction ID: ede17de6a807f3b8e33ebaec3481e780f49c5644367701e56da7fd513378e2c7
Opcode Fuzzy Hash: c0ce49154ce2d8f0a8cdfb4db08dfaff6d6adf31aaeab368a5afd4c79d18018a
Instruction Fuzzy Hash: E331DE71620247AFDF398F64C848BAA7BA9FF42310F154029E855871A0EB71D8A0DB92

Function 00295175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00295189

Part of subcall function 0027387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00273897
Part of subcall function 0027387D: GetCurrentThreadId.KERNEL32 ref: 0027389E
Part of subcall function 0027387D: AttachThreadInput.USER32(00000000,?,002752A7), ref: 002738A5

GetCaretPos.USER32(?), ref: 0029519A
ClientToScreen.USER32(00000000,?), ref: 002951D5
GetForegroundWindow.USER32 ref: 002951DB

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3d2f982cc41073451cdc6d436eb6ee006f100a008be2cb4aa830a7df4faa1a14
Instruction ID: 1409ea8af4e809fef6bc25c6153db2722fa8396d024cc0441b42baee1be26aac
Opcode Fuzzy Hash: 3d2f982cc41073451cdc6d436eb6ee006f100a008be2cb4aa830a7df4faa1a14
Instruction Fuzzy Hash: F5313E72D10108AFDB00EFA5D985AEFB7F9EF98300F10406AE415E7241EA759E95CFA0

Function 0029C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

GetCursorPos.USER32(?), ref: 0029C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0024BBFB,?,?,?,?,?), ref: 0029C7D7
GetCursorPos.USER32(?), ref: 0029C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0024BBFB,?,?,?), ref: 0029C85E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b117047871ca8ffab8cb77a62d3f48815bca536bcb6a890eebfe8d5122c03387
Instruction ID: 3b9d7982ad7b5dc442cb54d6204dbd60d8c3e4156c065e19675606b052ff7d53
Opcode Fuzzy Hash: b117047871ca8ffab8cb77a62d3f48815bca536bcb6a890eebfe8d5122c03387
Instruction Fuzzy Hash: B8318075610018AFCF16CF58D898EEA7BBAFB49310F54406AF9098B261C7319D60DFA0

Function 00268B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00268652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00268669
Part of subcall function 00268652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00268673
Part of subcall function 00268652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00268682
Part of subcall function 00268652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00268689
Part of subcall function 00268652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0026869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00268BEB
_memcmp.LIBCMT ref: 00268C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00268C44
HeapFree.KERNEL32(00000000), ref: 00268C4B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: cebdb6c0a1a5b833dba5cb2158555b76e44673498e27339ddc128bb868b59ff0
Instruction ID: d1b56218d91a1b4123f074676e4a531f3ca61f2d8f80e61fc43dc4b22e58895a
Opcode Fuzzy Hash: cebdb6c0a1a5b833dba5cb2158555b76e44673498e27339ddc128bb868b59ff0
Instruction Fuzzy Hash: DA21BD71E11209EFCB04CFA4C949BEEB7F8EF44344F14415AE454A7240EB31AE96CBA0

Function 00230BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00230BF2

Part of subcall function 00215B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00277B20,?,?,00000000), ref: 00215B8C
Part of subcall function 00215B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00277B20,?,?,00000000,?,?), ref: 00215BB0

_fprintf.LIBCMT ref: 00230C29
OutputDebugStringW.KERNEL32(?), ref: 00266331

Part of subcall function 00234CDA: _flsall.LIBCMT ref: 00234CF3

__setmode.LIBCMT ref: 00230C5E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1f7a1a65425b15dfedd50afe56a27ee4c0c0d41cd0f1acd58859cacb3da0e7a6
Instruction ID: 76d504f74c5b28b62e85540b516b850fc2a0f7de33d9c63a4acf8ff772e7fddb
Opcode Fuzzy Hash: 1f7a1a65425b15dfedd50afe56a27ee4c0c0d41cd0f1acd58859cacb3da0e7a6
Instruction Fuzzy Hash: 2F110AB2A24208BFCB0477B4AC879FEBBA99F41320F14419BF104572D1DE616DB64BA5

Function 00281A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00281A97

Part of subcall function 00281B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00281B40
Part of subcall function 00281B21: InternetCloseHandle.WININET(00000000), ref: 00281BDD

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 15e513ffaa4f5f7eb252414f63558c2629552ebffdb3afdfa906f9701fed334b
Instruction ID: 7755d3b10d1d0f1ac4ae3381030bf6fa4c7d8f9833894d4de47af4ee6a2a9aa6
Opcode Fuzzy Hash: 15e513ffaa4f5f7eb252414f63558c2629552ebffdb3afdfa906f9701fed334b
Instruction Fuzzy Hash: 77218E39212601BFDB15AF60DC05FBAB7ADFF44705F10001AFA56966D0EB71E8369BA0

Function 0026E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0026E1C4,?,?,?,0026EFB7,00000000,000000EF,00000119,?,?), ref: 0026F5BC
Part of subcall function 0026F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0026F5E2
Part of subcall function 0026F5AD: lstrcmpiW.KERNEL32(00000000,?,0026E1C4,?,?,?,0026EFB7,00000000,000000EF,00000119,?,?), ref: 0026F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0026EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0026E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0026E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0026EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0026E237

Strings

cdecl, xrefs: 0026E22E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6384094218e7bdb28e339f385a8a254844a042add93b48f0e4ba9827448c9a1b
Instruction ID: efbb814ffdb0dbccf71dd52baa2bebf5efdf50055fa370d8f35b0aad9805cd41
Opcode Fuzzy Hash: 6384094218e7bdb28e339f385a8a254844a042add93b48f0e4ba9827448c9a1b
Instruction Fuzzy Hash: 3011D37A120341EFCF25AF64DC59D7A77A9FF85310B41402AFC06CB264EB7198A0CBA0

Function 00245332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00245351

Part of subcall function 0023594C: __FF_MSGBANNER.LIBCMT ref: 00235963
Part of subcall function 0023594C: __NMSG_WRITE.LIBCMT ref: 0023596A
Part of subcall function 0023594C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00231013,?), ref: 0023598F

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 0bf7c50f7e96f533285e544cbbbb3195e2275bca99b846169e55ef47bca5b991
Instruction ID: 64c703f89b31e7003a881faf6d5db667d0e7da766cf858699cbb29fb3385170c
Opcode Fuzzy Hash: 0bf7c50f7e96f533285e544cbbbb3195e2275bca99b846169e55ef47bca5b991
Instruction Fuzzy Hash: A711E772524B2AAFCB352F70AC4466D3F945F147A0F2004AAF9849A192DFB58D608B90

Function 00214531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00214560

Part of subcall function 0021410D: _memset.LIBCMT ref: 0021418D
Part of subcall function 0021410D: _wcscpy.LIBCMT ref: 002141E1
Part of subcall function 0021410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002141F1

KillTimer.USER32(?,00000001,?,?), ref: 002145B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002145C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0024D6CE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ef9a9a3db578c8ffeb034ccd18959a267a4260326e5cc0bfe3d275b083f29d90
Instruction ID: c76d1cee774bcf049bfd536c2b9efd9e889ef048a4281c714fa0924cf9f2a62a
Opcode Fuzzy Hash: ef9a9a3db578c8ffeb034ccd18959a267a4260326e5cc0bfe3d275b083f29d90
Instruction Fuzzy Hash: C921F970914784AFEB729F24EC49BE7BBED9F21304F04009EE69E96242C7B45AD4CB51

Function 002740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002740D1
_memset.LIBCMT ref: 002740F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00274144
CloseHandle.KERNEL32(00000000), ref: 0027414D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 1f86df5d6e09640d29a596e1a00dd2eba385a89346f3728c1ecaf1927b91acc3
Instruction ID: 7a9e9cd7f5473bf5754e701f366fa05aaaff4a7dcee8e314be7cd6fc17a8bc67
Opcode Fuzzy Hash: 1f86df5d6e09640d29a596e1a00dd2eba385a89346f3728c1ecaf1927b91acc3
Instruction Fuzzy Hash: 1F11A7759112287AD730ABA5AC4DFABBB7CEF44760F1041AAF908D7180D6744E808BA4

Function 0028667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00215B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00277B20,?,?,00000000), ref: 00215B8C
Part of subcall function 00215B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00277B20,?,?,00000000,?,?), ref: 00215BB0

gethostbyname.WSOCK32(?,?,?), ref: 002866AC
WSAGetLastError.WSOCK32(00000000), ref: 002866B7
_memmove.LIBCMT ref: 002866E4
inet_ntoa.WSOCK32(?), ref: 002866EF

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: fa9f9cd7a943f0a42101998fb4afeed1db395a2c16770b3122c2a3d702040d16
Instruction ID: d1b9f5ecbfb9ce3eacc6e6916d45a599b2195b6a4d4233373795f6c93f53ec04
Opcode Fuzzy Hash: fa9f9cd7a943f0a42101998fb4afeed1db395a2c16770b3122c2a3d702040d16
Instruction Fuzzy Hash: 90117C35520108AFCB40FFA0D99ADEEB7B8AF54310B144065F502A72A1DB30AE64CFA1

Function 00269023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00269043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00269055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0026906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00269086

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8cd0a085348585e7d7797b33c5694febcc1584c0723062eda704e9da9c89159c
Instruction ID: cc066cf31c8fc680f33d8b64a9fdd6d463b82295e0d9e4058f3e42597964a617
Opcode Fuzzy Hash: 8cd0a085348585e7d7797b33c5694febcc1584c0723062eda704e9da9c89159c
Instruction Fuzzy Hash: 74115E79900218FFDB10DFA5CD84E9DBB78FB48310F204095E904B7250DA726EA0DB90

Function 00211290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623

DefDlgProcW.USER32(?,00000020,?), ref: 002112D8
GetClientRect.USER32(?,?), ref: 0024B84B
GetCursorPos.USER32(?), ref: 0024B855
ScreenToClient.USER32(?,?), ref: 0024B860

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8d468ff33722f8a12eb3d6453221663bf481fe575e76572ad9177a44cc6cbb58
Instruction ID: c61ea77ece010322209ac832a0ab469a7daeb02eca410037970c1c847ec6717d
Opcode Fuzzy Hash: 8d468ff33722f8a12eb3d6453221663bf481fe575e76572ad9177a44cc6cbb58
Instruction Fuzzy Hash: FA115835920129ABCF10DF98D8899EE77F8EB15300F100456FA11E3240C734AAB18BA5

Function 00271652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002701FD,?,00271250,?,00008000), ref: 0027166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,002701FD,?,00271250,?,00008000), ref: 00271694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002701FD,?,00271250,?,00008000), ref: 0027169E
Sleep.KERNEL32(?,?,?,?,?,?,?,002701FD,?,00271250,?,00008000), ref: 002716D1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eb6da1b6ba6d717a7ae45191ee43edcc243518d129dd6043b771d20b164d19bd
Instruction ID: e837676575e0837469392cfc7b28f694c76bf5387b2f7b48530e67f47ef46a35
Opcode Fuzzy Hash: eb6da1b6ba6d717a7ae45191ee43edcc243518d129dd6043b771d20b164d19bd
Instruction Fuzzy Hash: 26115E31C2051DD7CF009FAAE949AEEBB7CFF09751F05805AE988B6240CB7055708BD6

Function 00247207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0024722B

Part of subcall function 00247912: __fltout2.LIBCMT ref: 0024793B

__cftog_l.LIBCMT ref: 00247251
__cftoe_l.LIBCMT ref: 00247283

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0b290eadb9a7964d83df808711fee44ff9afe8eabc4df1c464445ed0dd2893e7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6001403606414ABBCF1A9E94CC018EE3F62BF59351F598615FE2858031D377C9B1AB81

Function 0029B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0029B59E
ScreenToClient.USER32(?,?), ref: 0029B5B6
ScreenToClient.USER32(?,?), ref: 0029B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0029B5F5

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0efaf12d50f45c9d28615a425e9023b56eab5fd2cad674f68b02e19d6ab0f97b
Instruction ID: b44a8a529563b0acfc0fc102781ce605e58f62176a37cd86807a2ebd7dfc5ef3
Opcode Fuzzy Hash: 0efaf12d50f45c9d28615a425e9023b56eab5fd2cad674f68b02e19d6ab0f97b
Instruction Fuzzy Hash: 001146B5D00209EFDB41CF99D544AEEFBB9FB08310F504166E914E3220D735AA658F50

Function 0029B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029B8FE
_memset.LIBCMT ref: 0029B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D7F20,002D7F64), ref: 0029B93C
CloseHandle.KERNEL32 ref: 0029B94E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d734ae0d7ac2a09e585be15117538d92f1eaf38ec58a3d13a1d82287ee501773
Instruction ID: 5c18193e94d474efb5be017898d0d4d5ab856d072df2ee9ed6bd348f3601d583
Opcode Fuzzy Hash: d734ae0d7ac2a09e585be15117538d92f1eaf38ec58a3d13a1d82287ee501773
Instruction Fuzzy Hash: 5EF05EF2A653407FF2606B71BC09FBB3B5CEB08354F404062BA08D5692E7794D208BA8

Function 00276E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00276E88

Part of subcall function 0027794E: _memset.LIBCMT ref: 00277983

_memmove.LIBCMT ref: 00276EAB
_memset.LIBCMT ref: 00276EB8
LeaveCriticalSection.KERNEL32(?), ref: 00276EC8

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 96159de71723cd18e681bc283678a7077756c21f9fcd6c535e2c95f8ed8d1681
Instruction ID: eff096d75d7c033027ad7572486b6ad58c05ab1758bd70aca8b2ad59c36747cf
Opcode Fuzzy Hash: 96159de71723cd18e681bc283678a7077756c21f9fcd6c535e2c95f8ed8d1681
Instruction Fuzzy Hash: C0F0547A100200ABCF416F55ED85B4ABB29EF45320F04C061FE089E216C731A921CFB4

Function 0029C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0021134D
Part of subcall function 002112F3: SelectObject.GDI32(?,00000000), ref: 0021135C
Part of subcall function 002112F3: BeginPath.GDI32(?), ref: 00211373
Part of subcall function 002112F3: SelectObject.GDI32(?,00000000), ref: 0021139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0029C030
LineTo.GDI32(00000000,?,?), ref: 0029C03D
EndPath.GDI32(00000000), ref: 0029C04D
StrokePath.GDI32(00000000), ref: 0029C05B

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f20a03798c79f202e97e86e9cb91005cc19c41c43d44b3078d684e8939fb2f65
Instruction ID: 02643e6bde403386a12addfccf0941421babff1058415b23b4bf56df7d68674b
Opcode Fuzzy Hash: f20a03798c79f202e97e86e9cb91005cc19c41c43d44b3078d684e8939fb2f65
Instruction Fuzzy Hash: 66F0BE3200126ABBDB522F90BD0EFCE3F98AF05310F144002FA11A10E2C7750A64DFD5

Function 0026A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0026A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0026A3AC
GetCurrentThreadId.KERNEL32 ref: 0026A3B3
AttachThreadInput.USER32(00000000), ref: 0026A3BA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 19dac21a77cc6fa30929e6ddebf7a4e6aa7e26f44c13541a01597bee90db70a2
Instruction ID: a934d27820cf7ab67583ab4e766d88f93a20dce30e77567f227da289f7b8cec8
Opcode Fuzzy Hash: 19dac21a77cc6fa30929e6ddebf7a4e6aa7e26f44c13541a01597bee90db70a2
Instruction Fuzzy Hash: 53E06D32141328BADBA01FA2ED0CEDB3F1CEF167A1F008026F609D4060C671C5A0CBE0

Function 00212218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00212231
SetTextColor.GDI32(?,000000FF), ref: 0021223B
SetBkMode.GDI32(?,00000001), ref: 00212250
GetStockObject.GDI32(00000005), ref: 00212258
GetWindowDC.USER32(?,00000000), ref: 0024C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0024C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0024C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0024C112
GetPixel.GDI32(00000000,?,?), ref: 0024C132
ReleaseDC.USER32(?,00000000), ref: 0024C13D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 44f9bed801ec8fb3e46c2277220d6d3d90ba1751668ee9593b19e78f43cb7c6c
Instruction ID: c22f490afa331c703298ec2a9dac9342e4528557f166eaee61efe662a037a475
Opcode Fuzzy Hash: 44f9bed801ec8fb3e46c2277220d6d3d90ba1751668ee9593b19e78f43cb7c6c
Instruction Fuzzy Hash: F0E06D32200245EADFA55F68FD0D7D83B10EB15332F108377FA6D880E1877149A0DB51

Function 00268C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00268C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0026882E), ref: 00268C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0026882E), ref: 00268C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0026882E), ref: 00268C7E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 98ed28e399b59671f174c6fffa6027197b1386ebf68e4703ad4ab6e2aa269055
Instruction ID: e2f80ab7039e101b49ffc8e83e6c6f4435b54954cd020af1fd64939f568a60e4
Opcode Fuzzy Hash: 98ed28e399b59671f174c6fffa6027197b1386ebf68e4703ad4ab6e2aa269055
Instruction Fuzzy Hash: CEE02672602211DBD7E01FB07E0CB463BACEF50792F04482AB245D9080DA348481CB20

Function 00252187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00252187
GetDC.USER32(00000000), ref: 00252191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002521B1
ReleaseDC.USER32(?), ref: 002521D2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 509d2b7f827bb9e67744d0118d02bb4165e718546c1d943d1736579aa541e449
Instruction ID: dfb5e20c2ee7f6fa3e844fbe26cb0fe699072dd949713f05a5cecece87658676
Opcode Fuzzy Hash: 509d2b7f827bb9e67744d0118d02bb4165e718546c1d943d1736579aa541e449
Instruction Fuzzy Hash: BCE0E576850704EFDB819F60E90CA9D7BF9EF5C351F208426F96AD7260CB7881929F40

Function 0025219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025219B
GetDC.USER32(00000000), ref: 002521A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002521B1
ReleaseDC.USER32(?), ref: 002521D2

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6d9548b02efcee16e1920ddca61153aeef636413e9eefa598481e4d5b822cfad
Instruction ID: 1e581de689ac279c21260f6a556151dab0ccc3b9bdf72163bfb659e60017204b
Opcode Fuzzy Hash: 6d9548b02efcee16e1920ddca61153aeef636413e9eefa598481e4d5b822cfad
Instruction Fuzzy Hash: 41E0E576810304AFCB819F60E90C69D7BE9AF5C310F208426F96AD7260CB7891919F40

Function 002163A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%*, xrefs: 002163AE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID:
String ID: %*
API String ID: 0-3615067565
Opcode ID: 5b72275beed698e7a47817261925b8a5c8f51a76eefeb87d5d5863845f4c60e6
Instruction ID: a22f8fe3d1b02a5b217e860e95128db4ac56312213506e2c961cc75bba6103c5
Opcode Fuzzy Hash: 5b72275beed698e7a47817261925b8a5c8f51a76eefeb87d5d5863845f4c60e6
Instruction Fuzzy Hash: 2CB1C57192010AABCF24EF98C4899FEB7F9FF64310F544066E901A7191DB319EE6CB91

Function 0028B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0028B2C3

Strings

xr-, xrefs: 0028B325
xr-, xrefs: 0028B2F9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __itow_s
String ID: xr-$xr-
API String ID: 3653519197-271859917
Opcode ID: abe6013ee397f0193bee1cf2800a8fa5a98b553db01f4f7430fb64d41206ca32
Instruction ID: 0193fab846c4ef6a41395cf81183558e4e550b606c6e2eef9b902e2d734a77ee
Opcode Fuzzy Hash: abe6013ee397f0193bee1cf2800a8fa5a98b553db01f4f7430fb64d41206ca32
Instruction Fuzzy Hash: 10B19D74A10209AFDB11EF54C891EAEB7F9FF58300F148059F9459B292EB70E9A1CB60

Function 0027B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0022FEC6: _wcscpy.LIBCMT ref: 0022FEE9

Part of subcall function 00219997: __itow.LIBCMT ref: 002199C2
Part of subcall function 00219997: __swprintf.LIBCMT ref: 00219A0C

__wcsnicmp.LIBCMT ref: 0027B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0027B361

Strings

LPT, xrefs: 0027B292

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 0df1fa31bbdf2b8a2851c249114e234b10b2fbf916f104c397746be5fb3577e2
Instruction ID: 4546ec5a101a7633aca66298898202cdbda7f941acaaca6f7dc2d77bf198fb82
Opcode Fuzzy Hash: 0df1fa31bbdf2b8a2851c249114e234b10b2fbf916f104c397746be5fb3577e2
Instruction Fuzzy Hash: 17617575A20215AFCB15DF94C995FAEB7F4EF08310F1180AAF94AAB251D770AE90CB50

Function 00258A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00258B1E
_memmove.LIBCMT ref: 00258B78

Strings

Oa", xrefs: 00258BF2, 0025E39A, 0025E3B6

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _memmove
String ID: Oa"
API String ID: 4104443479-755042541
Opcode ID: 25bd6bed1504a795c89d2f9705666d271e264ae311ab73f4bf195c96a8fca5bd
Instruction ID: c06d1883da9d9605b55564469e14c4defee981bbb435fa1054a3eb137355b33f
Opcode Fuzzy Hash: 25bd6bed1504a795c89d2f9705666d271e264ae311ab73f4bf195c96a8fca5bd
Instruction Fuzzy Hash: 6A51A470E1061ADFCF24CFA8D480AAEB7F5FF44309F14455AE85AE7240DB70A969CB51

Function 00222AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00222AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00222AE1

Strings

@, xrefs: 00222AD5

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cd84778d36ad1e02bdfb2b7462e5dddccfb2a594ab46157f75d074d67767c922
Instruction ID: ad1a5a9416910544c264c3ad6d02574c1dffa528f1bdf65f4a161ee03d32340d
Opcode Fuzzy Hash: cd84778d36ad1e02bdfb2b7462e5dddccfb2a594ab46157f75d074d67767c922
Instruction Fuzzy Hash: 335157714287449BD320AF10E896BAFBBE8FF94314F42895DF2D9410A1DB3085B9CB26

Function 002799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0021506B: __fread_nolock.LIBCMT ref: 00215089

_wcscmp.LIBCMT ref: 00279AAE
_wcscmp.LIBCMT ref: 00279AC1

Strings

FILE, xrefs: 002799FA

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5c0eebc54a5f2ed98acb8cc6332f3a29a2f5de0b390db24eb6fa15feefdc7259
Instruction ID: 5185c15674c4c20e7923902530b0025a9703bf95460c81d553c8be65345c1a9b
Opcode Fuzzy Hash: 5c0eebc54a5f2ed98acb8cc6332f3a29a2f5de0b390db24eb6fa15feefdc7259
Instruction Fuzzy Hash: 48413971A1071ABADF209EE0CC46FEFB7FDDF49714F0040A9F904A7180CA75AA548BA0

Function 0025099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002509A9

Strings

Dt-, xrefs: 0021A477
Dt-, xrefs: 0021A2B1

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClearVariant
String ID: Dt-$Dt-
API String ID: 1473721057-3531986820
Opcode ID: 610c6586b92a57ec56ba6f777bbe8058ec3c3ae670891a71c9f9240b5a8f9680
Instruction ID: 30fa84cb65fff85fd2ca04db4229b26a332872c8f163090e18dd07cd04fddc87
Opcode Fuzzy Hash: 610c6586b92a57ec56ba6f777bbe8058ec3c3ae670891a71c9f9240b5a8f9680
Instruction Fuzzy Hash: F9512574A2A3428FC754CF18C484A6ABBF1BFA9354F54485DE8858B321E331ECA5CF42

Function 00282882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002828C8

Strings

|, xrefs: 00282899

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9b56412a14766730343efacfebb89b67f46107b5d20e23297127a50ee0b886af
Instruction ID: 6d0cdc100fd50a7653c28e7ec428f69651c34fc37894543554f44f3d77e209cb
Opcode Fuzzy Hash: 9b56412a14766730343efacfebb89b67f46107b5d20e23297127a50ee0b886af
Instruction Fuzzy Hash: 0531F971821119AFCF01AFA1DC85EEEBFB9FF18310F104069E815A6165DA315AA6DFA0

Function 00296CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00296D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00296DC2

Strings

static, xrefs: 00296D22

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 25a431c903d03f5471e2a5ce63335c28613eee106e018d0174a4ae60fdff9b3f
Instruction ID: bb84ae31591454532742f59a19cd90f31f278567bf7e2aacdba516f48c3c9899
Opcode Fuzzy Hash: 25a431c903d03f5471e2a5ce63335c28613eee106e018d0174a4ae60fdff9b3f
Instruction Fuzzy Hash: 4E317071220605AADF119F64DC44AFB77F9FF48720F108519F9A5D7190DA71ACA1CB60

Function 00272D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00272E3B

Strings

0, xrefs: 00272DF9

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 287b8698435a80861a8e445351b02fccdadd7588d82dc4b1e7865d4176da6cf5
Instruction ID: fc8e27b35279f28b44cfbf1b668e1e4e4a121cf78842488ff697bd2fe2c92b94
Opcode Fuzzy Hash: 287b8698435a80861a8e445351b02fccdadd7588d82dc4b1e7865d4176da6cf5
Instruction Fuzzy Hash: 9E310B31920306DBDB24CF54D84579E7BB5FF05300F14802EEDC9E61A0D770A968CB11

Function 00296943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002969D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002969DB

Strings

Combobox, xrefs: 0029699D

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 99264079d06c7fd523192b9684e68fe5d23694c0d78f5ab13ee56c03fbf069ee
Instruction ID: ffe13a80f5288237aa153cf678be1f037f81baaf4d64e9df9562dc08e24d8d5c
Opcode Fuzzy Hash: 99264079d06c7fd523192b9684e68fe5d23694c0d78f5ab13ee56c03fbf069ee
Instruction Fuzzy Hash: EC11C87172020A6FFF119F14DC94FFB37AEEB993A4F110125F95897290D6719C618BA0

Function 00296E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91

GetWindowRect.USER32(00000000,?), ref: 00296EE0
GetSysColor.USER32(00000012), ref: 00296EFA

Strings

static, xrefs: 00296EBD

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d6877ec3967fde7947b5f1ecff099177b1285f5e26911ada90464f47dd629d57
Instruction ID: 42120a02f1f18eb1a34ad2bcaaf5f6477886e4aae1d2705c986e9d29253953fc
Opcode Fuzzy Hash: d6877ec3967fde7947b5f1ecff099177b1285f5e26911ada90464f47dd629d57
Instruction Fuzzy Hash: F721297262020AAFDF04DFA8DE49EEA7BF8FB08314F054629FD55D3250D634E8619B50

Function 00296B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00296C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00296C20

Strings

edit, xrefs: 00296BF5

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5a1f6abbafecedea7e8f78b64c8d8e93d4e028f8a2ef944bd331c4aa307edd46
Instruction ID: 3191aa65eaff077a01449cbb8252da996a74aac4b63c3f3aee6329fb4f5be744
Opcode Fuzzy Hash: 5a1f6abbafecedea7e8f78b64c8d8e93d4e028f8a2ef944bd331c4aa307edd46
Instruction Fuzzy Hash: 8311EC71120209ABEF108E64EC59EEB37AEEB04378F200725F960E31E0D771DCA09B60

Function 00272E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00272F30

Strings

0, xrefs: 00272F07

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c80721f583554c075e0657cd617ba5799c03105ce2db08084d1116eece859b3b
Instruction ID: f8fa9110e3c9cfe335a594d7acef3bd551c7087d20293e8ea3f5b8cb4bb0bc50
Opcode Fuzzy Hash: c80721f583554c075e0657cd617ba5799c03105ce2db08084d1116eece859b3b
Instruction Fuzzy Hash: C0119031D21115EBDB25DF58DC48BA977B9FB05310F1480A6E858E72A0D7B0BE288792

Function 002824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00282520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00282549

Strings

<local>, xrefs: 00282511

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 937724138182ca28d25ca8043446b907605068b3a73a81f769fdd514c1982086
Instruction ID: ee0fb7c725b842e6133d2d522712cc8322343343ecbe6ae34c8de3b8313abb7b
Opcode Fuzzy Hash: 937724138182ca28d25ca8043446b907605068b3a73a81f769fdd514c1982086
Instruction Fuzzy Hash: 19110A78162226FAD728AF518C98EF7FF5CFF06351F50812AF90542080D2B45968D7F0

Function 002880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002880C8,?,00000000,?,?), ref: 00288322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002880CB
htons.WSOCK32(00000000,?,00000000), ref: 00288108

Strings

255.255.255.255, xrefs: 002880E3

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e77073b8c80e3b90e88569c19b8fe06925b8ff8d8d2f30ae831f6258f72a6469
Instruction ID: b515669f888afee656d9141a34af2638fb00e61efd4f1a31d593ea623958703d
Opcode Fuzzy Hash: e77073b8c80e3b90e88569c19b8fe06925b8ff8d8d2f30ae831f6258f72a6469
Instruction Fuzzy Hash: 1411E538520205ABCB20AFA4CC4AFFDB364FF14310F208557E915972D1DF72A821CB91

Function 00220A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00213C26,002D62F8,?,?,?), ref: 00220ACE

Part of subcall function 00217D2C: _memmove.LIBCMT ref: 00217D66

_wcscat.LIBCMT ref: 002550E1

Strings

c-, xrefs: 00220B0E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c-
API String ID: 257928180-4013879437
Opcode ID: 871b98f87310fd65924f0d7e771e235bfd051a6c241f49f9eba2f2f5be7a3745
Instruction ID: ff9a8356309e67a1e940e97b288461bccf330efc830869328e5d04a863a2af35
Opcode Fuzzy Hash: 871b98f87310fd65924f0d7e771e235bfd051a6c241f49f9eba2f2f5be7a3745
Instruction Fuzzy Hash: E511A53093422CAB8B50EBE4EC45EDD77F9EF1C344B0000A6B948D7242EA709BE88F11

Function 002692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00269355

Strings

ListBox, xrefs: 0026931F
ComboBox, xrefs: 002692F4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0a1f5f03d31003d253e5333dfb60d892c01e37d14b833e59056399eda81eaff7
Instruction ID: 6b07493df8849568e5b8e01a9aaa86348f9b22fb7356ff8fa345b98f6afe678d
Opcode Fuzzy Hash: 0a1f5f03d31003d253e5333dfb60d892c01e37d14b833e59056399eda81eaff7
Instruction Fuzzy Hash: 3D01DE71A61224AB8B04EBA0CC91CFE77ADBF56320B100699B832973D1DF3158BC8A50

Function 002691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0026924D

Strings

ListBox, xrefs: 00269217
ComboBox, xrefs: 002691EC

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2c64f51c93dfb0dda51324927c9b86f1e92c37cc8c857a13a58aa93be126d1ea
Instruction ID: ad7eb595a086b76e1e177f1bd317d70bcd0e47119ca35fefa359856effb4a725
Opcode Fuzzy Hash: 2c64f51c93dfb0dda51324927c9b86f1e92c37cc8c857a13a58aa93be126d1ea
Instruction Fuzzy Hash: 5401FC71A61104B7CB04EBA0C9A6EFF77EC9F55300F140159791263281DF215FEC8AB1

Function 00269264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217F41: _memmove.LIBCMT ref: 00217F82

Part of subcall function 0026B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0026B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 002692D0

Strings

ListBox, xrefs: 0026929C
ComboBox, xrefs: 00269271

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 64c9c35a103f7ff70fe1a96b85753411b7dd33fdee0a1319c00b98e122c84257
Instruction ID: 460ffc8b199f87c5a3742b5075b571d5db273a3a85285efaf020c147f4d684f3
Opcode Fuzzy Hash: 64c9c35a103f7ff70fe1a96b85753411b7dd33fdee0a1319c00b98e122c84257
Instruction Fuzzy Hash: F101A771A61105B7CB05EAA4C996EFF77EC9F11340F140156B812A32C1DE315EEC9A71

Function 00236DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00236DD0
__calloc_crt.LIBCMT ref: 00236DE9

Strings

@R-, xrefs: 00236E00

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: __calloc_crt
String ID: @R-
API String ID: 3494438863-1116288881
Opcode ID: 8bd1f12af7756bbdbcd2a5bbe35603c23ae935e743b441abac94163cb145a8f7
Instruction ID: 4e695a0dc2d7a178087d8789da2246dd67d052001eb594fecbd5bee978e2c6b0
Opcode Fuzzy Hash: 8bd1f12af7756bbdbcd2a5bbe35603c23ae935e743b441abac94163cb145a8f7
Instruction Fuzzy Hash: F6F04FF172971AABE7248F59FD0DB61279AE710720F10852BE500CA690EB709CA18A84

Function 002751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002751E8
_wcscmp.LIBCMT ref: 002751FA

Strings

#32770, xrefs: 002751F4

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1bf4da075a96ef0592e4231292e68c7f311698ff4ed1d150f2f07bac278d0cb9
Instruction ID: 048874a7ddd5f47d6cb14710a5a382ee5f240ad08801394c9432422ad6138014
Opcode Fuzzy Hash: 1bf4da075a96ef0592e4231292e68c7f311698ff4ed1d150f2f07bac278d0cb9
Instruction Fuzzy Hash: 0AE02272A0022D2AE3209A99AC0AFA7F7ACEB41761F00016BFD18D3040E5609A248BE1

Function 002681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002681CA

Part of subcall function 00233598: _doexit.LIBCMT ref: 002335A2

Strings

Error allocating memory., xrefs: 002681C3
AutoIt, xrefs: 002681BE

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 4449ea43d74114cc3fb9723c2a6c030105936905abbadbf61d70261e6fee94d4
Instruction ID: 6db3cb7bd0c01d92b4fca16cd2d7ae7d2bf2787141c360f1c5849dc723964813
Opcode Fuzzy Hash: 4449ea43d74114cc3fb9723c2a6c030105936905abbadbf61d70261e6fee94d4
Instruction Fuzzy Hash: EED05B323E531832D25832A57D0BFC575884B1AB62F004026BF0C955D38DD155F146D9

Function 0024B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0024B564: _memset.LIBCMT ref: 0024B571

Part of subcall function 00230B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0024B540,?,?,?,0021100A), ref: 00230B89

IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 0024B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 0024B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0024B54E

Memory Dump Source

Source File: 00000000.00000002.1215865496.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1215849472.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.000000000029F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1215911961.00000000002C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216032040.00000000002CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1216049942.00000000002D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_llD1w4ROY5.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: f8a79472af2a391eec8b251d57d4b69ffcd96a07e06cf961d18ef4964b0d1ff5
Instruction ID: 329a4e6a06e2de65e55e740be94c4d5a3d5470f2c1ce04855a5e1607e0019fbb
Opcode Fuzzy Hash: f8a79472af2a391eec8b251d57d4b69ffcd96a07e06cf961d18ef4964b0d1ff5
Instruction Fuzzy Hash: 04E092B0620351CFD365DF39E508782BBE0AF04784F00892DE88AC3650D7B4E868CF61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report llD1w4ROY5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SzvWIzD.exe.log

C:\Users\user\AppData\Local\Temp\aut4D89.tmp

C:\Users\user\AppData\Local\Temp\aut4DE8.tmp

C:\Users\user\AppData\Local\Temp\hurtling

C:\Users\user\AppData\Local\Temp\spiketop

C:\Users\user\AppData\Roaming\SzvWIzD\SzvWIzD.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
llD1w4ROY5.exe

Function 00213B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00214FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00214AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 002793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00213015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Function 00213041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 002171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00213633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00213A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00213778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0021F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre