Edit tour

Windows Analysis Report
mIzAhxUQjY.exe

Overview

General Information

Sample name:	mIzAhxUQjY.exe renamed because original name is a hash value
Original sample name:	501ae6c21ceb803f00f565f4de6a476ee71c7a7cf336edf8a722dc00033e42c8.exe
Analysis ID:	1466962
MD5:	fb520aa6e750c9527a1f06587b71d541
SHA1:	8e559f1ef60d530817c65669eafa53fd27a83c82
SHA256:	501ae6c21ceb803f00f565f4de6a476ee71c7a7cf336edf8a722dc00033e42c8
Tags:	exe
Infos:

Detection

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Uses Windows timers to delay execution

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mIzAhxUQjY.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\mIzAhxUQjY.exe" MD5: FB520AA6E750C9527A1F06587B71D541)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mIzAhxUQjY.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: mIzAhxUQjY.exe

ReversingLabs: Detection: 58%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Machine Learning detection for sample

Source: mIzAhxUQjY.exe

Joe Sandbox ML: detected

Source: mIzAhxUQjY.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E04696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E04696
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E0C9C7
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0C93C FindFirstFileW,FindClose,	0_2_00E0C93C
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E0F200
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E0F35D
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E0F65E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E03A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E03A2B
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E03D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E03D4E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E0BF27

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E125E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E125E2

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E1425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E1425A

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E14458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E14458

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

0_2_00E1425A

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E00219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E00219

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E2CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E2CDAC

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00DA3B4C
Source: mIzAhxUQjY.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: mIzAhxUQjY.exe, 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f134cc75-a
Source: mIzAhxUQjY.exe, 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4f9c3a53-3
Source: mIzAhxUQjY.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a9653f3-4
Source: mIzAhxUQjY.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_80d038bb-a

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E040B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00E040B1

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DF8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00DF8858

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E0545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E0545F

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E2804A	0_2_00E2804A
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DAE060	0_2_00DAE060
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB4140	0_2_00DB4140
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC2405	0_2_00DC2405
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD6522	0_2_00DD6522
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E20665	0_2_00E20665
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD267E	0_2_00DD267E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB6843	0_2_00DB6843
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DAE800	0_2_00DAE800
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC283A	0_2_00DC283A
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD89DF	0_2_00DD89DF
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E20AE2	0_2_00E20AE2
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD6A94	0_2_00DD6A94
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB8A0E	0_2_00DB8A0E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DFEB07	0_2_00DFEB07
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E08B13	0_2_00E08B13
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCCD61	0_2_00DCCD61
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD7006	0_2_00DD7006
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB3190	0_2_00DB3190
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB710E	0_2_00DB710E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DA1287	0_2_00DA1287
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC33C7	0_2_00DC33C7
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCF419	0_2_00DCF419
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC16C4	0_2_00DC16C4
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB5680	0_2_00DB5680
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC78D3	0_2_00DC78D3
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DB58C0	0_2_00DB58C0
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC1BB8	0_2_00DC1BB8
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCDBB5	0_2_00DCDBB5
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DD9D05	0_2_00DD9D05
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DAFE40	0_2_00DAFE40
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC1FD0	0_2_00DC1FD0
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCBFE6	0_2_00DCBFE6

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: String function: 00DC8B40 appears 42 times
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: String function: 00DC0D27 appears 70 times
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: String function: 00DA7F41 appears 35 times

Source: mIzAhxUQjY.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal54.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E0A2D5 GetLastError,FormatMessageW,

0_2_00E0A2D5

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DF8713 AdjustTokenPrivileges,CloseHandle,		0_2_00DF8713
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DF8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DF8CC3

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E0B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E0B59E

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E1F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E1F121

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E186D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00E186D0

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00DA4FE9

Source: mIzAhxUQjY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mIzAhxUQjY.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Automated click: OK
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mIzAhxUQjY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mIzAhxUQjY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: mIzAhxUQjY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mIzAhxUQjY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mIzAhxUQjY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mIzAhxUQjY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mIzAhxUQjY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E1C304 LoadLibraryA,GetProcAddress,

0_2_00E1C304

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E08719 push FFFFFF8Bh; iretd	0_2_00E0871B
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCE94F push edi; ret	0_2_00DCE951
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCEA68 push esi; ret	0_2_00DCEA6A
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DC8B85 push ecx; ret	0_2_00DC8B98
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCEC43 push esi; ret	0_2_00DCEC45
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCED2C push edi; ret	0_2_00DCED2E

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DA4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00DA4A35
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E255FD

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DC33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DC33C7

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	User Timer Set: Timeout: 750ms	Jump to behavior

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

API coverage: 3.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E04696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E04696
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E0C9C7
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0C93C FindFirstFileW,FindClose,	0_2_00E0C93C
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E0F200
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E0F35D
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E0F65E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E03A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E03A2B
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E03D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E03D4E
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E0BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E0BF27

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DA4AFE

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E141FD BlockInput,

0_2_00E141FD

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DA3B4C

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DD5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00DD5CCC

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E1C304 LoadLibraryA,GetProcAddress,

0_2_00E1C304

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DF81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DF81F7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00DCA395
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00DCA364 SetUnhandledExceptionFilter,		0_2_00DCA364

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DF8C93 LogonUserW,

0_2_00DF8C93

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DA3B4C

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00DA4A35

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E04EF5 mouse_event,

0_2_00E04EF5

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

0_2_00DF81F7

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00E04C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E04C03

Source: mIzAhxUQjY.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: mIzAhxUQjY.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DC886B cpuid

0_2_00DC886B

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DD50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DD50D7

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DE2230 GetUserNameW,

0_2_00DE2230

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DD418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00DD418A

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe

Code function: 0_2_00DA4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DA4AFE

Source: mIzAhxUQjY.exe	Binary or memory string: WIN_81
Source: mIzAhxUQjY.exe	Binary or memory string: WIN_XP
Source: mIzAhxUQjY.exe	Binary or memory string: WIN_XPe
Source: mIzAhxUQjY.exe	Binary or memory string: WIN_VISTA
Source: mIzAhxUQjY.exe	Binary or memory string: WIN_7
Source: mIzAhxUQjY.exe	Binary or memory string: WIN_8
Source: mIzAhxUQjY.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E16596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E16596
Source: C:\Users\user\Desktop\mIzAhxUQjY.exe	Code function: 0_2_00E16A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E16A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Virtualization/Sandbox Evasion	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	21 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	15 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mIzAhxUQjY.exe	58%	ReversingLabs	Win32.Trojan.AutoitInject
mIzAhxUQjY.exe	100%	Avira	WORM/FakeExt.Gen8
mIzAhxUQjY.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466962
Start date and time:	2024-07-03 15:47:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mIzAhxUQjY.exe renamed because original name is a hash value
Original Sample Name:	501ae6c21ceb803f00f565f4de6a476ee71c7a7cf336edf8a722dc00033e42c8.exe
Detection:	MAL
Classification:	mal54.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 30 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: mIzAhxUQjY.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.594312478444017
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mIzAhxUQjY.exe
File size:	847'872 bytes
MD5:	fb520aa6e750c9527a1f06587b71d541
SHA1:	8e559f1ef60d530817c65669eafa53fd27a83c82
SHA256:	501ae6c21ceb803f00f565f4de6a476ee71c7a7cf336edf8a722dc00033e42c8
SHA512:	fe6e2f08204978fa92ddda73e3056291dfaffbcdb649ede033607619c4aa5cd518bfea56e07220a0068a8cea047d2086b72415a922cd15eafb5ab1e37c9c0273
SSDEEP:	24576:gAHnh+eWsN3skA4RV1Hom2KXMmHa7xK5:Xh+ZkldoPK8Ya7+
TLSH:	D4057B0273D2D036FFAB92739B6AB20156BD7D650123852F13983DB9BD701B1263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	70e4968a8c84dc71

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x666B2A47 [Thu Jun 13 17:20:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F7C8CB73C0Dh
jmp 00007F7C8CB669C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7C8CB66B4Ah
cmp edi, eax
jc 00007F7C8CB66EAEh
bt dword ptr [004C41FCh], 01h
jnc 00007F7C8CB66B49h
rep movsb
jmp 00007F7C8CB66E5Ch
cmp ecx, 00000080h
jc 00007F7C8CB66D14h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7C8CB66B50h
bt dword ptr [004BF324h], 01h
jc 00007F7C8CB67020h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F7C8CB66CEDh
test edi, 00000003h
jne 00007F7C8CB66CFEh
test esi, 00000003h
jne 00007F7C8CB66CDDh
bt edi, 02h
jnc 00007F7C8CB66B4Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7C8CB66B53h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7C8CB66BA5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x490c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcd000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x490c	0x4a00	46b6a4730ca207062fa4119df17f086b	False	0.37410261824324326	data	4.932600749031585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcd000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8350	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8478	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.18667917448405252
RT_STRING	0xc9520	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xc9ab4	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xca140	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xca5d0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcabcc	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcb228	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcb690	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcb7e8	0xa36	data			1.0042081101759754
RT_GROUP_ICON	0xcc220	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0xcc234	0x14	data	English	Great Britain	1.15
RT_VERSION	0xcc248	0x2d4	data	English	Great Britain	0.5359116022099447
RT_MANIFEST	0xcc51c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	09:48:08
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\mIzAhxUQjY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mIzAhxUQjY.exe"
Imagebase:	0xda0000
File size:	847'872 bytes
MD5 hash:	FB520AA6E750C9527A1F06587B71D541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1550
Total number of Limit Nodes:	124

Executed Functions

Function 00DA3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DA3B7A
IsDebuggerPresent.KERNEL32 ref: 00DA3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E662F8,00E662E0,?,?), ref: 00DA3BFD

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Part of subcall function 00DB0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DA3C26,00E662F8,?,?,?), ref: 00DB0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00DA3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E593F0,00000010), ref: 00DDD4BC
SetCurrentDirectoryW.KERNEL32(?,00E662F8,?,?,?), ref: 00DDD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E55D40,00E662F8,?,?,?), ref: 00DDD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00DDD581

Part of subcall function 00DA3A58: GetSysColorBrush.USER32(0000000F), ref: 00DA3A62
Part of subcall function 00DA3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DA3A71
Part of subcall function 00DA3A58: LoadIconW.USER32(00000063), ref: 00DA3A88
Part of subcall function 00DA3A58: LoadIconW.USER32(000000A4), ref: 00DA3A9A
Part of subcall function 00DA3A58: LoadIconW.USER32(000000A2), ref: 00DA3AAC
Part of subcall function 00DA3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DA3AD2
Part of subcall function 00DA3A58: RegisterClassExW.USER32(?), ref: 00DA3B28

Part of subcall function 00DA39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DA3A15
Part of subcall function 00DA39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DA3A36
Part of subcall function 00DA39E7: ShowWindow.USER32(00000000,?,?), ref: 00DA3A4A
Part of subcall function 00DA39E7: ShowWindow.USER32(00000000,?,?), ref: 00DA3A53

Part of subcall function 00DA43DB: _memset.LIBCMT ref: 00DA4401
Part of subcall function 00DA43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DA44A6

Strings

%, xrefs: 00DA3C56
This is a third-party compiled AutoIt script., xrefs: 00DDD4B4
runas, xrefs: 00DDD575

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: 075ed5fe2b5b8b7b97ba18a1744e7ff8db564549687f2571b3bd52b5fce818d6
Instruction ID: b50d7afd3a9e5f15e9136dcc1c54067b858e7daa3a87f0ed9d90a162c05f9cf7
Opcode Fuzzy Hash: 075ed5fe2b5b8b7b97ba18a1744e7ff8db564549687f2571b3bd52b5fce818d6
Instruction Fuzzy Hash: 75511731944248BECF11EBB5EC16DEE7B7AEB46750F044075F461721B1DAB48A0ACB31

Function 00DA4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DA4B2B

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

GetCurrentProcess.KERNEL32(?,00E2FAEC,00000000,00000000,?), ref: 00DA4BF8
IsWow64Process.KERNEL32(00000000), ref: 00DA4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DA4C45
FreeLibrary.KERNEL32(00000000), ref: 00DA4C50
GetSystemInfo.KERNEL32(00000000), ref: 00DA4C81
GetSystemInfo.KERNEL32(00000000), ref: 00DA4C8D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 1b81703ced6131569cc3a4ca30cf9008557baeb10dd76d1a4d2730730144f52f
Instruction ID: 197417d63abce05140a8867d6e5e0647020cd231b0cfe222480521598db0d9e3
Opcode Fuzzy Hash: 1b81703ced6131569cc3a4ca30cf9008557baeb10dd76d1a4d2730730144f52f
Instruction Fuzzy Hash: 2791C33154A7C0DECB31CB7885515AAFFF5AF6A300F4849AED0CA93B41D260E908C779

Function 00DA4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DA4EEE,?,?,00000000,00000000), ref: 00DA4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DA4EEE,?,?,00000000,00000000), ref: 00DA5010
LoadResource.KERNEL32(?,00000000,?,?,00DA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DA4F8F), ref: 00DDDD60
SizeofResource.KERNEL32(?,00000000,?,?,00DA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DA4F8F), ref: 00DDDD75
LockResource.KERNEL32(00DA4EEE,?,?,00DA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DA4F8F,00000000), ref: 00DDDD88

Strings

SCRIPT, xrefs: 00DA5006

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 76d83ba345d17c5e4a218a64c94a5b4b3411b632a9f73ba86763ee8dedddb89f
Instruction ID: 53bd3fa69cf3bb26ad0f7e92dc9df841399c5a830e4d83752a19bf0999085be6
Opcode Fuzzy Hash: 76d83ba345d17c5e4a218a64c94a5b4b3411b632a9f73ba86763ee8dedddb89f
Instruction Fuzzy Hash: 61115E75200700AFDB318B66EC58F6B7BB9EBCAB12F144178F50596260DB61E8058671

Function 00DB0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB0BBB
timeGetTime.WINMM ref: 00DB0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB0FB3
TranslateMessage.USER32(?), ref: 00DB0FC7
DispatchMessageW.USER32(?), ref: 00DB0FD5
Sleep.KERNEL32(0000000A), ref: 00DB0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00DB105A
DestroyWindow.USER32 ref: 00DB1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DB1080
Sleep.KERNEL32(0000000A,?,?), ref: 00DE52AD
TranslateMessage.USER32(?), ref: 00DE608A
DispatchMessageW.USER32(?), ref: 00DE6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DE60AC

Strings

pr, xrefs: 00DE53D8
@GUI_CTRLHANDLE, xrefs: 00DE540E
pr, xrefs: 00DE542D
@GUI_WINHANDLE, xrefs: 00DE53B9
pr, xrefs: 00DE5383
@GUI_CTRLID, xrefs: 00DE5364
pr, xrefs: 00DE5BDE
@COM_EVENTOBJ, xrefs: 00DE591A
@TRAY_ID, xrefs: 00DE5BB9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 85942c08aaf2e74849a97ab8512215cef131cd6b6ad3426c4e79bc19677b3881
Instruction ID: fc9bbb58e186e4345a9d7e98c1467a201f5813380c12d61dd709d3ce7921a1bf
Opcode Fuzzy Hash: 85942c08aaf2e74849a97ab8512215cef131cd6b6ad3426c4e79bc19677b3881
Instruction Fuzzy Hash: 22B2B070608781DFD724DF25D894BAABBE4FF84348F18491DE49A972A1D770E844CBB2

Function 00DA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DA3074
RegisterClassExW.USER32(00000030), ref: 00DA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00DA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DA30DC
LoadIconW.USER32(000000A9), ref: 00DA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DA3101

Strings

AutoIt v3 GUI, xrefs: 00DA3090
TaskbarCreated, xrefs: 00DA30A4
0, xrefs: 00DA3056
+, xrefs: 00DA305D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 52544e1365089f15d6b8cb75cc675b32b98f6a49817fe5dd398152f0a88229a6
Instruction ID: 5a630d34db39304ff29f005e26dc7fda14aae045d6978df2862dbc6a71072b4e
Opcode Fuzzy Hash: 52544e1365089f15d6b8cb75cc675b32b98f6a49817fe5dd398152f0a88229a6
Instruction Fuzzy Hash: 2A3134B1861309AFDB509FA5E889ADABBF4FB09310F10456AE580B62A0E7B50549CF91

Function 00DA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DA3074
RegisterClassExW.USER32(00000030), ref: 00DA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00DA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DA30DC
LoadIconW.USER32(000000A9), ref: 00DA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DA3101

Strings

AutoIt v3 GUI, xrefs: 00DA3090
TaskbarCreated, xrefs: 00DA30A4
0, xrefs: 00DA3056
+, xrefs: 00DA305D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 683a6b8fcd7a02bc437d74803b1207772d32fc217c1642da189c285612221d42
Instruction ID: aea2c393ba239f133f039c20416c966c32d79832e815f5c9b2f83344e7363c54
Opcode Fuzzy Hash: 683a6b8fcd7a02bc437d74803b1207772d32fc217c1642da189c285612221d42
Instruction Fuzzy Hash: 8121C4B1D20218AFDB10DFA6ED89B9EBBF4FB08740F00412AF911B72A0D7B145498F95

Function 00DA71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E662F8,?,00DA37C0,?), ref: 00DA4882

Part of subcall function 00DC074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DA72C5), ref: 00DC0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DA7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DDECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DDED32
RegCloseKey.ADVAPI32(?), ref: 00DDED70
_wcscat.LIBCMT ref: 00DDEDC9

Strings

\, xrefs: 00DDEDEC
\Include\, xrefs: 00DA72C5
Software\AutoIt v3\AutoIt, xrefs: 00DA72FE
Include, xrefs: 00DDECE8, 00DDED29

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 7fbdf136103cc2cd7c913c0646f097cb540e83f9c8422e8171a1ce16c366bc38
Instruction ID: e7b62921b09e2763b3ebabc1843ac0b57a9b38943a02e0903d9dc921756f68ca
Opcode Fuzzy Hash: 7fbdf136103cc2cd7c913c0646f097cb540e83f9c8422e8171a1ce16c366bc38
Instruction Fuzzy Hash: D0715CB14083019EC714EF66EC9195BBBE8FF95784B44092EF485A72B0EB709948CB71

Function 00DA3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00DA36D2
KillTimer.USER32(?,00000001), ref: 00DA36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DA371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DA372A
CreatePopupMenu.USER32 ref: 00DA373E
PostQuitMessage.USER32(00000000), ref: 00DA375F

Strings

%, xrefs: 00DDD2D1, 00DDD31F
TaskbarCreated, xrefs: 00DA3725

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: ed85f5be6e375c798ad2b06c99f7380ec73f7fa6640bc9ba24507eed1e0aef3b
Instruction ID: e66d5dc9bb327e72c1e29b8717dbef9febb2059e6976370319093aae534ab0bb
Opcode Fuzzy Hash: ed85f5be6e375c798ad2b06c99f7380ec73f7fa6640bc9ba24507eed1e0aef3b
Instruction Fuzzy Hash: 664107B2210105BFDF246F69EC09B7A3767E742380F1C0129F542A62F1CAE4DE1993B1

Function 00DA3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DA3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00DA3A71
LoadIconW.USER32(00000063), ref: 00DA3A88
LoadIconW.USER32(000000A4), ref: 00DA3A9A
LoadIconW.USER32(000000A2), ref: 00DA3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DA3AD2
RegisterClassExW.USER32(?), ref: 00DA3B28

Part of subcall function 00DA3041: GetSysColorBrush.USER32(0000000F), ref: 00DA3074
Part of subcall function 00DA3041: RegisterClassExW.USER32(00000030), ref: 00DA309E
Part of subcall function 00DA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DA30AF
Part of subcall function 00DA3041: InitCommonControlsEx.COMCTL32(?), ref: 00DA30CC
Part of subcall function 00DA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DA30DC
Part of subcall function 00DA3041: LoadIconW.USER32(000000A9), ref: 00DA30F2
Part of subcall function 00DA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DA3101

Strings

#, xrefs: 00DA3B0D
0, xrefs: 00DA3B06
AutoIt v3, xrefs: 00DA3B17

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6429322b33c853a4761cee1b61cfacde431b0b937cc71dfea892865de79f29d6
Instruction ID: 16b4bafa6d7d7bc6e6558cfac1dfeb345369d3fb0120f72b1eb5df9470c07828
Opcode Fuzzy Hash: 6429322b33c853a4761cee1b61cfacde431b0b937cc71dfea892865de79f29d6
Instruction Fuzzy Hash: E2213971920304AFEB109FA6FC19B9E7FB5EB08750F00012AF504BA2B0D7F656588F94

Function 00DA3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00DA38B9
/AutoIt3ExecuteScript, xrefs: 00DA38CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00DA37C0
CMDLINE, xrefs: 00DA3834
CMDLINERAW, xrefs: 00DA380D
/AutoIt3OutputDebug, xrefs: 00DA38A4
b, xrefs: 00DDD44E
/ErrorStdOut, xrefs: 00DA388F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 2a0cb4113827d5419d787242e3376e749dbb1ea3c76495a303e6186723f9a31d
Instruction ID: 0fd7d51fbad16bddab074e9b62778c055ac769c59d0c05d5582d80cee654d246
Opcode Fuzzy Hash: 2a0cb4113827d5419d787242e3376e749dbb1ea3c76495a303e6186723f9a31d
Instruction Fuzzy Hash: 12A13F71910229AACF04EBA0DC92EEEB779FF56300F54052AF416B7191EF749A09CB70

Function 00DAFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DAFC06
OleUninitialize.OLE32(?,00000000), ref: 00DAFCA5
UnregisterHotKey.USER32(?), ref: 00DAFDFC
DestroyWindow.USER32(?), ref: 00DE4A00
FreeLibrary.KERNEL32(?), ref: 00DE4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DE4A92

Strings

close all, xrefs: 00DAFC01

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 27fd3b73fd0ace69879e45a788ea0a1eb6b88a5222fcbda8afd3e080d151cffe
Instruction ID: 745fd00ae155e76967d02c29c14ac6bcd63c95b637a61ce5fc359acb3003c09f
Opcode Fuzzy Hash: 27fd3b73fd0ace69879e45a788ea0a1eb6b88a5222fcbda8afd3e080d151cffe
Instruction Fuzzy Hash: 57A14A31701212CFCB29EF55C495A69F7A4EF05714F1842ADE84AAB262DB30ED16CF74

Function 00DAF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DC03D3
Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DC03DB
Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DC03E6
Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DC03F1
Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DC03F9
Part of subcall function 00DC03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DC0401

Part of subcall function 00DB6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DAFA90), ref: 00DB62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DAFB2D
OleInitialize.OLE32(00000000), ref: 00DAFBAA
CloseHandle.KERNEL32(00000000), ref: 00DE49F2

Strings

%, xrefs: 00DAF8F6, 00DAF908, 00DAFACE, 00DAFBB1
\d, xrefs: 00DAF957
<g, xrefs: 00DAFA90
c, xrefs: 00DAF94B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$%$c
API String ID: 1986988660-619945097
Opcode ID: 3a241dbd9cc95ddda95e60842248d3bcd9d6a5b3bb8fd7fe366f2dde89137f66
Instruction ID: 0210cee82493d8311c05f824bbe9b5a1f4deb8b253ac17d151c204567dac9ce1
Opcode Fuzzy Hash: 3a241dbd9cc95ddda95e60842248d3bcd9d6a5b3bb8fd7fe366f2dde89137f66
Instruction Fuzzy Hash: 3281BBB09602509FC784DF2BB9566167BF4FB98388710953ED029E7362EBB1940DCFA1

Function 00E1F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E1F75C
_memset.LIBCMT ref: 00E1F825
ShellExecuteExW.SHELL32(?), ref: 00E1F86A

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

Part of subcall function 00DBFEC6: _wcscpy.LIBCMT ref: 00DBFEE9

GetProcessId.KERNEL32(00000000), ref: 00E1F8E1
CloseHandle.KERNEL32(00000000), ref: 00E1F910

Strings

@, xrefs: 00E1F839

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5b056568bfbce53d0b6839f66c8d4d73ea5f973ceaaf1179602f74d6de46540d
Instruction ID: ae6eb09230c76906cb73b844b6db27cfc2b03a73e0505d9ee237d462772e5c89
Opcode Fuzzy Hash: 5b056568bfbce53d0b6839f66c8d4d73ea5f973ceaaf1179602f74d6de46540d
Instruction Fuzzy Hash: 8B617D75A00619DFCB14EF64C4919AEFBF5FF49314B148469E856BB361CB30AD81CBA0

Function 00DA39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DA3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DA3A36
ShowWindow.USER32(00000000,?,?), ref: 00DA3A4A
ShowWindow.USER32(00000000,?,?), ref: 00DA3A53

Strings

edit, xrefs: 00DA3A30
AutoIt v3, xrefs: 00DA3A0D, 00DA3A12, 00DA3A13

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0532e674b5618fb76c9a09851865f1ac196662737aed2b91c155baff1ded70ef
Instruction ID: c66f7e3baa1eb16ead0ed81bbbae8f4ca95f31156a347f9ee0b90dda10dae806
Opcode Fuzzy Hash: 0532e674b5618fb76c9a09851865f1ac196662737aed2b91c155baff1ded70ef
Instruction Fuzzy Hash: 13F0DA716612907EEB3117277C59E672E7DD7C6F90B00413AF904B6170C6E51855DAB0

Function 00DA69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DA4F6F

_free.LIBCMT ref: 00DDE68C
_free.LIBCMT ref: 00DDE6D3

Part of subcall function 00DA6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DA6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00DDE462
Bad directive syntax error, xrefs: 00DDE6BB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: dd78552da8bb0ae1e9ebebd29e22604a6431c819bfe3c5b972fff5e2c486c6f6
Instruction ID: a6a267efbe60971c9e0b83f75d073a59f375a9f5458f1ba15b3e4be801c1e1cb
Opcode Fuzzy Hash: dd78552da8bb0ae1e9ebebd29e22604a6431c819bfe3c5b972fff5e2c486c6f6
Instruction Fuzzy Hash: 84912871910219AFCF04EFA4D8919EDB7B4FF19314F14446AF816AB2A1EB70E945CB70

Function 00DA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DA35A1,SwapMouseButtons,00000004,?), ref: 00DA35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DA35A1,SwapMouseButtons,00000004,?,?,?,?,00DA2754), ref: 00DA35F5
RegCloseKey.KERNELBASE(00000000,?,?,00DA35A1,SwapMouseButtons,00000004,?,?,?,?,00DA2754), ref: 00DA3617

Strings

Control Panel\Mouse, xrefs: 00DA35D2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4aa4e3dffc817fbc4dcd01c0a930fa06db6c354f5152cd77bbf676b161d580b7
Instruction ID: c27f24639c2fa4994f001f2226c20e7c4a4ab4ca51a6684d8c73f938012d3afa
Opcode Fuzzy Hash: 4aa4e3dffc817fbc4dcd01c0a930fa06db6c354f5152cd77bbf676b161d580b7
Instruction Fuzzy Hash: 08115A71910208BFDB208FA5DC40DAFB7B9EF05740F08446AF805E7210E2719F459B70

Function 00DA4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA4560

Part of subcall function 00DA410D: _memset.LIBCMT ref: 00DA418D
Part of subcall function 00DA410D: _wcscpy.LIBCMT ref: 00DA41E1
Part of subcall function 00DA410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DA41F1

KillTimer.USER32(?,00000001,?,?), ref: 00DA45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DA45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DDD6CE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8e6426b2dd3c526d16681202d0ef579bd22d90c8e5de5d960335e59ce4d06a30
Instruction ID: 55df0af632422c429582a0011ad48be433f317e1bcb4f71945ebdbdc2f6ad7fa
Opcode Fuzzy Hash: 8e6426b2dd3c526d16681202d0ef579bd22d90c8e5de5d960335e59ce4d06a30
Instruction Fuzzy Hash: D321DA71904788AFEB328B24DC55BE7BBED9F41304F04009EE69E56241C7B49A898BA1

Function 00DA4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DA4E1A

Strings

EA06, xrefs: 00DDDCF5
AU3!P/, xrefs: 00DA4E14

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: 276a265f5d0add7f2ae853984b00a37ec5bcaefe59d01e005819beecc5a9ccd5
Instruction ID: d1fbb1d4816359846db48b07ac4916c98be283c20c0df6fc052571e15e887192
Opcode Fuzzy Hash: 276a265f5d0add7f2ae853984b00a37ec5bcaefe59d01e005819beecc5a9ccd5
Instruction Fuzzy Hash: CF415C61A041549BDF219F64D8517BE7FA6EF87300F2C4065F882AB286D6E1DE4487F1

Function 00DA73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DDEE62
GetOpenFileNameW.COMDLG32(?), ref: 00DDEEAC

Part of subcall function 00DA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DA48A1,?,?,00DA37C0,?), ref: 00DA48CE

Part of subcall function 00DC09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DC09F4

Strings

X, xrefs: 00DDEE7A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: a30642397d2677d24bcaac997ff9337bb401ff8d7b689d2deaa0f2b0904862d6
Instruction ID: e8644643d7f60d6ad0b1d191826839b480d1a2b316d80baf41fe8d51be41d65c
Opcode Fuzzy Hash: a30642397d2677d24bcaac997ff9337bb401ff8d7b689d2deaa0f2b0904862d6
Instruction Fuzzy Hash: 7E219F31A002589BCB119F94DC45BEE7BF8DF49311F04401AE808BB242DBB8998E8FB1

Function 00DC594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00DC5963

Part of subcall function 00DCA3AB: __NMSG_WRITE.LIBCMT ref: 00DCA3D2
Part of subcall function 00DCA3AB: __NMSG_WRITE.LIBCMT ref: 00DCA3DC

__NMSG_WRITE.LIBCMT ref: 00DC596A

Part of subcall function 00DCA408: GetModuleFileNameW.KERNEL32(00000000,00E643BA,00000104,?,00000001,00000000), ref: 00DCA49A
Part of subcall function 00DCA408: ___crtMessageBoxW.LIBCMT ref: 00DCA548

Part of subcall function 00DC32DF: ___crtCorExitProcess.LIBCMT ref: 00DC32E5
Part of subcall function 00DC32DF: ExitProcess.KERNEL32 ref: 00DC32EE

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DC1013,?), ref: 00DC598F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 1be77a670a02820f5dc4b7c42f58bc4b26dba4b6700bdf45f4dc27f949507d3a
Instruction ID: 953e61f3b071ec51b0c234323737a2f015ca3a992095910644838a4d4ba27434
Opcode Fuzzy Hash: 1be77a670a02820f5dc4b7c42f58bc4b26dba4b6700bdf45f4dc27f949507d3a
Instruction Fuzzy Hash: 7401D231201A17DEEA217B65F852F2E7258CF52B70F1401AEF402AB1D1DEB0AD818B70

Function 00DA492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00DA4992

Part of subcall function 00DC35AC: __lock.LIBCMT ref: 00DC35B2
Part of subcall function 00DC35AC: DecodePointer.KERNEL32(00000001,?,00DA49A7,00DF81BC), ref: 00DC35BE
Part of subcall function 00DC35AC: EncodePointer.KERNEL32(?,?,00DA49A7,00DF81BC), ref: 00DC35C9

Part of subcall function 00DA4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DA4A73
Part of subcall function 00DA4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DA4A88

Part of subcall function 00DA3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DA3B7A
Part of subcall function 00DA3B4C: IsDebuggerPresent.KERNEL32 ref: 00DA3B8C
Part of subcall function 00DA3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E662F8,00E662E0,?,?), ref: 00DA3BFD
Part of subcall function 00DA3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DA3C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00DA49D2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: eadb1a4908d97f6030c2c9f120fc931c8ad881fd220a65901bc83158afe6d6f4
Instruction ID: 8e815eac677ea39f2d88bdc73ca7b21f19cc2baa9b3f0829ffaf61174c140923
Opcode Fuzzy Hash: eadb1a4908d97f6030c2c9f120fc931c8ad881fd220a65901bc83158afe6d6f4
Instruction Fuzzy Hash: 9A116A719283119FC700EF2AE80590BFFF8EB95750F00852EF095A72B1DBB09559CBA2

Function 00DC0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DC594C: __FF_MSGBANNER.LIBCMT ref: 00DC5963
Part of subcall function 00DC594C: __NMSG_WRITE.LIBCMT ref: 00DC596A
Part of subcall function 00DC594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DC1013,?), ref: 00DC598F

std::exception::exception.LIBCMT ref: 00DC102C
__CxxThrowException@8.LIBCMT ref: 00DC1041

Part of subcall function 00DC87DB: RaiseException.KERNEL32(?,?,?,00E5BAF8,00000000,?,?,?,?,00DC1046,?,00E5BAF8,?,00000001), ref: 00DC8830

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 68197a932870fc28e9bcb75ecb3b06a33097359e9f04d707cb9eb1ab98dfcb73
Instruction ID: b3abb4a509677c13facc2b6fb3f014f7829579ecaf5a37726b52e70e922ca53e
Opcode Fuzzy Hash: 68197a932870fc28e9bcb75ecb3b06a33097359e9f04d707cb9eb1ab98dfcb73
Instruction Fuzzy Hash: C9F0A93950021BA6C720AA94EC06FDF7BA8DF01351F50045EFD04A7592EF719A84E6F0

Function 00DC55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

__lock_file.LIBCMT ref: 00DC561B

Part of subcall function 00DC6E4E: __lock.LIBCMT ref: 00DC6E71

__fclose_nolock.LIBCMT ref: 00DC5626

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7ce9487a680a35e84fb5ebf6566038baa888897c3de6632bb549b09bdc9defd7
Instruction ID: e1d8cdcb638481c20a87daaea7594575af09d50a260f1f32a602695cf957ca0c
Opcode Fuzzy Hash: 7ce9487a680a35e84fb5ebf6566038baa888897c3de6632bb549b09bdc9defd7
Instruction Fuzzy Hash: 4DF0F031840A039AD720AF749802F6E66A1EF81334F54820DE411AB1C5CF7CA981AB79

Function 00DC32DF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00DC32E5

Part of subcall function 00DC32AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00DC32EA,00000000,?,00DC9EFE,000000FF,0000001E,00E5BE28,00000008,00DC9E62,00000000,00000000), ref: 00DC32BA
Part of subcall function 00DC32AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00DC32CC

ExitProcess.KERNEL32 ref: 00DC32EE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: ac68c7d481303444318fd2981b131504c7ae9a249e2c9b2b7df9314d7350f52e
Instruction ID: e19b58ab8112ebcd7ff9624d99794aae8cd0d7ac10cbd264014fabbd5e649270
Opcode Fuzzy Hash: ac68c7d481303444318fd2981b131504c7ae9a249e2c9b2b7df9314d7350f52e
Instruction Fuzzy Hash: EAB09230000208BFCF012F12DC0AC487F39FF00A90B108034F80409031DB72AA92DAA8

Function 00DA4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DA4D4D

Part of subcall function 00DC548B: __wfsopen.LIBCMT ref: 00DC5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DA4F6F

Part of subcall function 00DA4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DA4D02

Part of subcall function 00DA4DD0: _memmove.LIBCMT ref: 00DA4E1A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 87fe63cc51b469c833470eb8040bdbb78f30b88cc0aabff086ccd7ab294314f6
Instruction ID: a4488a4419e5f62d484b9d0ac721b33933a1241963b3fbbc438214a17a6e2e05
Opcode Fuzzy Hash: 87fe63cc51b469c833470eb8040bdbb78f30b88cc0aabff086ccd7ab294314f6
Instruction Fuzzy Hash: 2E11E732600305AECF14AF70DC02F6E77A5DFC1711F108839F541A62C1DAB19A059B70

Function 00DC0941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DC09F4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: fc4831c5b9fe0a17e60dedba01d7d320620ea650522a6126a09f7d384d45b55f
Instruction ID: 64e35a576dd293890f9d33314a64e64a686c23de95f25fc2e0db51e52a8d9e1a
Opcode Fuzzy Hash: fc4831c5b9fe0a17e60dedba01d7d320620ea650522a6126a09f7d384d45b55f
Instruction Fuzzy Hash: F8017C3218D145CFD722CBE5D8A97D17BB4FF0732831841CBDC458B83AEA62552AEB60

Function 00DA4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00E662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DA4FDE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bb0f0c291d5d13b393742b8e028b5a67b081f982baa26a80e8ecab7532766b02
Instruction ID: 55663afac1e26e21801fc504bb08fe8e76749dcc9e7ca632ed6a400d49d872e1
Opcode Fuzzy Hash: bb0f0c291d5d13b393742b8e028b5a67b081f982baa26a80e8ecab7532766b02
Instruction Fuzzy Hash: 12F03972105712CFCB349F64E494812BBF1BF4632A3249A3EE1D682610C7B1A894DF60

Function 00DC09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DC09F4

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e74b85ba91e88f5685817f3b59f3f281aac72161c358c7f94499667ba5a11e31
Instruction ID: 6aa75a1ac0974523348dbeaf84580813fc72abd75d870270b08f8e908dbd923d
Opcode Fuzzy Hash: e74b85ba91e88f5685817f3b59f3f281aac72161c358c7f94499667ba5a11e31
Instruction Fuzzy Hash: DEE086379042289BC720D6989C05FFA77ADDF89690F0501B6FC4CD7214D9A09C8586A1

Function 00DC548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00DC5496

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: bec64cde0ff6573baf9e6dc2d48aa8758604500a7fa3d996531549fc9e44fc8e
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FCB0927684420C77DE012E82FC02F593B199B40679F808020FB0C19162A673A6A096A9

Function 00DC3598 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00DC35A2

Part of subcall function 00DC3469: __lock.LIBCMT ref: 00DC3477
Part of subcall function 00DC3469: DecodePointer.KERNEL32(00E5BB70,0000001C,00DC33C2,00000000,00000001,00000000,?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC34B6
Part of subcall function 00DC3469: DecodePointer.KERNEL32(?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC34C7
Part of subcall function 00DC3469: EncodePointer.KERNEL32(00000000,?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC34E0
Part of subcall function 00DC3469: DecodePointer.KERNEL32(-00000004,?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC34F0
Part of subcall function 00DC3469: EncodePointer.KERNEL32(00000000,?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC34F6
Part of subcall function 00DC3469: DecodePointer.KERNEL32(?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC350C
Part of subcall function 00DC3469: DecodePointer.KERNEL32(?,00DC3310,000000FF,?,00DC9E6E,00000011,00000000,?,00DC9CBC,0000000D), ref: 00DC3517

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 838aa4fa79968e20e6c08bab9238e84cd19d8fb297dae8f399ca6e424c4961b2
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 3CB0123158430C73D9112A85EC03F153B1C8740B50F104020FA0C5D1E1A5D3767044E9

Non-executed Functions

Function 00E2CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E2CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E2CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E2CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E2CF00
SendMessageW.USER32 ref: 00E2CF29
_wcsncpy.LIBCMT ref: 00E2CFA1
GetKeyState.USER32(00000011), ref: 00E2CFC2
GetKeyState.USER32(00000009), ref: 00E2CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E2CFE5
GetKeyState.USER32(00000010), ref: 00E2CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E2D018
SendMessageW.USER32 ref: 00E2D03F
SendMessageW.USER32(?,00001030,?,00E2B602), ref: 00E2D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E2D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E2D16E
SetCapture.USER32(?), ref: 00E2D177
ClientToScreen.USER32(?,?), ref: 00E2D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E2D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E2D203
ReleaseCapture.USER32 ref: 00E2D20E
GetCursorPos.USER32(?), ref: 00E2D248
ScreenToClient.USER32(?,?), ref: 00E2D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E2D2B1
SendMessageW.USER32 ref: 00E2D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E2D31C
SendMessageW.USER32 ref: 00E2D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E2D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E2D37B
GetCursorPos.USER32(?), ref: 00E2D39B
ScreenToClient.USER32(?,?), ref: 00E2D3A8
GetParent.USER32(?), ref: 00E2D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E2D431
SendMessageW.USER32 ref: 00E2D462
ClientToScreen.USER32(?,?), ref: 00E2D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E2D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E2D51A
SendMessageW.USER32 ref: 00E2D53D
ClientToScreen.USER32(?,?), ref: 00E2D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E2D5C3

Part of subcall function 00DA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DA25EC

GetWindowLongW.USER32(?,000000F0), ref: 00E2D65F

Strings

F, xrefs: 00E2D543
pr, xrefs: 00E2D1BD
@GUI_DRAGID, xrefs: 00E2D1AA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1436871235
Opcode ID: c279ce00fa3103b4062e9ec4abca22b6bdce88c244fb56785a6d07ba570dfda8
Instruction ID: baf7ae64ac377b482dea3e091b08afcd56f09790f6ff6311a612b375c559f651
Opcode Fuzzy Hash: c279ce00fa3103b4062e9ec4abca22b6bdce88c244fb56785a6d07ba570dfda8
Instruction Fuzzy Hash: 7A42CF30208250AFD725CF28E844FAABBF5FF49318F24152DF695A72A0CB71D855CB92

Function 00E2804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E2873F

Strings

%d/%02d/%02d, xrefs: 00E28478

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 361e101a948983c0770a92eb460564dcfdb1e7d19c1deecc8c808f4c51ceec8b
Instruction ID: 5a17b0b46bdf9f9c93380f75185814a37489170e885f3f198136d7cdd8fdbe3b
Opcode Fuzzy Hash: 361e101a948983c0770a92eb460564dcfdb1e7d19c1deecc8c808f4c51ceec8b
Instruction Fuzzy Hash: 8712E171501228AFEB248F25ED49FAE7BB8EF49314F205129F915FA2A1DF708945CB60

Function 00DB710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DB75C2
_memset.LIBCMT ref: 00DB76B1
_memmove.LIBCMT ref: 00DB7C4B
_memmove.LIBCMT ref: 00DB7E4F

Strings

Q\E, xrefs: 00DB81C1
\b(?=\w), xrefs: 00DF3C34
[:<:]], xrefs: 00DB75F1
[:>:]], xrefs: 00DB760A
DEFINE, xrefs: 00DF25AF
0w, xrefs: 00DF1F5B
\b(?<=\w), xrefs: 00DF3C41

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3460961967
Opcode ID: a0c926712e765589b7c74a1d716b5945469f631416309ed379385fd02bb49ce0
Instruction ID: e82ec3157d7be00222d281e6648b62384d1db888dc14e4d4aee9c3e5bb3df905
Opcode Fuzzy Hash: a0c926712e765589b7c74a1d716b5945469f631416309ed379385fd02bb49ce0
Instruction Fuzzy Hash: 13937175A04219DBDB24CF58C8817FDB7B1FF48710F2A816AEA55EB280D7709E81DB60

Function 00DA4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00DA4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DDDA8E
IsIconic.USER32(?), ref: 00DDDA97
ShowWindow.USER32(?,00000009), ref: 00DDDAA4
SetForegroundWindow.USER32(?), ref: 00DDDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DDDAC4
GetCurrentThreadId.KERNEL32 ref: 00DDDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DDDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DDDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00DDDAF8
SetForegroundWindow.USER32(?), ref: 00DDDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DDDB10
keybd_event.USER32(00000012,00000000), ref: 00DDDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DDDB25
keybd_event.USER32(00000012,00000000), ref: 00DDDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DDDB33
keybd_event.USER32(00000012,00000000), ref: 00DDDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DDDB42
keybd_event.USER32(00000012,00000000), ref: 00DDDB47
SetForegroundWindow.USER32(?), ref: 00DDDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00DDDB71

Strings

Shell_TrayWnd, xrefs: 00DDDA89

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 692497d331c8a97d6484feccdc3586d1ed9d73ef4f045855ece50cfb501de222
Instruction ID: fd5abd2f84323184d90ee9fe3b90836565cc5e970e15d014410f1579d305297d
Opcode Fuzzy Hash: 692497d331c8a97d6484feccdc3586d1ed9d73ef4f045855ece50cfb501de222
Instruction Fuzzy Hash: DB315271A80318BEEF316F629C49F7E3E7DEB44B50F154036FA04BA1D1C6B09D11AAA0

Function 00DF8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00DF8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF8D0D
Part of subcall function 00DF8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF8D3A
Part of subcall function 00DF8CC3: GetLastError.KERNEL32 ref: 00DF8D47

_memset.LIBCMT ref: 00DF889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DF88ED
CloseHandle.KERNEL32(?), ref: 00DF88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DF8915
GetProcessWindowStation.USER32 ref: 00DF892E
SetProcessWindowStation.USER32(00000000), ref: 00DF8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DF8952

Part of subcall function 00DF8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DF8851), ref: 00DF8728
Part of subcall function 00DF8713: CloseHandle.KERNEL32(?,?,00DF8851), ref: 00DF873A

Strings

, xrefs: 00DF88AA
winsta0, xrefs: 00DF8910
default, xrefs: 00DF894D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d4bbe1ffdedb84b7fdfead5baa75e1200d397ae6c17d5e1be11a8f6405d61564
Instruction ID: 38fa3ce25283a3376b43dea3ea8a8c29223e46adc54dd3c2a93c5f10ed444787
Opcode Fuzzy Hash: d4bbe1ffdedb84b7fdfead5baa75e1200d397ae6c17d5e1be11a8f6405d61564
Instruction Fuzzy Hash: 9B81297190024DAFDF21DFA4DC45AFE7BB8EF04305F09816AFA10B6161DB318A15AB71

Function 00E1425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E2F910), ref: 00E14284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E14292
GetClipboardData.USER32(0000000D), ref: 00E1429A
CloseClipboard.USER32 ref: 00E142A6
GlobalLock.KERNEL32(00000000), ref: 00E142C2
CloseClipboard.USER32 ref: 00E142CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E142E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00E142EE
GetClipboardData.USER32(00000001), ref: 00E142F6
GlobalLock.KERNEL32(00000000), ref: 00E14303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E14337
CloseClipboard.USER32 ref: 00E14447

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 3b2b5218d1b0dc12f08d636866aad85e1a213382b54e20de67096e3d208fb02c
Instruction ID: c40b3f8923d441042e16d51588bd201fda28cf770248e4ed3b40cf9afa1975be
Opcode Fuzzy Hash: 3b2b5218d1b0dc12f08d636866aad85e1a213382b54e20de67096e3d208fb02c
Instruction Fuzzy Hash: F1519E71204205AFD320AB61EC95FAE77B8EB84B00F104539F556E22F1DB70D94A8B72

Function 00E0C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E0C9F8
FindClose.KERNEL32(00000000), ref: 00E0CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E0CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E0CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E0CAAF
__swprintf.LIBCMT ref: 00E0CAFB
__swprintf.LIBCMT ref: 00E0CB3E

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

__swprintf.LIBCMT ref: 00E0CB92

Part of subcall function 00DC38D8: __woutput_l.LIBCMT ref: 00DC3931

__swprintf.LIBCMT ref: 00E0CBE0

Part of subcall function 00DC38D8: __flsbuf.LIBCMT ref: 00DC3953
Part of subcall function 00DC38D8: __flsbuf.LIBCMT ref: 00DC396B

__swprintf.LIBCMT ref: 00E0CC2F
__swprintf.LIBCMT ref: 00E0CC7E
__swprintf.LIBCMT ref: 00E0CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00E0CAF5
%4d, xrefs: 00E0CB38
%02d, xrefs: 00E0CB86, 00E0CB90, 00E0CBDE, 00E0CC2D, 00E0CC7C, 00E0CCCB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6afd34c20312301057af45e3d20b0c14ea779604041f2874f89485b7938f590e
Instruction ID: 52531faa26ca779c302d9dd03f2e495cf1ee74c04e468387857555025f5ee119
Opcode Fuzzy Hash: 6afd34c20312301057af45e3d20b0c14ea779604041f2874f89485b7938f590e
Instruction Fuzzy Hash: 30A13CB2508305ABC710EB64C896DAFB7ECEF95700F40492DF586D7191EA34EA49CB72

Function 00E0F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E0F221
_wcscmp.LIBCMT ref: 00E0F236
_wcscmp.LIBCMT ref: 00E0F24D
GetFileAttributesW.KERNEL32(?), ref: 00E0F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00E0F279
FindNextFileW.KERNEL32(00000000,?), ref: 00E0F291
FindClose.KERNEL32(00000000), ref: 00E0F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00E0F2B8
_wcscmp.LIBCMT ref: 00E0F2DF
_wcscmp.LIBCMT ref: 00E0F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0F308
SetCurrentDirectoryW.KERNEL32(00E5A5A0), ref: 00E0F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E0F330
FindClose.KERNEL32(00000000), ref: 00E0F33D
FindClose.KERNEL32(00000000), ref: 00E0F34F

Strings

*.*, xrefs: 00E0F2B3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 931df7274167e616107182218f458f8b4820b2963cadcdba5d7463f9315c0aac
Instruction ID: 109dfd5ec62fcb8c8ee83005e1726faf8a474c48a0b1b10fff720d52a70d787a
Opcode Fuzzy Hash: 931df7274167e616107182218f458f8b4820b2963cadcdba5d7463f9315c0aac
Instruction Fuzzy Hash: 2D31B176500219AFDB30DBB4EC58EDE73ACAF09365F145275E800F30E0EB34DA998A60

Function 00E20AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E20BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E2F910,00000000,?,00000000,?,?), ref: 00E20C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E20C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E20D1D
RegCloseKey.ADVAPI32(?), ref: 00E2103D
RegCloseKey.ADVAPI32(00000000), ref: 00E2104A

Strings

REG_BINARY, xrefs: 00E20FD8
REG_MULTI_SZ, xrefs: 00E20E05
REG_DWORD, xrefs: 00E20F0E
REG_QWORD, xrefs: 00E20F8B
REG_SZ, xrefs: 00E20D5B
REG_EXPAND_SZ, xrefs: 00E20CBA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3e2764c0aa70d3ae01edbf6f2dcd19d1aab06906231adedbba9c397ae2f61213
Instruction ID: bc8abea6bbcf99dfb296ae15087a31e7f61386c4a2fd8aa30257aa56e790dccd
Opcode Fuzzy Hash: 3e2764c0aa70d3ae01edbf6f2dcd19d1aab06906231adedbba9c397ae2f61213
Instruction Fuzzy Hash: C6025D752006119FCB14DF24D891E2AB7E5FF89714F04985DF88AAB3A2DB30ED45CBA1

Function 00E0F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E0F37E
_wcscmp.LIBCMT ref: 00E0F393
_wcscmp.LIBCMT ref: 00E0F3AA

Part of subcall function 00E045C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E045DC

FindNextFileW.KERNEL32(00000000,?), ref: 00E0F3D9
FindClose.KERNEL32(00000000), ref: 00E0F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00E0F400
_wcscmp.LIBCMT ref: 00E0F427
_wcscmp.LIBCMT ref: 00E0F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0F450
SetCurrentDirectoryW.KERNEL32(00E5A5A0), ref: 00E0F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E0F478
FindClose.KERNEL32(00000000), ref: 00E0F485
FindClose.KERNEL32(00000000), ref: 00E0F497

Strings

*.*, xrefs: 00E0F3FB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 13df4cf70ffd24ad2bf8921c79d135b2e9a36e1d529621835d3ae2845c3b4bba
Instruction ID: 1aa80c0eb2ee250eb0880a658fafb60bd39c01faedc6e06bd0dbcb7bb7a1b563
Opcode Fuzzy Hash: 13df4cf70ffd24ad2bf8921c79d135b2e9a36e1d529621835d3ae2845c3b4bba
Instruction Fuzzy Hash: 6231D3725012196FCB30AF64EC88EDE77AC9F49325F145275EC50B34E0EB74DA99CA60

Function 00DF81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF8766
Part of subcall function 00DF874A: GetLastError.KERNEL32(?,00DF822A,?,?,?), ref: 00DF8770
Part of subcall function 00DF874A: GetProcessHeap.KERNEL32(00000008,?,?,00DF822A,?,?,?), ref: 00DF877F
Part of subcall function 00DF874A: HeapAlloc.KERNEL32(00000000,?,00DF822A,?,?,?), ref: 00DF8786
Part of subcall function 00DF874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF879D

Part of subcall function 00DF87E7: GetProcessHeap.KERNEL32(00000008,00DF8240,00000000,00000000,?,00DF8240,?), ref: 00DF87F3
Part of subcall function 00DF87E7: HeapAlloc.KERNEL32(00000000,?,00DF8240,?), ref: 00DF87FA
Part of subcall function 00DF87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DF8240,?), ref: 00DF880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DF825B
_memset.LIBCMT ref: 00DF8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DF828F
GetLengthSid.ADVAPI32(?), ref: 00DF82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00DF82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DF82F9
GetLengthSid.ADVAPI32(?), ref: 00DF8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DF8325
HeapAlloc.KERNEL32(00000000), ref: 00DF832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DF834D
CopySid.ADVAPI32(00000000), ref: 00DF8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DF8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DF83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DF83BF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5aafedacf34bee7f001cb7b3f9bbab273de5cf08c093c197b24d04cc4d98e92e
Instruction ID: 876325edd0853902f9f1699a8058c18567a60349dfbb8b3a4f330318bebe4e35
Opcode Fuzzy Hash: 5aafedacf34bee7f001cb7b3f9bbab273de5cf08c093c197b24d04cc4d98e92e
Instruction Fuzzy Hash: FE616771900219AFCF109FA5DC84EFEBBB9FF04700F048129EA15E72A1DB319A05DB62

Function 00DB6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00DF1771
LIMIT_RECURSION=, xrefs: 00DF1635
UCP), xrefs: 00DF1546
NO_START_OPT), xrefs: 00DF1588
NO_AUTO_POSSESS), xrefs: 00DF1567
CR), xrefs: 00DF16C0
LF), xrefs: 00DF16DD
LIMIT_MATCH=, xrefs: 00DF15A9
ANYCRLF), xrefs: 00DF1734
UTF16), xrefs: 00DF1508
CRLF), xrefs: 00DF16FA
UTF), xrefs: 00DF1533
BSR_ANYCRLF), xrefs: 00DF1757
PJ, xrefs: 00DB68B3
ANY), xrefs: 00DF1717

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1624373025
Opcode ID: 7bb0dcbdf314b5390f0022637b08fb79884d0db46d997be4b95c8540f129f0a2
Instruction ID: c80d42c27d3f87e3c2e0d739e6c5539208a0662fe4908f1809e680791e7c74cf
Opcode Fuzzy Hash: 7bb0dcbdf314b5390f0022637b08fb79884d0db46d997be4b95c8540f129f0a2
Instruction Fuzzy Hash: D0726E75E00219DBDB14CF59C8807FEB7B5EF48310F19816AE94AEB290DB74D981CBA0

Function 00E20665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E20038,?,?), ref: 00E210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E20737

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E207D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E2086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E20AAD
RegCloseKey.ADVAPI32(00000000), ref: 00E20ABA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 686f04269789612c89117ca532020cc753e86d7648c8f1b58e26e367519bb5dc
Instruction ID: 63a8126d18a88d9573cadf6ad94e491e8d0b19aa5114c568cc5645c030da5a24
Opcode Fuzzy Hash: 686f04269789612c89117ca532020cc753e86d7648c8f1b58e26e367519bb5dc
Instruction Fuzzy Hash: E7E14C71204310AFCB14DF25D895E6BBBF4FF89714B04956DF84AEB2A2DA30E905CB61

Function 00E00219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E00241
GetAsyncKeyState.USER32(000000A0), ref: 00E002C2
GetKeyState.USER32(000000A0), ref: 00E002DD
GetAsyncKeyState.USER32(000000A1), ref: 00E002F7
GetKeyState.USER32(000000A1), ref: 00E0030C
GetAsyncKeyState.USER32(00000011), ref: 00E00324
GetKeyState.USER32(00000011), ref: 00E00336
GetAsyncKeyState.USER32(00000012), ref: 00E0034E
GetKeyState.USER32(00000012), ref: 00E00360
GetAsyncKeyState.USER32(0000005B), ref: 00E00378
GetKeyState.USER32(0000005B), ref: 00E0038A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 269a72f65c4b26586d44c325ebd0addf6c52087e37295ff88b24e9afd0beef63
Instruction ID: ba3b4d423962c5ff0453766280430dabb4158ea23b15638a2794ae42b6f355e9
Opcode Fuzzy Hash: 269a72f65c4b26586d44c325ebd0addf6c52087e37295ff88b24e9afd0beef63
Instruction Fuzzy Hash: D3419B345447CA6FFF329A6488083B5BFA06F12348F0851ADD5C6761C3EBA85DC887A2

Function 00E186D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

CoInitialize.OLE32 ref: 00E18718
CoUninitialize.OLE32 ref: 00E18723
CoCreateInstance.OLE32(?,00000000,00000017,00E32BEC,?), ref: 00E18783
IIDFromString.OLE32(?,?), ref: 00E187F6
VariantInit.OLEAUT32(?), ref: 00E18890
VariantClear.OLEAUT32(?), ref: 00E188F1

Strings

Failed to create object, xrefs: 00E1878E, 00E18844
Invalid parameter, xrefs: 00E1880F
NULL Pointer assignment, xrefs: 00E187C8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 48bbdd81a70c2dfbc5ecd5e1c286b50f0b5f7ac7dcb534d7f0e0060bd62336a9
Instruction ID: 510fe4aea94a8114ad900668b9a41957821ce81125851fe2b75c1e77e947a22d
Opcode Fuzzy Hash: 48bbdd81a70c2dfbc5ecd5e1c286b50f0b5f7ac7dcb534d7f0e0060bd62336a9
Instruction Fuzzy Hash: 3861AF706083019FD714DF24CA48BAABBE4EF45714F54591EF985AB291CB70ED88CBA2

Function 00E14458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E1447F
EmptyClipboard.USER32 ref: 00E14485
GlobalAlloc.KERNEL32(00000002,?), ref: 00E1449A
CloseClipboard.USER32 ref: 00E14539

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c98f7fe2a41c862c5f6b80ea3d986a84fcad280b30b8dd94e91e3c62b5a72b74
Instruction ID: ef212151e7bb440b60dc4a2f06aeeebe3e7f807478fb1867497d7b3646c766fa
Opcode Fuzzy Hash: c98f7fe2a41c862c5f6b80ea3d986a84fcad280b30b8dd94e91e3c62b5a72b74
Instruction Fuzzy Hash: CA21A3753002109FDB209F21EC19FAA77B8EF04714F10802AF946EB2B1DB74AC01CBA5

Function 00E03A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DA48A1,?,?,00DA37C0,?), ref: 00DA48CE

Part of subcall function 00E04CD3: GetFileAttributesW.KERNEL32(?,00E03947), ref: 00E04CD4

FindFirstFileW.KERNEL32(?,?), ref: 00E03ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E03B87
MoveFileW.KERNEL32(?,?), ref: 00E03B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E03BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E03BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E03BF5

Strings

\*.*, xrefs: 00E03A8A, 00E03A93, 00E03AA8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 3b37d12cbca6928a1b340b606e4b429ac4e4c7a324a7ad1a0e613531bdff813a
Instruction ID: 1fdaca6ee56b95ee8addac1a0d4a81bbbcae85b2fc6d181542c661b10c8d69a8
Opcode Fuzzy Hash: 3b37d12cbca6928a1b340b606e4b429ac4e4c7a324a7ad1a0e613531bdff813a
Instruction Fuzzy Hash: 6D516C31901249AECF15EBA0DE929EDB7B9AF15304F6451A9E442770D2EF306F49CBB0

Function 00E0F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E0F6AB
Sleep.KERNEL32(0000000A), ref: 00E0F6DB
_wcscmp.LIBCMT ref: 00E0F6EF
_wcscmp.LIBCMT ref: 00E0F70A
FindNextFileW.KERNEL32(?,?), ref: 00E0F7A8
FindClose.KERNEL32(00000000), ref: 00E0F7BE

Strings

*.*, xrefs: 00E0F690

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 67175a9ef44472ace43ce16e5a03a888938c6240387aade43e720ebcae66b67b
Instruction ID: f30b42f18cfa8e9749b7bc89697d483d60249e392829f7a65c8cb5bd8149a5f8
Opcode Fuzzy Hash: 67175a9ef44472ace43ce16e5a03a888938c6240387aade43e720ebcae66b67b
Instruction Fuzzy Hash: B7418E7190020A9FCF21DF64CC85AEEBBB4FF05314F184566E814B32A0EB309E94CBA1

Function 00DB4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00DB4520
VUUU, xrefs: 00DB44ED
ERCP, xrefs: 00DB421F
VUUU, xrefs: 00DB44DB
VUUU, xrefs: 00DE7B0C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: b95c48cb7d62803eb8ca619ddbc6a5b9ec1c0ee1df4b5947ec0880033c483aa2
Instruction ID: 3ce6a01d4a69034f81c4223ef8c71f0775d5524da5aa554732951b36bfc4a839
Opcode Fuzzy Hash: b95c48cb7d62803eb8ca619ddbc6a5b9ec1c0ee1df4b5947ec0880033c483aa2
Instruction Fuzzy Hash: 34A2B074E0425ACBDF24DF59C9807EDB7B1BF55314F1881AAD84AA7281DB309E81DFA0

Function 00DB58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DB5A05
_memmove.LIBCMT ref: 00DB5A55
_memmove.LIBCMT ref: 00DB5ABB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 96914e21bf8fc990d26df89d1b99d0d2927fb996d0a2ba40a0835d16a036de7b
Instruction ID: 4ca1b0a7c275847f959c2b9479f314005b6fa8c90b27fb5982d3ba4cd5069953
Opcode Fuzzy Hash: 96914e21bf8fc990d26df89d1b99d0d2927fb996d0a2ba40a0835d16a036de7b
Instruction Fuzzy Hash: 66129A70A00609DFDF04DFA5E981AEEB7F5FF48300F148669E846A7255EB35A911CB70

Function 00E03D4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DA48A1,?,?,00DA37C0,?), ref: 00DA48CE

Part of subcall function 00E04CD3: GetFileAttributesW.KERNEL32(?,00E03947), ref: 00E04CD4

FindFirstFileW.KERNEL32(?,?), ref: 00E03DC5
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E03E15
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E03E26
FindClose.KERNEL32(00000000), ref: 00E03E3D
FindClose.KERNEL32(00000000), ref: 00E03E46

Strings

\*.*, xrefs: 00E03D97

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: db920eafdad9f37d071cb92b1787cb03d5103fcacd0b74b4c49553269d844af2
Instruction ID: c619f0de413e0f37f4df5075f7d61eabc1513904c3cf7d15fea00963d278548a
Opcode Fuzzy Hash: db920eafdad9f37d071cb92b1787cb03d5103fcacd0b74b4c49553269d844af2
Instruction Fuzzy Hash: 96312B31009385ABC211EB64DC958AFB7E8AF96704F445E2DF4D5A21D1EB209A0EC7B2

Function 00E0545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF8D0D
Part of subcall function 00DF8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF8D3A
Part of subcall function 00DF8CC3: GetLastError.KERNEL32 ref: 00DF8D47

ExitWindowsEx.USER32(?,00000000), ref: 00E0549B

Strings

SeShutdownPrivilege, xrefs: 00E0546B
, xrefs: 00E05489
@, xrefs: 00E0548E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54d21ce128acefb4b7131487d29e8791cd1c2641037feb4f8937650bd7e2b30c
Instruction ID: 445b4c55f71ed526dbd9bb978601915740cbfde030cd5219469096748c829242
Opcode Fuzzy Hash: 54d21ce128acefb4b7131487d29e8791cd1c2641037feb4f8937650bd7e2b30c
Instruction Fuzzy Hash: 6D012433654A156EE7386674AC4AFFB7268EB05343F242531FD27F20D2DAA00CC089A0

Function 00E16596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E165EF
WSAGetLastError.WSOCK32(00000000), ref: 00E165FE
bind.WSOCK32(00000000,?,00000010), ref: 00E1661A
listen.WSOCK32(00000000,00000005), ref: 00E16629
WSAGetLastError.WSOCK32(00000000), ref: 00E16643
closesocket.WSOCK32(00000000,00000000), ref: 00E16657

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: c59b6ccb54ce9323ea1b38291e80d1f32c028be748805e5674e24c3399b502d3
Instruction ID: 3444d01e691e8cc164265295e225260cca48c5118eb57cc45b6a18649e6beb5b
Opcode Fuzzy Hash: c59b6ccb54ce9323ea1b38291e80d1f32c028be748805e5674e24c3399b502d3
Instruction Fuzzy Hash: CD219E312006049FCB14EF24C945AAEB7B9EF49724F14816AF956B72E1CB70AD458B61

Function 00DB5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00DC0FF6: std::exception::exception.LIBCMT ref: 00DC102C
Part of subcall function 00DC0FF6: __CxxThrowException@8.LIBCMT ref: 00DC1041

_memmove.LIBCMT ref: 00DF062F
_memmove.LIBCMT ref: 00DF0744
_memmove.LIBCMT ref: 00DF07EB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 47ffbf2cd29b716db05fbf42588670a5f107097d4eec06e7ff1064ed1662f98b
Instruction ID: 877aae534a8d67831aeaa70534d314eabaeebc913d4459b64b9677d2da62d5e0
Opcode Fuzzy Hash: 47ffbf2cd29b716db05fbf42588670a5f107097d4eec06e7ff1064ed1662f98b
Instruction Fuzzy Hash: 6A027FB0E00209DBDF04DF64D981ABEBBB5EF44300F1580A9E946DB256EB31D955CBB1

Function 00DA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00DA19FA
GetSysColor.USER32(0000000F), ref: 00DA1A4E
SetBkColor.GDI32(?,00000000), ref: 00DA1A61

Part of subcall function 00DA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00DA12D8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 75d868a41a243dee581aa483c9e0c63aa89e8c3cb2c6cb9269025aa1ef1727cc
Instruction ID: 4f5e128ce227ea1ab8c5f40369e7dbb306d78768fb4b0638347b2c85d6ef12b7
Opcode Fuzzy Hash: 75d868a41a243dee581aa483c9e0c63aa89e8c3cb2c6cb9269025aa1ef1727cc
Instruction Fuzzy Hash: E4A19979116555FED638AB39AC45EBF359CEB43395F2D011BF042E6292CE20DC02C2B2

Function 00E16A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E180CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E16AB1
WSAGetLastError.WSOCK32(00000000), ref: 00E16ADA
bind.WSOCK32(00000000,?,00000010), ref: 00E16B13
WSAGetLastError.WSOCK32(00000000), ref: 00E16B20
closesocket.WSOCK32(00000000,00000000), ref: 00E16B34

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b025a47617e33dbdef6a9744a421ca72732f8f3e39369f929ab4ce9575db5b83
Instruction ID: f9206ad2811ec1937af1e0cb088a21ddfea61e1a4ea14514afe7080ba347e1bd
Opcode Fuzzy Hash: b025a47617e33dbdef6a9744a421ca72732f8f3e39369f929ab4ce9575db5b83
Instruction Fuzzy Hash: 5C41D475B00214AFEB10AF24DC96F6EB7A8DF09710F04845DF91AAB3D2DA709D018BB1

Function 00E255FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E2564C
IsWindowEnabled.USER32 ref: 00E2565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00E25667
IsIconic.USER32 ref: 00E25675
IsZoomed.USER32 ref: 00E25683

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 771bd2aafd5f947e1a9ffde7d268cab43b0bc407d1ceadaaa6965c35b6b7c5da
Instruction ID: 1b0838f3cdffde267437229aa7f3bfe569bf68bd74859b82313fa1a04127187d
Opcode Fuzzy Hash: 771bd2aafd5f947e1a9ffde7d268cab43b0bc407d1ceadaaa6965c35b6b7c5da
Instruction Fuzzy Hash: 1B11C432740920AFE7211F26ED44B6FB7A9FF45721B454439F806E7251CB70DD028AB5

Function 00DAE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00DE428C
Dt, xrefs: 00DAEC21
Dt, xrefs: 00DE3F58
Dt, xrefs: 00DE3F1F
Dt, xrefs: 00DAEC1A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: 9a37678ed27112791f5188a2eccd10a01e130b3b31abceca0887d92f0f9b90a8
Instruction ID: cb75daa954566aec475598d41126cf0373865bd21a3e6e254a4a69bedeae1cbe
Opcode Fuzzy Hash: 9a37678ed27112791f5188a2eccd10a01e130b3b31abceca0887d92f0f9b90a8
Instruction Fuzzy Hash: 5EA2B174A04205CFCB24DF98C484AAEB7B1FF4A314F288069E956AB351D775ED42CBB1

Function 00E1C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DE1D88,?), ref: 00E1C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E1C324

Strings

kernel32.dll, xrefs: 00E1C30D
GetSystemWow64DirectoryW, xrefs: 00E1C31E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5676ed312dccb3208e49304e21f3443f7da2eee1d354a8fe18b4513915922db5
Instruction ID: c4988edc203d0963fafc8cbb1eb2eae13b9d3ca20546cdd70285342103dbcb00
Opcode Fuzzy Hash: 5676ed312dccb3208e49304e21f3443f7da2eee1d354a8fe18b4513915922db5
Instruction Fuzzy Hash: FCE01274641713DFDB304F26D808A8676E4EF08759B90E47AE8A5F2250E770D896CB60

Function 00DB3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 599d5be8c3aee9f0eccb5e3648260ad09577d4ccaec8daa6430dff46313b9091
Instruction ID: a4c6099d9b61a2a7f7cc6e8bf2a4350f869cdfb5652c1dd0cc5a4cb51f88055b
Opcode Fuzzy Hash: 599d5be8c3aee9f0eccb5e3648260ad09577d4ccaec8daa6430dff46313b9091
Instruction Fuzzy Hash: 2B227871608341DFC724EF24C891BAAB7E4EF85704F14492DF99A97291DB70EA04DBB2

Function 00E1F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E1F151
Process32FirstW.KERNEL32(00000000,?), ref: 00E1F15F

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Process32NextW.KERNEL32(00000000,?), ref: 00E1F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E1F22E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 374898830aa2e1e22d29def3f1749b512f70a853d30e191dd2a55a2eaa18a43a
Instruction ID: 1a4555f624b0d13ebda495f2056b0a24260df6849dcbdace6df47888a9938441
Opcode Fuzzy Hash: 374898830aa2e1e22d29def3f1749b512f70a853d30e191dd2a55a2eaa18a43a
Instruction Fuzzy Hash: 5C515E71504300AFD310EF24DC85EABB7E8FF95710F54492DF595972A2EB70AA09CBA2

Function 00E040B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E040D1
_memset.LIBCMT ref: 00E040F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E04144
CloseHandle.KERNEL32(00000000), ref: 00E0414D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 5920189c26fa2ab60ff3d8c192e07f32cd1a532cd6c722473c32deb4fc6acb46
Instruction ID: 8df762af5d7250aa272400c1ade2f923c4b32289fb9774395457711c3ddc2e12
Opcode Fuzzy Hash: 5920189c26fa2ab60ff3d8c192e07f32cd1a532cd6c722473c32deb4fc6acb46
Instruction Fuzzy Hash: 4A11EBB59012287AD7309BA59C4DFEBBB7CEF44764F1041AAF908F71C0D6744E848BA4

Function 00DFEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DFEB19

Strings

|, xrefs: 00DFEB49
(, xrefs: 00DFEB5F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4a260aeaf72265fbb5481365e489f4fe33ef3aac765280d8dc63c5adadcdf935
Instruction ID: 8dc87856f94bd1ce028131f4e5223aac6922915b7214eb38c743ad96fa975b57
Opcode Fuzzy Hash: 4a260aeaf72265fbb5481365e489f4fe33ef3aac765280d8dc63c5adadcdf935
Instruction Fuzzy Hash: 2F322575A007059FD728CF19C481A6AB7F1FF48310B16C56EE99ADB3A1EB70E981CB50

Function 00E125E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E126D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E1270C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4b16dfa752fa59e9b1d90a790225a79b8f08f131da47de04bb4cfaac74f4bb2b
Instruction ID: a7c290dbdc23bb19e94a3e54dd45bac9da89c29d01e811e942a3577904645ed9
Opcode Fuzzy Hash: 4b16dfa752fa59e9b1d90a790225a79b8f08f131da47de04bb4cfaac74f4bb2b
Instruction Fuzzy Hash: A841C371900209BFEB20DA95DC85EFBB7BCEB40718F10506EFB01B6180EA719EE19664

Function 00E0B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E0B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E0B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E0B655

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2f336ba2b8e1ce2b47f96435138543b85089a401fa960173594e68323ace0833
Instruction ID: 20ae0dd15407420de3a8a04297ea6e1384665370154be27c244495032a184474
Opcode Fuzzy Hash: 2f336ba2b8e1ce2b47f96435138543b85089a401fa960173594e68323ace0833
Instruction Fuzzy Hash: A1216075A00518EFCB00EF65D881AADFBB8FF49310F1480A9E905AB361DB31A956CB61

Function 00DF8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DC0FF6: std::exception::exception.LIBCMT ref: 00DC102C
Part of subcall function 00DC0FF6: __CxxThrowException@8.LIBCMT ref: 00DC1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF8D3A
GetLastError.KERNEL32 ref: 00DF8D47

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 23c7deef3dbcebad48b53c2a9f4e39afa4c40f36815ee84c689ed55bd203e837
Instruction ID: 5b8c0b977575bfec25fa7b3e6d59938bbb7f04e022e6f41d8d49beb20afa6dc9
Opcode Fuzzy Hash: 23c7deef3dbcebad48b53c2a9f4e39afa4c40f36815ee84c689ed55bd203e837
Instruction Fuzzy Hash: B5116DB1414209AFD7289F54DC85D6BB7FCEF44710B25852EF85693241EF30A8418A70

Function 00E04C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E04C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E04C43
FreeSid.ADVAPI32(?), ref: 00E04C53

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1ce1485bf496a7ebc5bcdbc48f91354ef100a9752d57da5e7f56849cfbf93ff2
Instruction ID: 5f5909c3d16103c827008398ef75e5865476525b5d37c1e1c5edcfcf02c3c43d
Opcode Fuzzy Hash: 1ce1485bf496a7ebc5bcdbc48f91354ef100a9752d57da5e7f56849cfbf93ff2
Instruction Fuzzy Hash: 96F03C75911308BFDB04DFE09D89EADB7B8EB08201F004469E501E2181D6705A448B50

Function 00E04696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00DDE7C1), ref: 00E046A6
FindFirstFileW.KERNEL32(?,?), ref: 00E046B7
FindClose.KERNEL32(00000000), ref: 00E046C7

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 031894f6c3bec1fa557202deae3e51520d518383e90c5cf72168ad9720214354
Instruction ID: 7bc1958ead47062887c88f5c3a49be43c20d71a350692d5b38e7f6ff2ead16a0
Opcode Fuzzy Hash: 031894f6c3bec1fa557202deae3e51520d518383e90c5cf72168ad9720214354
Instruction Fuzzy Hash: A7E0D8B28104009F8220A738FD4D8EA776C9F17335F100725F975E10F0F7B059948595

Function 00E08B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E08B25

Part of subcall function 00DC543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E091F8,00000000,?,?,?,?,00E093A9,00000000,?), ref: 00DC5443
Part of subcall function 00DC543A: __aulldiv.LIBCMT ref: 00DC5463

Strings

0u, xrefs: 00E08B1C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: 591856db8eae3c687833eda60a7ebd44b3a56ed66f230d0138e83e4d912a136f
Instruction ID: 11234162a23c181c07e4275e921db3218de77fcc134ab32d33909cab93196e61
Opcode Fuzzy Hash: 591856db8eae3c687833eda60a7ebd44b3a56ed66f230d0138e83e4d912a136f
Instruction Fuzzy Hash: 6021E4726356108FC329CF25E441A52B3E1EBA5321B289E6CD0E6DB2D0CA74B949CB94

Function 00DAE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767df49ac9d63ff105b518bb759f6e49200995c1d0bc8567253f9d605b8ace64
Instruction ID: 9449563fd212ecbfd0ac95816196285ef60ade38d61edadc8edd4ca983717df3
Opcode Fuzzy Hash: 767df49ac9d63ff105b518bb759f6e49200995c1d0bc8567253f9d605b8ace64
Instruction Fuzzy Hash: E7229D74A00216CFDB24DF54C494ABEB7F4FF0A300F188569E896AB351E774E985CBA1

Function 00E0C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E0C966
FindClose.KERNEL32(00000000), ref: 00E0C996

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a7103606816c046f2ad6a5c821c7fac064b3d25cb90552bb835acf7ec30648a9
Instruction ID: 59880ab165dcb1aeb3efe39091240f0ffe55000a5619e5d054bf07f98daceaaf
Opcode Fuzzy Hash: a7103606816c046f2ad6a5c821c7fac064b3d25cb90552bb835acf7ec30648a9
Instruction Fuzzy Hash: CE11C8326006009FD710DF29C85592AF7E5FF85324F00851EF9A5D72A1DB30EC05CB91

Function 00E0A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E1977D,?,00E2FB84,?), ref: 00E0A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E1977D,?,00E2FB84,?), ref: 00E0A314

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b761342d44a2a334527ec5754b6048396477e01421b9796178ff8f5720d92feb
Instruction ID: d2c1f34d8048b3ffeea40abb19848317e5560339807a4e615c4e681784171056
Opcode Fuzzy Hash: b761342d44a2a334527ec5754b6048396477e01421b9796178ff8f5720d92feb
Instruction Fuzzy Hash: DDF05E3554522DABDB209EA4CC48FEA776DEF09761F004166F908A6191DA309944CBB1

Function 00DF8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DF8851), ref: 00DF8728
CloseHandle.KERNEL32(?,?,00DF8851), ref: 00DF873A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ff649cb895045a8604a2662cf35655cea02357bb35f2d97e7378dd4eaa98ab2f
Instruction ID: 4ff0c7c8d85707855ae32ed8beaa9b36456e0cbd30461a341c617dc4f8272098
Opcode Fuzzy Hash: ff649cb895045a8604a2662cf35655cea02357bb35f2d97e7378dd4eaa98ab2f
Instruction Fuzzy Hash: 9CE0B676010611EEE7352B61EC09E777BA9EB04751B24883DF99681471DB62AC91EB20

Function 00DCA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DC8F97,?,?,?,00000001), ref: 00DCA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DCA3A3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a77c2c5be1f8501aeaf2e4fbd623c9460b72c25bbec20e481157cbbbd778875c
Instruction ID: f4e5196703f84dbbeadd9ff93849c4bbe074edab2fc277d1b4e5bf9f3bcae39c
Opcode Fuzzy Hash: a77c2c5be1f8501aeaf2e4fbd623c9460b72c25bbec20e481157cbbbd778875c
Instruction Fuzzy Hash: ADB09231054208EFCA106B92EC09B883F78FB44AA2F404030F60D94060CB6254568A91

Function 00DCF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd4395e69c1fd6ad12903eb8b5b5661b4c5cca1798596aa27600a8b5a2d8c0a
Instruction ID: d68dbbf0300cff8b0b35ba34ae33404dad3299c702d6d273a55389c59a7e8b64
Opcode Fuzzy Hash: 2dd4395e69c1fd6ad12903eb8b5b5661b4c5cca1798596aa27600a8b5a2d8c0a
Instruction Fuzzy Hash: 3F325862D29F0A4DD7235635C876335A69AAFB73C4F14D73BF859B69A5EB28C4830100

Function 00DD267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4679146e7c556cc12c0dbe9dbc4b5fe9c08a4960789dcc603c113d1117418ac6
Instruction ID: 58e92d78a310b0b0b577c7a767e183a2188420948b9ac216d3e778cb120cdac5
Opcode Fuzzy Hash: 4679146e7c556cc12c0dbe9dbc4b5fe9c08a4960789dcc603c113d1117418ac6
Instruction Fuzzy Hash: B4B1F020D2AF454DD223963A8835336BA8CAFBB2C5F55D72BFC6670D22EB2285C74141

Function 00E141FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E14218

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3f1393a7013bf625149d109b75bb99d60c9da386dfccb508ca954e25e7cdd4ee
Instruction ID: e95110db0edf26130a5e72663af53d8ba6f790498884946a8bcb1265b59cf78a
Opcode Fuzzy Hash: 3f1393a7013bf625149d109b75bb99d60c9da386dfccb508ca954e25e7cdd4ee
Instruction Fuzzy Hash: FAE048712401145FC710DF59D844A9AF7E8EF55760F008026FC49D7361DA70E881CBB1

Function 00E04EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E04F18

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 7b6dea2a614d8d09e170106ff9ba2d638631f4f7151bbc9f1511d61a3ef307e5
Instruction ID: b92d1c055fac5ebfadcd1a826c3c9ccbf77f105eb564a38f8f17d469d2479aed
Opcode Fuzzy Hash: 7b6dea2a614d8d09e170106ff9ba2d638631f4f7151bbc9f1511d61a3ef307e5
Instruction Fuzzy Hash: FCD05EF03642073CFC284B60AE0FFB60108F340785F8479897301F94D198E56CD1A035

Function 00DF8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00DF88D1), ref: 00DF8CB3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: e13b840651e647c5ec9dafb257fc63777f7fbc4bb89dbe6db6c197274dcb20e4
Instruction ID: cbf5db747e9a6e93c5ed254fbc155770e4f9b51445b5cc4aa9abc077a6504c7e
Opcode Fuzzy Hash: e13b840651e647c5ec9dafb257fc63777f7fbc4bb89dbe6db6c197274dcb20e4
Instruction Fuzzy Hash: 0AD05E3226050EAFEF018EA4DD01EAE3B69EB04B01F408121FE15D50A1C775D835AB60

Function 00DE2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00DE2242

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b668a332513a2b7d6c0b631c4d851f7b40fb90dc72d32a741679684edd3d8a13
Instruction ID: ff02447a81d2480ac3212dfa9d69d119eeca702bf523e11c77d0c244f1c2aa85
Opcode Fuzzy Hash: b668a332513a2b7d6c0b631c4d851f7b40fb90dc72d32a741679684edd3d8a13
Instruction Fuzzy Hash: B3C048F5C00109DBEB15EBA1DA88DEFB7BCAB08304F2040A6E142F2100E7749B488A71

Function 00DCA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DCA36A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d7beded5301d1b8d71a9f87a1e79a84a63fbc12fc4a6027aa0874b86279d6073
Instruction ID: 189d982b38a1115094de461dff23aeaaa34af3acd748be5b7e348605988dc46e
Opcode Fuzzy Hash: d7beded5301d1b8d71a9f87a1e79a84a63fbc12fc4a6027aa0874b86279d6073
Instruction Fuzzy Hash: 26A0113000020CEB8A002B82EC08888BFACEB002A0B008030F80C800228B32A8228A80

Function 00DB8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61246d783e58cc91362cb0d725d5356a9c6e9f924312178d197eadef678b28f9
Instruction ID: 9669cb217405be79e4fa1cfef60495bd1904a0d89c7f1efa2a53fa8aa47866f1
Opcode Fuzzy Hash: 61246d783e58cc91362cb0d725d5356a9c6e9f924312178d197eadef678b28f9
Instruction Fuzzy Hash: 4322597050161ADBCF288F28D4946FD7BA5EB41300F2D846ADA939B295DF30DD81EBB4

Function 00DC2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: effc06800418c74eca8d85c00b6b56f24d17d9af0cae2cf5888272a7be26bd50
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 12C16F362051A30ADF2D86399474A3EBAE15EA27B131E076DE4B3CB5C5EF20D534E630

Function 00DC283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 3c308b1745d201093a3b68ab323245a404c08a31075c44ef8484844f47afb68c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 56C18F372051A309DF2D463A8474A3EBAE15EA37B131E076DE4B2DB5C5EF20D934A630

Function 00DC1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9c7768ad4e9edf6cde8b0553242cbb99a99082c7a5565cc4e45d627b7ffd1ef0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 1AC15E3B2051B309DF2D463A9434A3EBAA15EA37B131E076DE4B3CB5D6EF20D5249630

Function 00E17B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E17B70
DeleteObject.GDI32(00000000), ref: 00E17B82
DestroyWindow.USER32 ref: 00E17B90
GetDesktopWindow.USER32 ref: 00E17BAA
GetWindowRect.USER32(00000000), ref: 00E17BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E17CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E17D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17D4A
GetClientRect.USER32(00000000,?), ref: 00E17D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E17D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17DF8
GlobalFree.KERNEL32(00000000), ref: 00E17E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E32CAC,00000000), ref: 00E17E2B
GlobalFree.KERNEL32(00000000), ref: 00E17E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E17E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E17E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E17EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E1808F

Strings

, xrefs: 00E18015
DISPLAY, xrefs: 00E17EF2
static, xrefs: 00E17D8A, 00E17EE1
AutoIt v3, xrefs: 00E17D42

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8c6a0e96c3a09bbf6ccf1cdd404339b1baa4558f293c21a0c00c450d14679823
Instruction ID: 8841de43aa2b96e9e65fc7d4646912c32a836a501356e245a10fb5736c5e47e3
Opcode Fuzzy Hash: 8c6a0e96c3a09bbf6ccf1cdd404339b1baa4558f293c21a0c00c450d14679823
Instruction Fuzzy Hash: DE029C71A00108EFDB14DF65DD99EAFBBB9FB49710F108168F905AB2A1CB70AD45CB60

Function 00E237F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E2F910), ref: 00E238AF
IsWindowVisible.USER32(?), ref: 00E238D3

Strings

GETLINE, xrefs: 00E23C23
SENDCOMMANDID, xrefs: 00E23C62
HIDEDROPDOWN, xrefs: 00E23988
ISVISIBLE, xrefs: 00E238BF
GETCURRENTLINE, xrefs: 00E23B75
DELSTRING, xrefs: 00E239D1
GETLINECOUNT, xrefs: 00E23B4E
SETCURRENTSELECTION, xrefs: 00E23A3E
GETCURRENTCOL, xrefs: 00E23BB0
UNCHECK, xrefs: 00E23B0B
GETSELECTED, xrefs: 00E23B2B
CURRENTTAB, xrefs: 00E23945
FINDSTRING, xrefs: 00E239FE
SHOWDROPDOWN, xrefs: 00E23968
ISCHECKED, xrefs: 00E23AC1
CHECK, xrefs: 00E23AF5
TABLEFT, xrefs: 00E2390F
ADDSTRING, xrefs: 00E2399E
EDITPASTE, xrefs: 00E23BE7
GETCURRENTSELECTION, xrefs: 00E23A6B
ISENABLED, xrefs: 00E238F3
SELECTSTRING, xrefs: 00E23A8E
TABRIGHT, xrefs: 00E23925

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9413df594d5fa1eb0330c57d73aabb719409f720c0783eb22a896db4dd0737a8
Instruction ID: 64b9efc1e3be92cfd871be4a5f81c0ac0cc1a3bec7e0a5297dd5bdf2efc6ebae
Opcode Fuzzy Hash: 9413df594d5fa1eb0330c57d73aabb719409f720c0783eb22a896db4dd0737a8
Instruction Fuzzy Hash: E0D19330204319DBCB14EF20D452A6ABBA1EF95344F11585CB8867B7A2DB35EE4ACF71

Function 00E2A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E2A89F
GetSysColorBrush.USER32(0000000F), ref: 00E2A8D0
GetSysColor.USER32(0000000F), ref: 00E2A8DC
SetBkColor.GDI32(?,000000FF), ref: 00E2A8F6
SelectObject.GDI32(?,?), ref: 00E2A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00E2A930
GetSysColor.USER32(00000010), ref: 00E2A938
CreateSolidBrush.GDI32(00000000), ref: 00E2A93F
FrameRect.USER32(?,?,00000000), ref: 00E2A94E
DeleteObject.GDI32(00000000), ref: 00E2A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00E2A9A0
FillRect.USER32(?,?,?), ref: 00E2A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00E2A9FD

Part of subcall function 00E2AB60: GetSysColor.USER32(00000012), ref: 00E2AB99
Part of subcall function 00E2AB60: SetTextColor.GDI32(?,?), ref: 00E2AB9D
Part of subcall function 00E2AB60: GetSysColorBrush.USER32(0000000F), ref: 00E2ABB3
Part of subcall function 00E2AB60: GetSysColor.USER32(0000000F), ref: 00E2ABBE
Part of subcall function 00E2AB60: GetSysColor.USER32(00000011), ref: 00E2ABDB
Part of subcall function 00E2AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E2ABE9
Part of subcall function 00E2AB60: SelectObject.GDI32(?,00000000), ref: 00E2ABFA
Part of subcall function 00E2AB60: SetBkColor.GDI32(?,00000000), ref: 00E2AC03
Part of subcall function 00E2AB60: SelectObject.GDI32(?,?), ref: 00E2AC10
Part of subcall function 00E2AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E2AC2F
Part of subcall function 00E2AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E2AC46
Part of subcall function 00E2AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E2AC5B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f96abdcf7a3d37356b4797c003992b563b25916d8b3bc4e37091a98c69a09b5d
Instruction ID: 84e1d964026def92ee5230a438a652c089a4f4439b29aa135bacae98217fa5e8
Opcode Fuzzy Hash: f96abdcf7a3d37356b4797c003992b563b25916d8b3bc4e37091a98c69a09b5d
Instruction Fuzzy Hash: 2EA19F72008311EFD7209F65EC08E6B7BB9FF88325F145A39F962A61A1D734D849CB52

Function 00DA2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00DA2CA2
DeleteObject.GDI32(00000000), ref: 00DA2CE8
DeleteObject.GDI32(00000000), ref: 00DA2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00DA2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00DA2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00DDC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DDC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DDCAED

Part of subcall function 00DA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DA2036,?,00000000,?,?,?,?,00DA16CB,00000000,?), ref: 00DA1B9A

SendMessageW.USER32(?,00001053), ref: 00DDCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DDCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DDCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DDCB62

Strings

0, xrefs: 00DDC981

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 06bb474989c554f642fca2274c8a27d1e7b4ba020a80cd6b91824f1f0e0e550f
Instruction ID: 568816ec34b6840ea703452b74df6576532ce0e2b89e90dae411530dfd0d8972
Opcode Fuzzy Hash: 06bb474989c554f642fca2274c8a27d1e7b4ba020a80cd6b91824f1f0e0e550f
Instruction Fuzzy Hash: 97129C30610202EFDB21CF29C884BA9B7E5FF45311F58557AE885DB662CB31EC46DBA0

Function 00E177BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E177F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E178B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E178EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E17900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E17946
GetClientRect.USER32(00000000,?), ref: 00E17952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E17996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E179A5
GetStockObject.GDI32(00000011), ref: 00E179B5
SelectObject.GDI32(00000000,00000000), ref: 00E179B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E179C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E179D2
DeleteDC.GDI32(00000000), ref: 00E179DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E17A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E17A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E17A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E17A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E17A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E17AAE
GetStockObject.GDI32(00000011), ref: 00E17AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E17AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E17ACE

Strings

DISPLAY, xrefs: 00E1799B
static, xrefs: 00E17990, 00E17AA8
msctls_progress32, xrefs: 00E17A4F
AutoIt v3, xrefs: 00E1793E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9cbe4b7162ed30f01dcd3e4143d81ecc914164c99b24cbb98948b959ec7f4eb1
Instruction ID: 8aa4e24881ac86c03ffa9a1191fb2b4c58b0defc08ed4f0494a9951bcd6df1e7
Opcode Fuzzy Hash: 9cbe4b7162ed30f01dcd3e4143d81ecc914164c99b24cbb98948b959ec7f4eb1
Instruction Fuzzy Hash: 3BA17E71A50215BFEB149BA5DC4AFAFBBB9EB44710F004624FA15B72E0C7B0AD45CB60

Function 00E0AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E0AF89
GetDriveTypeW.KERNEL32(?,00E2FAC0,?,\\.\,00E2F910), ref: 00E0B066
SetErrorMode.KERNEL32(00000000,00E2FAC0,?,\\.\,00E2F910), ref: 00E0B1C4

Strings

PhysicalDrive, xrefs: 00E0B012
\\.\, xrefs: 00E0AFDB
iSCSI, xrefs: 00E0B169
Removable, xrefs: 00E0B0B8
CDROM, xrefs: 00E0B09A
SATA, xrefs: 00E0B177
ATA, xrefs: 00E0B13F
RAID, xrefs: 00E0B162
Network, xrefs: 00E0B0A4
SAS, xrefs: 00E0B170
USB, xrefs: 00E0B15B
FileBackedVirtual, xrefs: 00E0B193
SCSI, xrefs: 00E0B131
1394, xrefs: 00E0B146
RAMDisk, xrefs: 00E0B090
SSA, xrefs: 00E0B14D
Unknown, xrefs: 00E0B086, 00E0B12A
Fixed, xrefs: 00E0B0AE
Virtual, xrefs: 00E0B18C
Fibre, xrefs: 00E0B154
SSD, xrefs: 00E0B0F1
MMC, xrefs: 00E0B185
ATAPI, xrefs: 00E0B138

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 639c812db3e816dd960cbb8259b85bb0985a0fcb6227bc800083eb6db997930d
Instruction ID: 0ad076ca2e8a8108019314014cda11e54cc1fcf72d163126de23a628dc08dba4
Opcode Fuzzy Hash: 639c812db3e816dd960cbb8259b85bb0985a0fcb6227bc800083eb6db997930d
Instruction Fuzzy Hash: 7451B330681305EBCB00DB10C9A2DBD77B0FF1A746B286526F80AB72D1D7759D85DB62

Function 00DA6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DA6A91
__wcsnicmp.LIBCMT ref: 00DA6AA9
__wcsnicmp.LIBCMT ref: 00DA6AC1
__wcsnicmp.LIBCMT ref: 00DA6AD9
__wcsnicmp.LIBCMT ref: 00DA6AF1
__wcsnicmp.LIBCMT ref: 00DA6B09
__wcsnicmp.LIBCMT ref: 00DA6B21
__wcsnicmp.LIBCMT ref: 00DA6B35
__wcsnicmp.LIBCMT ref: 00DA6B76
__wcsnicmp.LIBCMT ref: 00DA6B8A
__wcsnicmp.LIBCMT ref: 00DA6B9E
__wcsnicmp.LIBCMT ref: 00DA6BB2

Strings

Cannot parse #include, xrefs: 00DDE819
#comments-end, xrefs: 00DA6B98
#requireadmin, xrefs: 00DA6ABB
#comments-start, xrefs: 00DA6B1B, 00DA6B70
#ce, xrefs: 00DA6BAC
#include-once, xrefs: 00DA6AEB
#OnAutoItStartRegister, xrefs: 00DA6AD3
#cs, xrefs: 00DA6B2F, 00DA6B84
#pragma compile, xrefs: 00DA6A8B
#include, xrefs: 00DA6B03
#notrayicon, xrefs: 00DA6AA3
Bad directive syntax error, xrefs: 00DDE743
Unterminated group of comments, xrefs: 00DDE82C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 61a955d37076db13e540002ac675e0be594d9219085b2b1390cb5e0d0aa48294
Instruction ID: b38fba0a825ea37b32281055a6d82ebaaa077faa0d1bb35d93b0764551258428
Opcode Fuzzy Hash: 61a955d37076db13e540002ac675e0be594d9219085b2b1390cb5e0d0aa48294
Instruction Fuzzy Hash: 7981D871640356FACB21BB60DD83FAE7769EF16700F0C8029FD46AB182EB60DA55D271

Function 00E2AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E2AB99
SetTextColor.GDI32(?,?), ref: 00E2AB9D
GetSysColorBrush.USER32(0000000F), ref: 00E2ABB3
GetSysColor.USER32(0000000F), ref: 00E2ABBE
CreateSolidBrush.GDI32(?), ref: 00E2ABC3
GetSysColor.USER32(00000011), ref: 00E2ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E2ABE9
SelectObject.GDI32(?,00000000), ref: 00E2ABFA
SetBkColor.GDI32(?,00000000), ref: 00E2AC03
SelectObject.GDI32(?,?), ref: 00E2AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00E2AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E2AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00E2AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E2ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E2ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00E2ACEC
DrawFocusRect.USER32(?,?), ref: 00E2ACF7
GetSysColor.USER32(00000011), ref: 00E2AD05
SetTextColor.GDI32(?,00000000), ref: 00E2AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E2AD21
SelectObject.GDI32(?,00E2A869), ref: 00E2AD38
DeleteObject.GDI32(?), ref: 00E2AD43
SelectObject.GDI32(?,?), ref: 00E2AD49
DeleteObject.GDI32(?), ref: 00E2AD4E
SetTextColor.GDI32(?,?), ref: 00E2AD54
SetBkColor.GDI32(?,?), ref: 00E2AD5E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 41b4073ce2ebd13daea9055a484b9b7f58939d20fd12c2cd88eaf4db25f1ae01
Instruction ID: 559a6ec749435e067574b311f65e478090dbc3f3edae6b8d4e977f99b45741c9
Opcode Fuzzy Hash: 41b4073ce2ebd13daea9055a484b9b7f58939d20fd12c2cd88eaf4db25f1ae01
Instruction Fuzzy Hash: AF618C71900218EFDF219FA5DC48EAEBB79FB08320F144135F911BB2A1D6719D41CB90

Function 00E28C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E28D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E28D45
CharNextW.USER32(0000014E), ref: 00E28D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E28DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E28DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E28DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E28DF9
SetWindowTextW.USER32(?,0000014E), ref: 00E28E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E28E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E28E8C
_memset.LIBCMT ref: 00E28EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E28EFA
_memset.LIBCMT ref: 00E28F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E28F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E28FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00E29088
InvalidateRect.USER32(?,00000000,00000001), ref: 00E290AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E290F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E29121
DrawMenuBar.USER32(?), ref: 00E29130
SetWindowTextW.USER32(?,0000014E), ref: 00E29158

Strings

0, xrefs: 00E290C2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: bed4d4f21ab8a08cf3405ba36e843f58ccd10b85722755f0d3cc3cb88ff52879
Instruction ID: 60cd5a9f9396b5ac859b290d1da0696e86326dd9d3d6f67ba974b2b515fb6586
Opcode Fuzzy Hash: bed4d4f21ab8a08cf3405ba36e843f58ccd10b85722755f0d3cc3cb88ff52879
Instruction Fuzzy Hash: B9E1B370901229AFDF209F51DC84EEE7BB9EF05714F00916AF915BB291DB708A85DF60

Function 00E24B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E24C51
GetDesktopWindow.USER32 ref: 00E24C66
GetWindowRect.USER32(00000000), ref: 00E24C6D
GetWindowLongW.USER32(?,000000F0), ref: 00E24CCF
DestroyWindow.USER32(?), ref: 00E24CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E24D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E24D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E24D68
SendMessageW.USER32(?,00000421,?,?), ref: 00E24D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E24D90
IsWindowVisible.USER32(?), ref: 00E24DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E24DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E24DDF
GetWindowRect.USER32(?,?), ref: 00E24DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00E24E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00E24E37
CopyRect.USER32(?,?), ref: 00E24E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00E24EB9

Strings

(, xrefs: 00E24E2A
tooltips_class32, xrefs: 00E24D1D
0, xrefs: 00E24BFC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 25478bb10ce56a98f3519a19e86d0ed0feb6f1e106b4fceae2d727b6a6af31e4
Instruction ID: 2d9645e9c4e9f6e99d3d1bd4eb50e4a51eac0955a1b463e408e90412fff7f4bd
Opcode Fuzzy Hash: 25478bb10ce56a98f3519a19e86d0ed0feb6f1e106b4fceae2d727b6a6af31e4
Instruction Fuzzy Hash: F6B18BB1604350AFDB14DF25D845B6ABBE4FF89714F00892CF599AB2A1D770EC05CBA1

Function 00DA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DA28BC
GetSystemMetrics.USER32(00000007), ref: 00DA28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DA28EF
GetSystemMetrics.USER32(00000008), ref: 00DA28F7
GetSystemMetrics.USER32(00000004), ref: 00DA291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DA2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DA2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DA297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DA2990
GetClientRect.USER32(00000000,000000FF), ref: 00DA29AE
GetStockObject.GDI32(00000011), ref: 00DA29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA29D5

Part of subcall function 00DA2344: GetCursorPos.USER32(?), ref: 00DA2357
Part of subcall function 00DA2344: ScreenToClient.USER32(00E667B0,?), ref: 00DA2374
Part of subcall function 00DA2344: GetAsyncKeyState.USER32(00000001), ref: 00DA2399
Part of subcall function 00DA2344: GetAsyncKeyState.USER32(00000002), ref: 00DA23A7

SetTimer.USER32(00000000,00000000,00000028,00DA1256), ref: 00DA29FC

Strings

AutoIt v3 GUI, xrefs: 00DA2974

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2acc52a1300055179bd4476e011408ebec03fb21d673ff9349e9c3c6bb499611
Instruction ID: 45cc8124cc64ad49f20377c55e2bf4776f3047de72307a43923f3ba088b64244
Opcode Fuzzy Hash: 2acc52a1300055179bd4476e011408ebec03fb21d673ff9349e9c3c6bb499611
Instruction Fuzzy Hash: AFB17E71A5020AEFDB14DFADDC45BAE7BB5FB08711F108129FA15A7290CB74E845CBA0

Function 00E24069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E240F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E241B6

Strings

FINDITEM, xrefs: 00E24329
ISSELECTED, xrefs: 00E241C1
VIEWCHANGE, xrefs: 00E24375
SELECTCLEAR, xrefs: 00E24235
GETTEXT, xrefs: 00E2415F
GETITEMCOUNT, xrefs: 00E24128
SELECTALL, xrefs: 00E2421D
GETSELECTED, xrefs: 00E242E4
SELECTINVERT, xrefs: 00E24286
DESELECT, xrefs: 00E242A4
GETSELECTEDCOUNT, xrefs: 00E24199
SELECT, xrefs: 00E24250
GETSUBITEMCOUNT, xrefs: 00E24141

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 849093df78615bf439863a338123b30be6c22cd6a58a05b224dd9a7ee4e44d14
Instruction ID: 0bf8dd318b2029253ba39d41d07c02beda04fb0845b3da44341b78c6399081e8
Opcode Fuzzy Hash: 849093df78615bf439863a338123b30be6c22cd6a58a05b224dd9a7ee4e44d14
Instruction Fuzzy Hash: 9FA1AF70214315DBCB14EF20D852E6AB7A5FF85314F14986CB896AB6E2DB30ED09CB71

Function 00E152F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E15309
LoadCursorW.USER32(00000000,00007F8A), ref: 00E15314
LoadCursorW.USER32(00000000,00007F00), ref: 00E1531F
LoadCursorW.USER32(00000000,00007F03), ref: 00E1532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00E15335
LoadCursorW.USER32(00000000,00007F01), ref: 00E15340
LoadCursorW.USER32(00000000,00007F81), ref: 00E1534B
LoadCursorW.USER32(00000000,00007F88), ref: 00E15356
LoadCursorW.USER32(00000000,00007F80), ref: 00E15361
LoadCursorW.USER32(00000000,00007F86), ref: 00E1536C
LoadCursorW.USER32(00000000,00007F83), ref: 00E15377
LoadCursorW.USER32(00000000,00007F85), ref: 00E15382
LoadCursorW.USER32(00000000,00007F82), ref: 00E1538D
LoadCursorW.USER32(00000000,00007F84), ref: 00E15398
LoadCursorW.USER32(00000000,00007F04), ref: 00E153A3
LoadCursorW.USER32(00000000,00007F02), ref: 00E153AE
GetCursorInfo.USER32(?), ref: 00E153BE
GetLastError.KERNEL32(00000001,00000000), ref: 00E153E9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 14d76d9662842c15da4f3333a50a700ffb1589bc47c9975f71e1f76d3fb276cd
Instruction ID: 7dcc968287e3484c265564cc33e455f61fa54c1c67d94a3e2c714a2e8113e6f2
Opcode Fuzzy Hash: 14d76d9662842c15da4f3333a50a700ffb1589bc47c9975f71e1f76d3fb276cd
Instruction Fuzzy Hash: 9A417470E04319AADB109FB68C498AEFFB8EF91B10B10452FE519E7290DAB89441CE61

Function 00DFAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DFAAA5
__swprintf.LIBCMT ref: 00DFAB46
_wcscmp.LIBCMT ref: 00DFAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DFABAE
_wcscmp.LIBCMT ref: 00DFABEA
GetClassNameW.USER32(?,?,00000400), ref: 00DFAC21
GetDlgCtrlID.USER32(?), ref: 00DFAC73
GetWindowRect.USER32(?,?), ref: 00DFACA9
GetParent.USER32(?), ref: 00DFACC7
ScreenToClient.USER32(00000000), ref: 00DFACCE
GetClassNameW.USER32(?,?,00000100), ref: 00DFAD48
_wcscmp.LIBCMT ref: 00DFAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00DFAD82
_wcscmp.LIBCMT ref: 00DFAD96

Part of subcall function 00DC386C: _iswctype.LIBCMT ref: 00DC3874

Strings

%s%u, xrefs: 00DFAB40

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 964c40bd0cf726208129d0cacb7fb8c394a1341a38bfe4ba5ea8633900d1219f
Instruction ID: e87ea3cde2979bc4f2ec1a7523ffec136cecc05962d0a80cb395f3cb55f41801
Opcode Fuzzy Hash: 964c40bd0cf726208129d0cacb7fb8c394a1341a38bfe4ba5ea8633900d1219f
Instruction Fuzzy Hash: 6FA1A3B120430AAFD714DF68C884BBAB7E8FF04315F058629FA9D92550E730E945CBB2

Function 00DFB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00DFB3DB
_wcscmp.LIBCMT ref: 00DFB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00DFB414
CharUpperBuffW.USER32(?,00000000), ref: 00DFB431
_wcscmp.LIBCMT ref: 00DFB44F
_wcsstr.LIBCMT ref: 00DFB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00DFB498
_wcscmp.LIBCMT ref: 00DFB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00DFB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00DFB518
_wcscmp.LIBCMT ref: 00DFB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00DFB550
GetWindowRect.USER32(00000004,?), ref: 00DFB5B9

Strings

ThumbnailClass, xrefs: 00DFB4A3, 00DFB523
@, xrefs: 00DFB3BC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: eb37be6c9913fc0714e245e83922375b9226c718042e6cc74c524297f6cce882
Instruction ID: cc57f7e61cd2c7d7469e8c9df22cd1e541957cd10baaa183125f86f7561f0093
Opcode Fuzzy Hash: eb37be6c9913fc0714e245e83922375b9226c718042e6cc74c524297f6cce882
Instruction Fuzzy Hash: 4E816C710082499FDB14DF10C985FBA7BE8EF44724F08C56AEE899A192DB34DD49CBB1

Function 00E2C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

DragQueryPoint.SHELL32(?,?), ref: 00E2C917

Part of subcall function 00E2ADF1: ClientToScreen.USER32(?,?), ref: 00E2AE1A
Part of subcall function 00E2ADF1: GetWindowRect.USER32(?,?), ref: 00E2AE90
Part of subcall function 00E2ADF1: PtInRect.USER32(?,?,00E2C304), ref: 00E2AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00E2C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E2C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E2C9AE
_wcscat.LIBCMT ref: 00E2C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E2C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00E2CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E2CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00E2CA47
DragFinish.SHELL32(?), ref: 00E2CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E2CB41

Strings

@GUI_DRAGFILE, xrefs: 00E2CAF0
@GUI_DROPID, xrefs: 00E2CA6E
pr, xrefs: 00E2CA8B
@GUI_DRAGID, xrefs: 00E2CAB9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-2073472848
Opcode ID: 3b528748ebf1b6692fa6b3adfd1b02287b2f5c0123854b45013fa77c07d5c57b
Instruction ID: 579b6ef94959aa07a5179f0091216ec2101bb99c8d8418d3dc17081558f137e2
Opcode Fuzzy Hash: 3b528748ebf1b6692fa6b3adfd1b02287b2f5c0123854b45013fa77c07d5c57b
Instruction Fuzzy Hash: C0614771108301AFC711EF65DC85D9FBBF8EF89750F100A2EF591A61A1DB709A49CBA2

Function 00DFB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DFB23F

Strings

[LAST, xrefs: 00DFB2EC
CLASSNAME=, xrefs: 00DFB27C
[HANDLE:, xrefs: 00DFB24B
LAST, xrefs: 00DFB204
ALL, xrefs: 00DFB2D3
ACTIVE, xrefs: 00DFB21A
[REGEXPTITLE:, xrefs: 00DFB267
REGEXP=, xrefs: 00DFB254
[ACTIVE, xrefs: 00DFB22C
[CLASS:, xrefs: 00DFB28F
HANDLE=, xrefs: 00DFB238
[ALL, xrefs: 00DFB2E5

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 038edcd38d94aaf5931758ea3ea49195247564a7dd5b0af11e5656c948b0e0bc
Instruction ID: c9c32e1736ece0290d738e284b1cbac971a0c2b2ae78775f213d28543124a5d3
Opcode Fuzzy Hash: 038edcd38d94aaf5931758ea3ea49195247564a7dd5b0af11e5656c948b0e0bc
Instruction Fuzzy Hash: 5031EF31A4430AE6DB14FA60CD43EFE77A4DF25761F64482AF941720D2EF61AE08C6B5

Function 00DFC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DFC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DFC4E6
SetWindowTextW.USER32(?,?), ref: 00DFC4FD
GetDlgItem.USER32(?,000003EA), ref: 00DFC512
SetWindowTextW.USER32(00000000,?), ref: 00DFC518
GetDlgItem.USER32(?,000003E9), ref: 00DFC528
SetWindowTextW.USER32(00000000,?), ref: 00DFC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DFC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DFC569
GetWindowRect.USER32(?,?), ref: 00DFC572
SetWindowTextW.USER32(?,?), ref: 00DFC5DD
GetDesktopWindow.USER32 ref: 00DFC5E3
GetWindowRect.USER32(00000000), ref: 00DFC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00DFC636
GetClientRect.USER32(?,?), ref: 00DFC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00DFC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DFC693

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: c3f0f91fcfb8170a507c8e0d7fb2cc8b0649f749a7b4117a66a4c0b6041a16e6
Instruction ID: f63be6d6223c12acc4c0bb560906cc6fff75499cec281782f74fb3327be0d29f
Opcode Fuzzy Hash: c3f0f91fcfb8170a507c8e0d7fb2cc8b0649f749a7b4117a66a4c0b6041a16e6
Instruction Fuzzy Hash: 70516F7090070DAFDB209FA9DE85B6EBBB5FF04704F014929E686A26A0C774A915CB60

Function 00E2A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E2A4C8
DestroyWindow.USER32(00000000,?), ref: 00E2A542

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E2A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E2A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E2A5F1
DestroyWindow.USER32(00000000), ref: 00E2A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DA0000,00000000), ref: 00E2A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E2A663
GetDesktopWindow.USER32 ref: 00E2A67C
GetWindowRect.USER32(00000000), ref: 00E2A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E2A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E2A6B3

Part of subcall function 00DA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DA25EC

Strings

tooltips_class32, xrefs: 00E2A5B5, 00E2A643
0, xrefs: 00E2A4DE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 0581726ec165d07b2b39ffce2e97ec1197959454446037c331f3221fb1848144
Instruction ID: afbefabdc545f74342f430d9733541b6dcc961c1d2dbfed7cf1ce4c83e5f142f
Opcode Fuzzy Hash: 0581726ec165d07b2b39ffce2e97ec1197959454446037c331f3221fb1848144
Instruction Fuzzy Hash: B6717C71140205AFD724CF29DC49F6677F6FB88704F08492DF986A72A0D7B1E94ACB62

Function 00E24619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E246AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E246F6

Strings

EXPAND, xrefs: 00E247A8
ISCHECKED, xrefs: 00E24879
SELECT, xrefs: 00E248A7
CHECK, xrefs: 00E24716
GETTEXT, xrefs: 00E24849
GETITEMCOUNT, xrefs: 00E247D8
COLLAPSE, xrefs: 00E2473C
GETTOTALCOUNT, xrefs: 00E246DD
UNCHECK, xrefs: 00E248D2
GETSELECTED, xrefs: 00E24806
EXISTS, xrefs: 00E2475F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 32d95bea196af74aa5bb68183764f90ce0c60b513db7d0993e60a8d72d1f62e4
Instruction ID: b0a03a409ae6e825b382aef5db78578e94e81229a40c1cdc383072a806010597
Opcode Fuzzy Hash: 32d95bea196af74aa5bb68183764f90ce0c60b513db7d0993e60a8d72d1f62e4
Instruction Fuzzy Hash: F091A174204716DFCB14EF20C451A6ABBE1EF85314F04985DF8966B7A2DB30ED4ACBA1

Function 00E2BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E2BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00E26D80,?), ref: 00E2BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E2BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E2BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E2BC7D
FreeLibrary.KERNEL32(?), ref: 00E2BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E2BC99
DestroyIcon.USER32(?), ref: 00E2BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E2BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E2BCD1

Part of subcall function 00DC313D: __wcsicmp_l.LIBCMT ref: 00DC31C6

Strings

.icl, xrefs: 00E2BAE4
.exe, xrefs: 00E2BB04
.dll, xrefs: 00E2BB27

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 10903b84103b52ffe8700ac3d55c770c3c9c4b896b1657c117b8a1471d0b8474
Instruction ID: 4003b059dc6814c3b59048add2499391da9fb196dd39eb1960e731dacc051656
Opcode Fuzzy Hash: 10903b84103b52ffe8700ac3d55c770c3c9c4b896b1657c117b8a1471d0b8474
Instruction Fuzzy Hash: 8361D071500629BEEB24DF64DC46FBAB7B8FB08710F10412AF915E61D0DB749A94CBA0

Function 00E0DE85 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E0DF47
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E0DF57
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E0DF63
__wsplitpath.LIBCMT ref: 00E0DFC1
_wcscat.LIBCMT ref: 00E0DFD9
_wcscat.LIBCMT ref: 00E0DFEB
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E0E000
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0E014
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0E046
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0E067
_wcscpy.LIBCMT ref: 00E0E073
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E0E0B2

Strings

*.*, xrefs: 00E0E06D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 992cb4a449ed7c0781948532462d14f5897d2de7d9ec2ed775dfdf71c1e48f7c
Instruction ID: 560b0fca0848ed20afba3fa4906a857214e21a4e42615e651f707aceb8d33999
Opcode Fuzzy Hash: 992cb4a449ed7c0781948532462d14f5897d2de7d9ec2ed775dfdf71c1e48f7c
Instruction Fuzzy Hash: C7614C765083059FC710EF60C8549AEB7E8FF89314F04892EF989A7291DB35E945CB62

Function 00E0A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00E2FB78), ref: 00E0A0FC

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00E0A11E
__swprintf.LIBCMT ref: 00E0A177
__swprintf.LIBCMT ref: 00E0A190
_wprintf.LIBCMT ref: 00E0A246
_wprintf.LIBCMT ref: 00E0A264

Strings

%, xrefs: 00E0A0C9
^ ERROR, xrefs: 00E0A1E8
"%s" (%d) : ==> %s:, xrefs: 00E0A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00E0A241
Error: , xrefs: 00E0A20E
Line %d (File "%s"):, xrefs: 00E0A171, 00E0A18A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
API String ID: 311963372-1048875529
Opcode ID: be919bdfd54b7377914e844637b8018a8c66b1ebcf313189cb22a9ad0a4170e5
Instruction ID: ec81889614635f6981dbd62d89c904c08490e57fd78920b9dfde325a3693a03b
Opcode Fuzzy Hash: be919bdfd54b7377914e844637b8018a8c66b1ebcf313189cb22a9ad0a4170e5
Instruction Fuzzy Hash: 7D515A7290020AAACF15EBE0DD86EEEB779EF05300F144565F505720A2EB316F99DBB1

Function 00E09EA3 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00E09EEA

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00E09F0B
__swprintf.LIBCMT ref: 00E09F64
__swprintf.LIBCMT ref: 00E09F7D
_wprintf.LIBCMT ref: 00E0A024
_wprintf.LIBCMT ref: 00E0A042

Strings

"%s" (%d) : ==> %s:, xrefs: 00E0A03D
"%s" (%d) : ==> %s:%s%s, xrefs: 00E0A01F
Error: , xrefs: 00E09FEC
^ ERROR , xrefs: 00E09FB9
Incorrect parameters to object property !, xrefs: 00E09FC6
Line %d (File "%s"):, xrefs: 00E09F5E, 00E09F77

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 57603f353d1fd16290e3558d3cd6039ec33c068591bec4ac886687ece140fd51
Instruction ID: 360f0129218909058d9c33df19d65823eefc2adf5ad0a8494f99d4e7f653bfd2
Opcode Fuzzy Hash: 57603f353d1fd16290e3558d3cd6039ec33c068591bec4ac886687ece140fd51
Instruction Fuzzy Hash: DE517F7190020AAACF15EBE0DD82EEEB779EF05300F140565F505720A2EB752F99DB71

Function 00E0A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

CharLowerBuffW.USER32(?,?), ref: 00E0A636
GetDriveTypeW.KERNEL32 ref: 00E0A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E0A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E0A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E0A730

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Strings

set cd door , xrefs: 00E0A6D1
type cdaudio alias cd wait, xrefs: 00E0A6AE
close, xrefs: 00E0A63C
wait, xrefs: 00E0A6ED
open , xrefs: 00E0A692
open, xrefs: 00E0A65D
close cd wait, xrefs: 00E0A71B
closed, xrefs: 00E0A64A, 00E0A653

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 9d6f4263929d98b48a40e635d3acc913382fcce560bdcf8da147a08199dd2144
Instruction ID: dfd5950e1783ec8f4e8f2558aac2ad71d692dad0c660435c519800cfb24c079e
Opcode Fuzzy Hash: 9d6f4263929d98b48a40e635d3acc913382fcce560bdcf8da147a08199dd2144
Instruction Fuzzy Hash: 54514E711043059FC700EF20C89196AB7F4FF95718F18996DF896672A1DB31EE0ACBA2

Function 00DFFDBA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000001,?,00DDE452,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001), ref: 00DFFDEF
LoadStringW.USER32(00000000,?,00DDE452,00000001), ref: 00DFFDF8

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00DDE452,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001,00000001), ref: 00DFFE1A
LoadStringW.USER32(00000000,?,00DDE452,00000001), ref: 00DFFE1D
__swprintf.LIBCMT ref: 00DFFE6D
__swprintf.LIBCMT ref: 00DFFE7E
_wprintf.LIBCMT ref: 00DFFF27
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DFFF3E

Strings

^ ERROR, xrefs: 00DFFED3
Error: , xrefs: 00DFFEF5
%s (%d) : ==> %s: %s %s, xrefs: 00DFFF22
Line %d:, xrefs: 00DFFE78
Line %d (File "%s"):, xrefs: 00DFFE67

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: cf5a9d2def3e63c3cfb2d077b18d633a40c38a397a84cb8605f7a207822d26bc
Instruction ID: 8f17ed518a8519537ea28e465548eebb1c5f902cf33d55116c7282f371c4bf4b
Opcode Fuzzy Hash: cf5a9d2def3e63c3cfb2d077b18d633a40c38a397a84cb8605f7a207822d26bc
Instruction Fuzzy Hash: 69412A7290420EAACF15EBE0DD86DEEB778EF15700F500565F605B20A2EA316F49CBB1

Function 00E0A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E0A47A
__swprintf.LIBCMT ref: 00E0A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E0A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E0A4FE
_memset.LIBCMT ref: 00E0A51D
_wcsncpy.LIBCMT ref: 00E0A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E0A58E
CloseHandle.KERNEL32(00000000), ref: 00E0A599
RemoveDirectoryW.KERNEL32(?), ref: 00E0A5A2
CloseHandle.KERNEL32(00000000), ref: 00E0A5AC

Strings

\, xrefs: 00E0A4B2
\??\%s, xrefs: 00E0A496
:, xrefs: 00E0A4BD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 825122e8d914630bf500e56a33079df21e8bb511ca877ea8d597da0f185ec92b
Instruction ID: 4318197f9f77acdf524e5524dc3953ce86b4be9522745f2a1903a03786c6fb5c
Opcode Fuzzy Hash: 825122e8d914630bf500e56a33079df21e8bb511ca877ea8d597da0f185ec92b
Instruction Fuzzy Hash: CB31807650020AABDB21DFA1DC49FEB73BCEF89705F1441B6F908E21A0E67096858B35

Function 00DDAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00DDAB7B
___wtomb_environ.LIBCMT ref: 00DDAB9D

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

__malloc_crt.LIBCMT ref: 00DDABC5
__malloc_crt.LIBCMT ref: 00DDABE2
_free.LIBCMT ref: 00DDAC19
__recalloc_crt.LIBCMT ref: 00DDAC52
__recalloc_crt.LIBCMT ref: 00DDAC97
_strlen.LIBCMT ref: 00DDACC3
__calloc_crt.LIBCMT ref: 00DDACCD
_strlen.LIBCMT ref: 00DDACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00DDAD0A
_free.LIBCMT ref: 00DDAD24
_free.LIBCMT ref: 00DDAD31
_free.LIBCMT ref: 00DDAD43
__invoke_watson.LIBCMT ref: 00DDAD5D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 8e15ee2c7eb46dd0ddd1c058db17e2ca2e4034833fd4e0ae290ef60322e0be74
Instruction ID: 77c9087e7705ab7db0b83e9e37f66308bb99bbcc80362947a93e95e17acd643b
Opcode Fuzzy Hash: 8e15ee2c7eb46dd0ddd1c058db17e2ca2e4034833fd4e0ae290ef60322e0be74
Instruction Fuzzy Hash: 6E610572501206AFDB205F2CE841F6A77A9EF12371F19811BE801AB3D1EB75D842C7B2

Function 00E2BCED Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00E2BD10
GetFileSize.KERNEL32(00000000,00000000), ref: 00E2BD27
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00E2BD32
CloseHandle.KERNEL32(00000000), ref: 00E2BD3F
GlobalLock.KERNEL32(00000000), ref: 00E2BD48
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00E2BD57
GlobalUnlock.KERNEL32(00000000), ref: 00E2BD60
CloseHandle.KERNEL32(00000000), ref: 00E2BD67
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00E2BD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E32CAC,?), ref: 00E2BD91
GlobalFree.KERNEL32(00000000), ref: 00E2BDA1
GetObjectW.GDI32(?,00000018,000000FF), ref: 00E2BDC5
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00E2BDF0
DeleteObject.GDI32(00000000), ref: 00E2BE18
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E2BE2E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 77dbe33fceffad81f3e19f239a738da0d41aa03f4ede4d62fe24120d610e88b8
Instruction ID: c1966a693a1d82eda0173e79e0be65432f266da6817379db640b642af10dd44d
Opcode Fuzzy Hash: 77dbe33fceffad81f3e19f239a738da0d41aa03f4ede4d62fe24120d610e88b8
Instruction Fuzzy Hash: 7E412A75600218EFDB219F66DC48EABBBB8FF89715F104068F905E7260D770AD46CB60

Function 00E0DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00E0DC7B
_wcscat.LIBCMT ref: 00E0DC93
_wcscat.LIBCMT ref: 00E0DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E0DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0DCCE
GetFileAttributesW.KERNEL32(?), ref: 00E0DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E0DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00E0DD12

Strings

*.*, xrefs: 00E0DD51

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: c8bbe32b9393a9b1e59b97766de0b310f8d4d9fddc8b7c8b7f2153407bda3931
Instruction ID: 80fbb4a3ecf2580081006c0c265c390785db0bad35b62b52095ea20fd456edea
Opcode Fuzzy Hash: c8bbe32b9393a9b1e59b97766de0b310f8d4d9fddc8b7c8b7f2153407bda3931
Instruction Fuzzy Hash: E481A2715083459FCB20DFA4CC859AAB7E8FF89314F15982EF885E7290E630DD85CB62

Function 00E2C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E2C4EC
GetFocus.USER32 ref: 00E2C4FC
GetDlgCtrlID.USER32(00000000), ref: 00E2C507
_memset.LIBCMT ref: 00E2C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E2C65D
GetMenuItemCount.USER32(?), ref: 00E2C67D
GetMenuItemID.USER32(?,00000000), ref: 00E2C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E2C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E2C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E2C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E2C779

Strings

0, xrefs: 00E2C62A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: b9b1782c225fd5fdc7b8483c2b9421ff67cdcfc8586bfe865535f20f3434612b
Instruction ID: e516abd62e50b9e4167a4eec32add8db3d9a4666fe2df67f5dbb3025caa728c6
Opcode Fuzzy Hash: b9b1782c225fd5fdc7b8483c2b9421ff67cdcfc8586bfe865535f20f3434612b
Instruction Fuzzy Hash: 83819E701083219FD720CF25E984A6FBBE8FB88758F20152EF995A3291D771D945CBA2

Function 00DF83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF8766
Part of subcall function 00DF874A: GetLastError.KERNEL32(?,00DF822A,?,?,?), ref: 00DF8770
Part of subcall function 00DF874A: GetProcessHeap.KERNEL32(00000008,?,?,00DF822A,?,?,?), ref: 00DF877F
Part of subcall function 00DF874A: HeapAlloc.KERNEL32(00000000,?,00DF822A,?,?,?), ref: 00DF8786
Part of subcall function 00DF874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF879D

Part of subcall function 00DF87E7: GetProcessHeap.KERNEL32(00000008,00DF8240,00000000,00000000,?,00DF8240,?), ref: 00DF87F3
Part of subcall function 00DF87E7: HeapAlloc.KERNEL32(00000000,?,00DF8240,?), ref: 00DF87FA
Part of subcall function 00DF87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DF8240,?), ref: 00DF880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DF8458
_memset.LIBCMT ref: 00DF846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DF848C
GetLengthSid.ADVAPI32(?), ref: 00DF849D
GetAce.ADVAPI32(?,00000000,?), ref: 00DF84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DF84F6
GetLengthSid.ADVAPI32(?), ref: 00DF8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DF8522
HeapAlloc.KERNEL32(00000000), ref: 00DF8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DF854A
CopySid.ADVAPI32(00000000), ref: 00DF8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DF8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DF85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DF85BC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 61c93a56b8d32a901146b614c5e9dc5a50c7d9935048e099ca623ccd338c0354
Instruction ID: b3293bfe7981391cca183b641d0dd1b3cfeab99e730be9555075eebed7c1bd34
Opcode Fuzzy Hash: 61c93a56b8d32a901146b614c5e9dc5a50c7d9935048e099ca623ccd338c0354
Instruction Fuzzy Hash: FA614571A0020AAFDF10DFA5DC45EBEBBB9FF05300F148169EA15AB291DB319A05DF61

Function 00E1762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E176A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E176AE
CreateCompatibleDC.GDI32(?), ref: 00E176BA
SelectObject.GDI32(00000000,?), ref: 00E176C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E1771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E17757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E1777B
SelectObject.GDI32(00000006,?), ref: 00E17783
DeleteObject.GDI32(?), ref: 00E1778C
DeleteDC.GDI32(00000006), ref: 00E17793
ReleaseDC.USER32(00000000,?), ref: 00E1779E

Strings

(, xrefs: 00E17723

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 66aff1b4a83a6cf5348101337e8372728c6e7fe1c4e8487c18c4e20c71085822
Instruction ID: e54fe355e749f22df6be44d03ef879cc94a8e918e0ec141dbcff46596e4ad949
Opcode Fuzzy Hash: 66aff1b4a83a6cf5348101337e8372728c6e7fe1c4e8487c18c4e20c71085822
Instruction Fuzzy Hash: 6C516B75904209EFCB25CFA9CC84EEEBBB9EF48710F14852DF989A7210D731A845CB60

Function 00E093DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E091E9: __time64.LIBCMT ref: 00E091F3

Part of subcall function 00DA5045: _fseek.LIBCMT ref: 00DA505D

__wsplitpath.LIBCMT ref: 00E094BE

Part of subcall function 00DC432E: __wsplitpath_helper.LIBCMT ref: 00DC436E

_wcscpy.LIBCMT ref: 00E094D1
_wcscat.LIBCMT ref: 00E094E4
__wsplitpath.LIBCMT ref: 00E09509
_wcscat.LIBCMT ref: 00E0951F
_wcscat.LIBCMT ref: 00E09532

Part of subcall function 00E0922F: _memmove.LIBCMT ref: 00E09268
Part of subcall function 00E0922F: _memmove.LIBCMT ref: 00E09277

_wcscmp.LIBCMT ref: 00E09479

Part of subcall function 00E099BE: _wcscmp.LIBCMT ref: 00E09AAE
Part of subcall function 00E099BE: _wcscmp.LIBCMT ref: 00E09AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E096DC
_wcsncpy.LIBCMT ref: 00E0974F
DeleteFileW.KERNEL32(?,?), ref: 00E09785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E0979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E097AC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E097BE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 67f3b4a8dea324878566ae2a671ee3d5df679a2c19951ea39ac5c4451baea942
Instruction ID: 35391fc416b6abf5e7f2d4a055c95e47a67d14ec0c3ddc5c2e272b10cd94061e
Opcode Fuzzy Hash: 67f3b4a8dea324878566ae2a671ee3d5df679a2c19951ea39ac5c4451baea942
Instruction Fuzzy Hash: D7C11AB1900219AADF21DF95DC85EDEB7BDEF45310F0040AAF609F7192DB709A848F65

Function 00DA6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00DC0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DA6C6C,?,00008000), ref: 00DC0BB7

Part of subcall function 00DA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DA48A1,?,?,00DA37C0,?), ref: 00DA48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DA6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00DA6E5A

Part of subcall function 00DA59CD: _wcscpy.LIBCMT ref: 00DA5A05

Part of subcall function 00DC387D: _iswctype.LIBCMT ref: 00DC3885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00DDE8BF
AU3!, xrefs: 00DA6CC1
Unterminated string, xrefs: 00DDEC0D
Bad directive syntax error, xrefs: 00DDEBC6
Error opening the file, xrefs: 00DDE866, 00DDE8E1
EA06, xrefs: 00DDE87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00DDE84A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: a3bb9c55212625a4162577a17b71acb633b11eea5ae33b56d42e700e10c41fad
Instruction ID: b087474402b6438d44d5cd8630b23900a8995dfae7503c9666b6e9eec35f79f3
Opcode Fuzzy Hash: a3bb9c55212625a4162577a17b71acb633b11eea5ae33b56d42e700e10c41fad
Instruction Fuzzy Hash: 6D025E711083419FC724EF24C891AAFBBE5EF96354F08491EF496972A1DB30D949CB72

Function 00DA45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA45F9
GetMenuItemCount.USER32(00E66890), ref: 00DDD7CD
GetMenuItemCount.USER32(00E66890), ref: 00DDD87D
GetCursorPos.USER32(?), ref: 00DDD8C1
SetForegroundWindow.USER32(00000000), ref: 00DDD8CA
TrackPopupMenuEx.USER32(00E66890,00000000,?,00000000,00000000,00000000), ref: 00DDD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DDD8E9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: c407387739e90e293c5ae1479b946a12642342774861f24092f4dbf49092806c
Instruction ID: 05a7dc5dcaf9f1d448b711e9ade43c9afe31b827d4297e8c48d45b8357f4e4a6
Opcode Fuzzy Hash: c407387739e90e293c5ae1479b946a12642342774861f24092f4dbf49092806c
Instruction Fuzzy Hash: 7C71F470640205BEEF318F65DC49FAABFA5FF45364F280226F515662E0C7B1AC50DBA1

Function 00E18BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E18BEC
CoInitialize.OLE32(00000000), ref: 00E18C19
CoUninitialize.OLE32 ref: 00E18C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00E18D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E18E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E32C0C), ref: 00E18E84
CoGetObject.OLE32(?,00000000,00E32C0C,?), ref: 00E18EA7
SetErrorMode.KERNEL32(00000000), ref: 00E18EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E18F3A
VariantClear.OLEAUT32(?), ref: 00E18F4A

Strings

,,, xrefs: 00E18BD6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: e27ef84fbba10fc0a1631d12d12f1456bfb122c39b9fb7ee4d5b1beb7691ece0
Instruction ID: 3f101b7daf14d3c316d1290aa92f8770dc961a3a2960897f274344d97eb39ba6
Opcode Fuzzy Hash: e27ef84fbba10fc0a1631d12d12f1456bfb122c39b9fb7ee4d5b1beb7691ece0
Instruction Fuzzy Hash: 44C15670204305AFC704DF24C9849ABBBE9FF89308F00596DF58AAB251DB31ED46CB62

Function 00DF7D24 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

_memset.LIBCMT ref: 00DF7DB3
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DF7DE8
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DF7E04
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DF7E20
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DF7E4A
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00DF7E72
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DF7E7D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DF7E82

Strings

\IPC$, xrefs: 00DF7DCA
SOFTWARE\Classes\, xrefs: 00DF7D54
\CLSID, xrefs: 00DF7D6A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 30a2c0e7a7c32eec77045442fd935775c14c923fc3bafc177288bb11a660f022
Instruction ID: 3f74d9088745008b8d2dc189507007d25fc84cca14b910220be54be1c672d360
Opcode Fuzzy Hash: 30a2c0e7a7c32eec77045442fd935775c14c923fc3bafc177288bb11a660f022
Instruction Fuzzy Hash: 0041F672C1422DABDB21EBA4DC85DEEB778FF08700B444569F915A7161EA305E09CBA0

Function 00E210A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E20038,?,?), ref: 00E210BC

Strings

HKCR, xrefs: 00E21164
HKEY_LOCAL_MACHINE, xrefs: 00E21125
HKCU, xrefs: 00E211AC
HKEY_CURRENT_CONFIG, xrefs: 00E21179
HKLM, xrefs: 00E2113A
HKEY_CURRENT_USER, xrefs: 00E2119B
HKU, xrefs: 00E211CE
HKEY_USERS, xrefs: 00E211BD
HKCC, xrefs: 00E2118A
HKEY_CLASSES_ROOT, xrefs: 00E2114F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 3d8dbda77b76c0f3c3d48d85c2c7b5e91a9714301e13450f783d34703b537915
Instruction ID: 7a047e1218a2b9cd4dbca002fa0788b93cc80446d684d372a80fe031c6d84780
Opcode Fuzzy Hash: 3d8dbda77b76c0f3c3d48d85c2c7b5e91a9714301e13450f783d34703b537915
Instruction Fuzzy Hash: 17415E3110125ACBCF11EF90ED91AEA3724EF61344F505498FC926B692DB70AF1ACB70

Function 00DFFCB1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DDE6C9,00000010,?,Bad directive syntax error,00E2F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DFFCD2
LoadStringW.USER32(00000000,?,00DDE6C9,00000010), ref: 00DFFCD9

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

_wprintf.LIBCMT ref: 00DFFD0C
__swprintf.LIBCMT ref: 00DFFD2E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DFFD9D

Strings

Error: , xrefs: 00DFFD6B
%s (%d) : ==> %s.: %s %s, xrefs: 00DFFD07
., xrefs: 00DFFD83
Line %d:, xrefs: 00DFFD28
Line %d (File "%s"):, xrefs: 00DFFD43

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b65d6eb5c03defddeb53fe30233697972877eda0c5b52ded2b560484ffcc8436
Instruction ID: bbe1a423bd2880eef1c81fadda730dda0b9e541caccb0a78aa26a5bba71939d2
Opcode Fuzzy Hash: b65d6eb5c03defddeb53fe30233697972877eda0c5b52ded2b560484ffcc8436
Instruction Fuzzy Hash: AE215C3294021EEBCF22EB90CC46EEE7779FF14300F044869F505660A2EA719A59DB70

Function 00E05569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Part of subcall function 00DA7A84: _memmove.LIBCMT ref: 00DA7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E055D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E055E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E055F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E0560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E0561C

Strings

play PlayMe, xrefs: 00E05617
play PlayMe wait, xrefs: 00E05606
close PlayMe, xrefs: 00E055E3, 00E05610
open , xrefs: 00E05581
alias PlayMe, xrefs: 00E055AB
status PlayMe mode, xrefs: 00E055CD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 453e9ddc37eb3929e15c0fa7111adec9b43c51bca0d3eff1530c5a51db4cc1ef
Instruction ID: e3ea4d0a1a8e925967a5727295f102a5e4056e7c7bd1d09554c6b182d1f39688
Opcode Fuzzy Hash: 453e9ddc37eb3929e15c0fa7111adec9b43c51bca0d3eff1530c5a51db4cc1ef
Instruction Fuzzy Hash: 5911C42169026979D720B761DC4ADFF7B7CEF92B04F481979B801B20D1EE611E49C9B1

Function 00E048F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E0490E
gethostname.WSOCK32(?,00000100), ref: 00E04928
gethostbyname.WSOCK32(?), ref: 00E04935
_wcscpy.LIBCMT ref: 00E0495D
_memmove.LIBCMT ref: 00E04970
inet_ntoa.WSOCK32(?), ref: 00E0497B
_strcat.LIBCMT ref: 00E04989
_wcscpy.LIBCMT ref: 00E049A0
WSACleanup.WSOCK32 ref: 00E049AE
_wcscpy.LIBCMT ref: 00E049BC

Strings

0.0.0.0, xrefs: 00E04957

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: abac8fed05c0a7c6e263cbb34cfb4f2a7eef1d90d2a52c4c7cce8a0b21348d71
Instruction ID: f0bb5ddbcad792a0e82404107c5be0b557c50dab105c23603f18df0e63d72738
Opcode Fuzzy Hash: abac8fed05c0a7c6e263cbb34cfb4f2a7eef1d90d2a52c4c7cce8a0b21348d71
Instruction Fuzzy Hash: FD11F3B190421AAFCB24AB619D4AEEB77BCDF81710F04017AF504B20D1EF709AC59AB1

Function 00E05217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E0521C

Part of subcall function 00DC0719: timeGetTime.WINMM(?,75C0B400,00DB0FF9), ref: 00DC071D

Sleep.KERNEL32(0000000A), ref: 00E05248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E0526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E0528E
SetActiveWindow.USER32 ref: 00E052AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E052BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E052DA
Sleep.KERNEL32(000000FA), ref: 00E052E5
IsWindow.USER32 ref: 00E052F1
EndDialog.USER32(00000000), ref: 00E05302

Strings

BUTTON, xrefs: 00E05280

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c6720094ae48506f108455e1bb85977d2b7e1243988969083fef315021b1a158
Instruction ID: 833022680c8c1badac9a5d0b9e1267ef129bbbbeb697451d6cf1208fae10f80e
Opcode Fuzzy Hash: c6720094ae48506f108455e1bb85977d2b7e1243988969083fef315021b1a158
Instruction Fuzzy Hash: F8218E71204705AFE7105B62FD89E273B7AEB4538EF042478F402B11F1DBA59C898A61

Function 00E0D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

CoInitialize.OLE32(00000000), ref: 00E0D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E0D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00E0D8FC
CoCreateInstance.OLE32(00E32D7C,00000000,00000001,00E5A89C,?), ref: 00E0D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E0D9B7
CoTaskMemFree.OLE32(?,?), ref: 00E0DA0F
_memset.LIBCMT ref: 00E0DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00E0DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E0DAAB
CoTaskMemFree.OLE32(00000000), ref: 00E0DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E0DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00E0DAEB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: bf2352c2e41ccb91c33a4ca80be53e54a73cf7f2214fb239fae2c271efd1c711
Instruction ID: a7a3e730b328faf8dbea06e561268c0e0e1c2bdb51141dbf460dd18918f06672
Opcode Fuzzy Hash: bf2352c2e41ccb91c33a4ca80be53e54a73cf7f2214fb239fae2c271efd1c711
Instruction Fuzzy Hash: 6DB1FB75A00109AFDB14DFA4CC98DAEBBB9FF49314B048469F909EB261DB30ED45CB60

Function 00E0052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E005A7
SetKeyboardState.USER32(?), ref: 00E00612
GetAsyncKeyState.USER32(000000A0), ref: 00E00632
GetKeyState.USER32(000000A0), ref: 00E00649
GetAsyncKeyState.USER32(000000A1), ref: 00E00678
GetKeyState.USER32(000000A1), ref: 00E00689
GetAsyncKeyState.USER32(00000011), ref: 00E006B5
GetKeyState.USER32(00000011), ref: 00E006C3
GetAsyncKeyState.USER32(00000012), ref: 00E006EC
GetKeyState.USER32(00000012), ref: 00E006FA
GetAsyncKeyState.USER32(0000005B), ref: 00E00723
GetKeyState.USER32(0000005B), ref: 00E00731

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d78861ca4b1d0b5fe977bd6b7e4f167cd635ba03cc1d015ab70d3ac5ac696098
Instruction ID: ef134e9990d86f391fc77e391946a96d61d4fa41d6d0a197c1bce5bc77a6d19a
Opcode Fuzzy Hash: d78861ca4b1d0b5fe977bd6b7e4f167cd635ba03cc1d015ab70d3ac5ac696098
Instruction Fuzzy Hash: 98511B30A0478429FB35EBB088547EABFF59F11384F08559AD5C27B5C2DA649BCCCB62

Function 00DFC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DFC746
GetWindowRect.USER32(00000000,?), ref: 00DFC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DFC7B6
GetDlgItem.USER32(?,00000002), ref: 00DFC7C1
GetWindowRect.USER32(00000000,?), ref: 00DFC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DFC827
GetDlgItem.USER32(?,000003E9), ref: 00DFC835
GetWindowRect.USER32(00000000,?), ref: 00DFC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DFC889
GetDlgItem.USER32(?,000003EA), ref: 00DFC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DFC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00DFC8C1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b9e423c703ea8b626ebf004fe66a19c11e40265cc47d7b06d23285d1b39cbdf2
Instruction ID: a6e2d96d68d212cc4c6ee2deced2fca9fa0dde1780cc6751dda59f5f2ff85460
Opcode Fuzzy Hash: b9e423c703ea8b626ebf004fe66a19c11e40265cc47d7b06d23285d1b39cbdf2
Instruction Fuzzy Hash: 9F515071B10209AFDB18CF69DD89AAEBBB6FB88710F14813DF615E7290D7709D048B50

Function 00DA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DA2036,?,00000000,?,?,?,?,00DA16CB,00000000,?), ref: 00DA1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DA20D3
KillTimer.USER32(-00000001,?,?,?,?,00DA16CB,00000000,?,?,00DA1AE2,?,?), ref: 00DA216E
DestroyAcceleratorTable.USER32(00000000), ref: 00DDBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DA16CB,00000000,?,?,00DA1AE2,?,?), ref: 00DDBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DA16CB,00000000,?,?,00DA1AE2,?,?), ref: 00DDBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DA16CB,00000000,?,?,00DA1AE2,?,?), ref: 00DDBF5A
DeleteObject.GDI32(00000000), ref: 00DDBF6C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e4eb8ec7209be542e6dae67dcb72566e6d9c13981bba81b675074bbeb5f24530
Instruction ID: 176ac3907f4a177db144097c0c94629d4f6e586b0b7b7073f56a891f3c88ee8f
Opcode Fuzzy Hash: e4eb8ec7209be542e6dae67dcb72566e6d9c13981bba81b675074bbeb5f24530
Instruction Fuzzy Hash: D0618930110710DFCB399F2AED48B3AB7B1FF41316F14442AE58267A60C7B2A895DFA0

Function 00DA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00DA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DA25EC

GetSysColor.USER32(0000000F), ref: 00DA21D3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7407d2042c586e427d9b2844fa7cde70789c72cb78c87ff41492d0566029efce
Instruction ID: 97da7114eacf09d9db23e95c213854d84b74380769a008e049438c79429f0095
Opcode Fuzzy Hash: 7407d2042c586e427d9b2844fa7cde70789c72cb78c87ff41492d0566029efce
Instruction Fuzzy Hash: 3541AF31000250AEDB255F2EEC88BB93B76EB07331F584266FD659A2E2C7318C46DB75

Function 00E0AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E2F910), ref: 00E0AB76
GetDriveTypeW.KERNEL32(00000061,00E5A620,00000061), ref: 00E0AC40
_wcscpy.LIBCMT ref: 00E0AC6A

Strings

fixed, xrefs: 00E0ABBE
unknown, xrefs: 00E0AC01
ramdisk, xrefs: 00E0ABEA
network, xrefs: 00E0ABD4
all, xrefs: 00E0AB7C
cdrom, xrefs: 00E0AB92
removable, xrefs: 00E0ABA8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 05bb415b594b27f22d7fc68049f544ea956a31861c1ae5209a3f07aeb53bb29a
Instruction ID: 3fe68109006f85a23db6b4a0a6cc24c82f905954004fd92519fc29334115c5d5
Opcode Fuzzy Hash: 05bb415b594b27f22d7fc68049f544ea956a31861c1ae5209a3f07aeb53bb29a
Instruction Fuzzy Hash: 8D519E311083059BC710EF14C892EAAB7A5EF95305F18592DF496672E2DB31DE89CB63

Function 00E2C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

Part of subcall function 00DA2344: GetCursorPos.USER32(?), ref: 00DA2357
Part of subcall function 00DA2344: ScreenToClient.USER32(00E667B0,?), ref: 00DA2374
Part of subcall function 00DA2344: GetAsyncKeyState.USER32(00000001), ref: 00DA2399
Part of subcall function 00DA2344: GetAsyncKeyState.USER32(00000002), ref: 00DA23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E2C2E4
ImageList_EndDrag.COMCTL32 ref: 00E2C2EA
ReleaseCapture.USER32 ref: 00E2C2F0
SetWindowTextW.USER32(?,00000000), ref: 00E2C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E2C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E2C48F

Strings

@GUI_DRAGFILE, xrefs: 00E2C424
@GUI_DROPID, xrefs: 00E2C3E1
pr, xrefs: 00E2C3FD
pr, xrefs: 00E2C438

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 1924731296-488423084
Opcode ID: c43ca060155e51ffc77a36ed0c7023cbd4f1fac15e39a9c636ca2128b8134736
Instruction ID: fe311d3d4645d0df071c879ab0e6cb70bc47f54018a6e7869754589153529755
Opcode Fuzzy Hash: c43ca060155e51ffc77a36ed0c7023cbd4f1fac15e39a9c636ca2128b8134736
Instruction Fuzzy Hash: 8651AC70204304AFD714EF24EC56F6B7BE5EB88314F10492DF991AB2E1DB70A948CB62

Function 00DA9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00DA99C2
__swprintf.LIBCMT ref: 00DA9A0C
__i64tow.LIBCMT ref: 00DDFA0F

Strings

0x%p, xrefs: 00DDF9F1
True, xrefs: 00DDF9D0
%.15g, xrefs: 00DA9A06
False, xrefs: 00DDF9D7

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: cb41cb106d90ca519aec4fed7852c35c5f65956e890ca3f45a137296fe90c033
Instruction ID: 5063a59a3a907cceead6de09bfc788af62a3d35995f387df5b85bfaea458ee93
Opcode Fuzzy Hash: cb41cb106d90ca519aec4fed7852c35c5f65956e890ca3f45a137296fe90c033
Instruction Fuzzy Hash: 0B41B471A04206AEDB249B74DC52F7AB7E8EF45300F24486FF58AD7291EA71D9428F31

Function 00E273C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E273D9
CreateMenu.USER32 ref: 00E273F4
SetMenu.USER32(?,00000000), ref: 00E27403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E27490
IsMenu.USER32(?), ref: 00E274A6
CreatePopupMenu.USER32 ref: 00E274B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E274DD
DrawMenuBar.USER32 ref: 00E274E5

Strings

F, xrefs: 00E274D1
0, xrefs: 00E273CF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a7eed64dfe781c32da2551ef16336b640a279ae477ce2f861e5be01aec5800b7
Instruction ID: 2b0fec9b036f1e1fe7429fa04ca34e55b0f94f2dc564d506bbc7438592a33b92
Opcode Fuzzy Hash: a7eed64dfe781c32da2551ef16336b640a279ae477ce2f861e5be01aec5800b7
Instruction Fuzzy Hash: A9416874A00215EFDB20EF65E884E9ABBB9FF49305F144029E955A7360D730AD14CB60

Function 00E2772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E277CD
CreateCompatibleDC.GDI32(00000000), ref: 00E277D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E277E7
SelectObject.GDI32(00000000,00000000), ref: 00E277EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E277FA
DeleteDC.GDI32(00000000), ref: 00E27803
GetWindowLongW.USER32(?,000000EC), ref: 00E2780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E27821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E2782D

Strings

static, xrefs: 00E27765

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: afc592e8e233d629e17d4ad09360043c5190dd355f78f608bf0ccb3eab13de3d
Instruction ID: 895e8f32a47957a26f9c429fda923c7355bfbc01ba32748af2ca16b98ef6872e
Opcode Fuzzy Hash: afc592e8e233d629e17d4ad09360043c5190dd355f78f608bf0ccb3eab13de3d
Instruction Fuzzy Hash: 54318A32105225AFDF269FA5EC08FDA3B79FF09725F100225FA55B60A0C771D826DBA4

Function 00DC7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC707B

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

__gmtime64_s.LIBCMT ref: 00DC7114
__gmtime64_s.LIBCMT ref: 00DC714A
__gmtime64_s.LIBCMT ref: 00DC7167
__allrem.LIBCMT ref: 00DC71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC71D9
__allrem.LIBCMT ref: 00DC71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC720E
__allrem.LIBCMT ref: 00DC7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC7243
__invoke_watson.LIBCMT ref: 00DC72B4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: a41ef6f5b1172ee23da77fb4910e8d639b9f7bf6b9845ea26cdc11fb0fbc11b3
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 1E718171A04717ABD7149EB9CC42F5AB3B8EF14324F18422EF914E7281E770D9409BB4

Function 00E02A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E02A31
GetMenuItemInfoW.USER32(00E66890,000000FF,00000000,00000030), ref: 00E02A92
SetMenuItemInfoW.USER32(00E66890,00000004,00000000,00000030), ref: 00E02AC8
Sleep.KERNEL32(000001F4), ref: 00E02ADA
GetMenuItemCount.USER32(?), ref: 00E02B1E
GetMenuItemID.USER32(?,00000000), ref: 00E02B3A
GetMenuItemID.USER32(?,-00000001), ref: 00E02B64
GetMenuItemID.USER32(?,?), ref: 00E02BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E02BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E02C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E02C24

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 15dd2c451c87ebff82e9db6234328e25b4ad35fd3e27b9a6f86b90c374a66f1e
Instruction ID: 50ad492079984903d47f93e242f95fee9c0cd48e2ce28ad678d52cbfc2962484
Opcode Fuzzy Hash: 15dd2c451c87ebff82e9db6234328e25b4ad35fd3e27b9a6f86b90c374a66f1e
Instruction Fuzzy Hash: 096193B0900249AFDB21CF54DC8CEAEBBF8EB41348F14556DE941B7291D771AD89DB20

Function 00E27192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E27214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E27217
GetWindowLongW.USER32(?,000000F0), ref: 00E2723B
_memset.LIBCMT ref: 00E2724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E2725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E272D6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8e7bcdc3aa7d8f9bc94e676018754f4f6bd7abb1cd3fc7474e266c9106694ad5
Instruction ID: 811881aae3768013b56d1e9c045bcb68593fb4b5c4bd8d04aca19e032dc6f5d2
Opcode Fuzzy Hash: 8e7bcdc3aa7d8f9bc94e676018754f4f6bd7abb1cd3fc7474e266c9106694ad5
Instruction Fuzzy Hash: 60617975A00218AFDB10DFA4DC81EEE77F8EB09704F14016AFA55B72A1C770AD45DBA0

Function 00DF710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DF7135
SafeArrayAllocData.OLEAUT32(?), ref: 00DF718E
VariantInit.OLEAUT32(?), ref: 00DF71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DF71C0
VariantCopy.OLEAUT32(?,?), ref: 00DF7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DF7227
VariantClear.OLEAUT32(?), ref: 00DF723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00DF7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DF7252
VariantClear.OLEAUT32(?), ref: 00DF7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DF726F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2564069eceb59684666df93146efb5557474a3c4621ed0ed10c2273bf1c77368
Instruction ID: 2e3ed7ede0fd29145869ff9233bc9aee55022197012a0ed3a4a5b44dc60c070e
Opcode Fuzzy Hash: 2564069eceb59684666df93146efb5557474a3c4621ed0ed10c2273bf1c77368
Instruction Fuzzy Hash: A3414235A0421DAFCB10EF65D8449EEBBB9FF08354F018075F955A7261DB70AA46CBA0

Function 00E15A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E15AA6
inet_addr.WSOCK32(?,?,?), ref: 00E15AEB
gethostbyname.WSOCK32(?), ref: 00E15AF7
IcmpCreateFile.IPHLPAPI ref: 00E15B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E15B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E15B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E15C00
WSACleanup.WSOCK32 ref: 00E15C06

Strings

Ping, xrefs: 00E15B29

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d8962ba1b456aab070b044952a7029cd256009c1a5274a6e0d90bbbaca531a33
Instruction ID: a28eb98e2da0a39a0a5c18afaeda55ce6f42387bf254af16599037c1af05a728
Opcode Fuzzy Hash: d8962ba1b456aab070b044952a7029cd256009c1a5274a6e0d90bbbaca531a33
Instruction Fuzzy Hash: FC519032608700DFDB209F25DC45FAAB7E4EF85714F14892AF556EB2A1DB70E844CB61

Function 00E0B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E0B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E0B7B1
GetLastError.KERNEL32 ref: 00E0B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00E0B828

Strings

UNKNOWN, xrefs: 00E0B7E0
NOTREADY, xrefs: 00E0B7E7
READY, xrefs: 00E0B801
READONLY, xrefs: 00E0B7F3
INVALID, xrefs: 00E0B7FA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 35b61ccb0e9f24e06db709d92008d73b642568d86cf71b18158e6b816158f8bd
Instruction ID: 27ab4a18c9107c35cac1ebda6682e0cd0ac6c463bcc3ba8982b74d8ed407ec01
Opcode Fuzzy Hash: 35b61ccb0e9f24e06db709d92008d73b642568d86cf71b18158e6b816158f8bd
Instruction Fuzzy Hash: 85318335A002059FDB14EF64C885AAEB7B4FF45704F18912AE902F72D1DB719986C761

Function 00DF9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DF94F6
GetDlgCtrlID.USER32 ref: 00DF9501
GetParent.USER32 ref: 00DF951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DF9520
GetDlgCtrlID.USER32(?), ref: 00DF9529
GetParent.USER32(?), ref: 00DF9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DF9548

Strings

ListBox, xrefs: 00DF94B3
ComboBox, xrefs: 00DF947E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8fab58faf4baf67fd56f9cc964193efdce0ba08192371503ecfe7a11b42e055f
Instruction ID: 2875d11cebcc301c13e290b58df63d648f760598114f71e2ff17e4ccd665c3ea
Opcode Fuzzy Hash: 8fab58faf4baf67fd56f9cc964193efdce0ba08192371503ecfe7a11b42e055f
Instruction Fuzzy Hash: A521A170E00208AFCF05AB65CC95EFEBB74EF45310F114125FA61A72A2DB7599199B70

Function 00DF955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DF95DF
GetDlgCtrlID.USER32 ref: 00DF95EA
GetParent.USER32 ref: 00DF9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DF9609
GetDlgCtrlID.USER32(?), ref: 00DF9612
GetParent.USER32(?), ref: 00DF962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DF9631

Strings

ListBox, xrefs: 00DF959E
ComboBox, xrefs: 00DF9569

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0ccc25e1afda433c71b61b160e700f462918f3458ed904c154466f00a9cd9d84
Instruction ID: ae19a44c37defe96829a797046b1f5dde077dcc82ecfd5388ade9903ab0b16a1
Opcode Fuzzy Hash: 0ccc25e1afda433c71b61b160e700f462918f3458ed904c154466f00a9cd9d84
Instruction Fuzzy Hash: AB219074A00208AFDF11AB61CC95EFEBB78EF49300F114126FA51A72A1DB75995D9A30

Function 00DF9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DF9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00DF9666
_wcscmp.LIBCMT ref: 00DF9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DF96F3

Strings

smallicons, xrefs: 00DF96BB
list, xrefs: 00DF96D5
SHELLDLL_DefView, xrefs: 00DF9672
largeicons, xrefs: 00DF9687
details, xrefs: 00DF96A1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: d8d76d9a8cc192284b17165c98366d3e2bb7e595c0524d3026a2db43edd1d09d
Instruction ID: 002dbd816f0196535875e155acae3524a2af25501922438d029070013d98ef16
Opcode Fuzzy Hash: d8d76d9a8cc192284b17165c98366d3e2bb7e595c0524d3026a2db43edd1d09d
Instruction Fuzzy Hash: 6D110A7A64830BBEFA152621DC16FF6B79CDB04761B21812AFF00F60D2FE51A9154978

Function 00E07C1A Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E07CF6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: bc3c5513a0ea180794ee51808422e15d391bc70b5ccc73345e01974e6eff9f17
Instruction ID: a9641a6eb074e3e4ece38431450b7cead927e3c514e78a95fd221b5f6493d5a8
Opcode Fuzzy Hash: bc3c5513a0ea180794ee51808422e15d391bc70b5ccc73345e01974e6eff9f17
Instruction Fuzzy Hash: C7B15D71E0821A9FDB10DF94C484BBEB7B4EF09315F145069EA91F7291D774A981CBA0

Function 00E04189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00E0419D
__swprintf.LIBCMT ref: 00E041AA

Part of subcall function 00DC38D8: __woutput_l.LIBCMT ref: 00DC3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00E041D4
LoadResource.KERNEL32(?,00000000), ref: 00E041E0
LockResource.KERNEL32(00000000), ref: 00E041ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00E0420D
LoadResource.KERNEL32(?,00000000), ref: 00E0421F
SizeofResource.KERNEL32(?,00000000), ref: 00E0422E
LockResource.KERNEL32(?), ref: 00E0423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E0429B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 0be6ca4cad17da1d915e432a6af123eb9f9c5a035781bf5b2e149cfb1c97fa49
Instruction ID: 8f6643b02a70e3fad0060fc983b4344238a411798b0cb8cb5c972bf4572fbc12
Opcode Fuzzy Hash: 0be6ca4cad17da1d915e432a6af123eb9f9c5a035781bf5b2e149cfb1c97fa49
Instruction Fuzzy Hash: 7C3191F160521AAFCB119FA1DE44EBB7BB8EF05345F004525F901F21A0D770DA928BB0

Function 00E016DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E01700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E00778,?,00000001), ref: 00E01714
GetWindowThreadProcessId.USER32(00000000), ref: 00E0171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E00778,?,00000001), ref: 00E0172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E0173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E00778,?,00000001), ref: 00E01755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E00778,?,00000001), ref: 00E01767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E00778,?,00000001), ref: 00E017AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E00778,?,00000001), ref: 00E017C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E00778,?,00000001), ref: 00E017CC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 18472fd179a6e5c9cb48b1968f7c9e84527d082de76d87ee73027c5f9fcd5503
Instruction ID: a17877a44b9e91e8553e0bb44891ea83ae8f393963342d51d6581ac0e69b5b9c
Opcode Fuzzy Hash: 18472fd179a6e5c9cb48b1968f7c9e84527d082de76d87ee73027c5f9fcd5503
Instruction Fuzzy Hash: 4331C375600204BFEB219F16ED84F7A37F9EB16759F1440AAF800FA2E0D7B49D888B50

Function 00E19428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1947C
VariantInit.OLEAUT32(?), ref: 00E1954D
VariantInit.OLEAUT32(?), ref: 00E1964E
VariantClear.OLEAUT32(?), ref: 00E19658
VariantClear.OLEAUT32(?), ref: 00E196B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00E194DD, 00E1960B, 00E196C3
Incorrect Object type in FOR..IN loop, xrefs: 00E19631
,,, xrefs: 00E194FA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: ac7c5de2c3985e4f841f55f9b812fdc90bd2944b471dac01a5b45af3d4326bc0
Instruction ID: 7a96c6e1004ae45474648536058ccc9a91213a6a2477f18365cf4d01a02de46d
Opcode Fuzzy Hash: ac7c5de2c3985e4f841f55f9b812fdc90bd2944b471dac01a5b45af3d4326bc0
Instruction Fuzzy Hash: BC91BC71A00205ABDF24DFA1C858FEEBBB8EF85314F109529F515BB282D7709985CBA0

Function 00DFA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00DFAA64), ref: 00DFA9A2

Strings

CLASSNN, xrefs: 00DFA744
TEXT, xrefs: 00DFA8D9
INSTANCE, xrefs: 00DFA8B0
CLASS, xrefs: 00DFA721
REGEXPCLASS, xrefs: 00DFA767
NAME, xrefs: 00DFA7D4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: eb3350456952a75536a57f20e39f62eaa00da3c694df014479d99dcffe09f0d3
Instruction ID: 659625bdbb26736e5f9d4f6dcb2e1ab7c08ffae20208e0743dbdc192d7848c78
Opcode Fuzzy Hash: eb3350456952a75536a57f20e39f62eaa00da3c694df014479d99dcffe09f0d3
Instruction Fuzzy Hash: 7D9193B060020AEADB08DF64C482BF9FB74FF04344F55C129DA9EA7151DB70AA59CBB1

Function 00DA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DA2EAE

Part of subcall function 00DA1DB3: GetClientRect.USER32(?,?), ref: 00DA1DDC
Part of subcall function 00DA1DB3: GetWindowRect.USER32(?,?), ref: 00DA1E1D
Part of subcall function 00DA1DB3: ScreenToClient.USER32(?,?), ref: 00DA1E45

GetDC.USER32 ref: 00DDCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DDCF95
SelectObject.GDI32(00000000,00000000), ref: 00DDCFA3
SelectObject.GDI32(00000000,00000000), ref: 00DDCFB8
ReleaseDC.USER32(?,00000000), ref: 00DDCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DDD04B

Strings

U, xrefs: 00DDCF20

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ab0de9f4ef920cb15b5aeeaa3efbef96d0bdf272f7eed44688645a4560643c26
Instruction ID: 210c3c48aafc8ff15213a9ccaa44bb2db3d1f64fd26e8d6376315395d37b37aa
Opcode Fuzzy Hash: ab0de9f4ef920cb15b5aeeaa3efbef96d0bdf272f7eed44688645a4560643c26
Instruction Fuzzy Hash: 4E719130500205DFCF259F68C884AFA7BB6FF49350F18426AFD956A2A6C7318D86DB70

Function 00E11D09 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E11D44
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E11D70
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E11DB2
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E11DC7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E11DD4
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E11E04
InternetCloseHandle.WININET(00000000), ref: 00E11E4B

Part of subcall function 00E12777: GetLastError.KERNEL32(?,?,00E11B0B,00000000,00000000,00000001), ref: 00E1278C
Part of subcall function 00E12777: SetEvent.KERNEL32(?,?,00E11B0B,00000000,00000000,00000001), ref: 00E127A1

Strings

, xrefs: 00E11DF5

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: b33072fc18fdc7dd0cae2444b5a02da986adcf7acaa7314a7ac6ba983f76396e
Instruction ID: d017cca3c007820c8b8f4b03c06e7df5761b291fffee6b262019af76da5621a7
Opcode Fuzzy Hash: b33072fc18fdc7dd0cae2444b5a02da986adcf7acaa7314a7ac6ba983f76396e
Instruction Fuzzy Hash: EB415BB1510208BFEB129F50CC89FFB77ACFF08754F00516AFA05AA281D7709E859BA1

Function 00E18F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E2F910), ref: 00E1903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E2F910), ref: 00E19071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E191EB
SysFreeString.OLEAUT32(?), ref: 00E19215

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 6f4a05e569a7f4123f70b1be68123d001c04566ee221a38ffec9db9b8a2744a8
Instruction ID: 595a43e4b7b779c580c305ba44a7e089cd2aed27d8ce80579b57aec7fec5bd67
Opcode Fuzzy Hash: 6f4a05e569a7f4123f70b1be68123d001c04566ee221a38ffec9db9b8a2744a8
Instruction Fuzzy Hash: 06F11971A00209EFDB14DF94C898EEEB7B9FF49314F108059F516AB251DB31AE86CB60

Function 00E1F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E1FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E1FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E1FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E1FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E1FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E1FD90
CloseHandle.KERNEL32(?), ref: 00E1FDBF
CloseHandle.KERNEL32(?), ref: 00E1FE36

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4ca56c54e1270e81991db26575cdc763fb652f1d29a4209081452107499a6256
Instruction ID: 6cdcbbbdee234e13edba0c3e3435e2b89ee59e7463ea1d6cb012f8c01ac4c7de
Opcode Fuzzy Hash: 4ca56c54e1270e81991db26575cdc763fb652f1d29a4209081452107499a6256
Instruction Fuzzy Hash: 0DE1A531204341DFC714EF24C491BAABBE1EF85354F14956DF899AB2A2DB31DC85CBA2

Function 00E04F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E038D3,?), ref: 00E048C7

Part of subcall function 00E048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E038D3,?), ref: 00E048E0

Part of subcall function 00E04CD3: GetFileAttributesW.KERNEL32(?,00E03947), ref: 00E04CD4

lstrcmpiW.KERNEL32(?,?), ref: 00E04FE2
_wcscmp.LIBCMT ref: 00E04FFC
MoveFileW.KERNEL32(?,?), ref: 00E05017

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: a02d09a3b3647f42caa91319993d3b82844b90e98b62dc49d9f53d9d65cac313
Instruction ID: bb8199907cdf700c8b1aafc639090a741cb9e3c9ce4442ff4beeb86593b2770f
Opcode Fuzzy Hash: a02d09a3b3647f42caa91319993d3b82844b90e98b62dc49d9f53d9d65cac313
Instruction Fuzzy Hash: F95155F21087859BD724EB50D8819DFB7ECEF85341F00592EF285E3191EE74A6888B76

Function 00E288B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E2896E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 24b40a00ca459392260a2010aa7c29ce06d7a8095136039233337c29b4275b3a
Instruction ID: 932d68043c7b5add974649a81ab863bbf650463aa0cca8bab8d294ff31d968a1
Opcode Fuzzy Hash: 24b40a00ca459392260a2010aa7c29ce06d7a8095136039233337c29b4275b3a
Instruction Fuzzy Hash: 27510670502228BFDF389F29EE85BAA3B75FB05354F605122F515F65A1CF70A980CB91

Function 00DA2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DDC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DDC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DDC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DDC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DDC5C0
DestroyIcon.USER32(00000000), ref: 00DDC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DDC5EC
DestroyIcon.USER32(?), ref: 00DDC5FB

Part of subcall function 00E2A71E: DeleteObject.GDI32(00000000), ref: 00E2A757

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: af173869c62cd9cf4b89bf67f457b8beaf79de2694c3e8ed7db9117cc9e5a25c
Instruction ID: fb18d59496a89238270c6bc88b25f8a47b9e472fbe09403ff05b543ab79b78e8
Opcode Fuzzy Hash: af173869c62cd9cf4b89bf67f457b8beaf79de2694c3e8ed7db9117cc9e5a25c
Instruction Fuzzy Hash: F7516A7061020AAFDB24DF2ADC45FBA77B5EB45350F140529F942A72A0DBB0ED91DB70

Function 00DF9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DFAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DFAE77
Part of subcall function 00DFAE57: GetCurrentThreadId.KERNEL32 ref: 00DFAE7E
Part of subcall function 00DFAE57: AttachThreadInput.USER32(00000000,?,00DF9B65,?,00000001), ref: 00DFAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DF9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00DF9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DF9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DF9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DF9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DF9BDD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b73420929397b9a9215d6143a3798db0456b291bfaf4c68f91f982e46ef3f8b7
Instruction ID: 73796b27b37b5ebb2a87caaa4bd1bac7d4280c242c176a1ce0edce09d8fbad81
Opcode Fuzzy Hash: b73420929397b9a9215d6143a3798db0456b291bfaf4c68f91f982e46ef3f8b7
Instruction Fuzzy Hash: 1511E571950218BEF6206B65DC89F6A7B2DEB4C751F510425F344AB0A1CAF25C21DAB4

Function 00DF8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E0C
HeapAlloc.KERNEL32(00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DF8A84,00000B00,?,?), ref: 00DF8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E30
DuplicateHandle.KERNEL32(00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00DF8A84,00000B00,?,?), ref: 00DF8E43
GetCurrentProcess.KERNEL32(00DF8A84,00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E4B
DuplicateHandle.KERNEL32(00000000,?,00DF8A84,00000B00,?,?), ref: 00DF8E4E
CreateThread.KERNEL32(00000000,00000000,00DF8E74,00000000,00000000,00000000), ref: 00DF8E68

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 615765fe32a44b20540f474a290c86c481820b987c9ebb44744a8fd4af58e8ab
Instruction ID: 68e1e1c3352afe35dc3951d213f0fc4504766c35d4322f1afa0dcc6d6320b578
Opcode Fuzzy Hash: 615765fe32a44b20540f474a290c86c481820b987c9ebb44744a8fd4af58e8ab
Instruction Fuzzy Hash: 4F01BF75641308FFE720AB65DD4EF6B3B6CEB89711F414421FA05DB1A2CA71D815CB20

Function 00E19A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00DF7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?,?,00DF799D), ref: 00DF766F
Part of subcall function 00DF7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?), ref: 00DF768A
Part of subcall function 00DF7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?), ref: 00DF7698
Part of subcall function 00DF7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?), ref: 00DF76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E19B1B
_memset.LIBCMT ref: 00E19B28
_memset.LIBCMT ref: 00E19C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E19C97
CoTaskMemFree.OLE32(?), ref: 00E19CA2

Strings

NULL Pointer assignment, xrefs: 00E19CF0

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 11d43410763bc8cd8deb805b31463006a0187ece6c6909fb1b02d2001d97fab8
Instruction ID: b5fee1ece08714ecdd38ed548ead0bf93ce6b1d436f7fce404009ed3bb17c2a7
Opcode Fuzzy Hash: 11d43410763bc8cd8deb805b31463006a0187ece6c6909fb1b02d2001d97fab8
Instruction Fuzzy Hash: 03912971D00219ABDB10DFA5DC91EDEBBB8EF09710F20416AF519B7281DB71AA45CFA0

Function 00E26FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E27093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E270A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E270C1
_wcscat.LIBCMT ref: 00E2711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E27133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E27161

Strings

SysListView32, xrefs: 00E27065

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 4dbb811c60b818be43d299818057fdb60936ef916620129277fc424a15959144
Instruction ID: 343450697aba94edd23bdc673d57146a7ded6e111fbbbc62e700965ac444c8b5
Opcode Fuzzy Hash: 4dbb811c60b818be43d299818057fdb60936ef916620129277fc424a15959144
Instruction Fuzzy Hash: C241A370904318AFEB219FA4DC85FEE77B8EF08354F10146AF984B7191D7719D888B60

Function 00E1EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E03E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E03EB6
Part of subcall function 00E03E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E03EC4
Part of subcall function 00E03E91: CloseHandle.KERNEL32(00000000), ref: 00E03F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E1ECB8
GetLastError.KERNEL32 ref: 00E1ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E1ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E1ED77
GetLastError.KERNEL32(00000000), ref: 00E1ED82
CloseHandle.KERNEL32(00000000), ref: 00E1EDB7

Strings

SeDebugPrivilege, xrefs: 00E1ECD6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a3f192757d20132d1c9d90aea0ddc20dc70c92c2381f22fc25f50f70f3d54dbd
Instruction ID: 5dea35154ab1aebc57a4a74f872d69873372bdfe609c680a008e06c005f9be1c
Opcode Fuzzy Hash: a3f192757d20132d1c9d90aea0ddc20dc70c92c2381f22fc25f50f70f3d54dbd
Instruction Fuzzy Hash: A641AD702002009FDB20EF24CC95FBEB7A5EF45714F088459F942AB3D2DB75A848CBA2

Function 00E03226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E032C5

Strings

info, xrefs: 00E03266
stop, xrefs: 00E03296
question, xrefs: 00E0327E
blank, xrefs: 00E03247
warning, xrefs: 00E032AE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f7f1a05cdb0cc857163ba252ac4886ab81765a04c04f527b7fc600fc62c65a57
Instruction ID: 8ce8d30278b52939b73efc86aa1dde16b8889bb2eeb3fc5656c26a11b88b5392
Opcode Fuzzy Hash: f7f1a05cdb0cc857163ba252ac4886ab81765a04c04f527b7fc600fc62c65a57
Instruction Fuzzy Hash: 97113635208747BFE7056B65DC43DAAB79CEF19374F24103AF900B61D1E6B15B8046B5

Function 00E04534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E0454E
LoadStringW.USER32(00000000), ref: 00E04555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E0456B
LoadStringW.USER32(00000000), ref: 00E04572
_wprintf.LIBCMT ref: 00E04598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E045B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E04593

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: dfddbc8ea280db842446c22977356407aee3f55f21c3c7d47f67c876d3153947
Instruction ID: e7450ab3dcc585696f4715c7d1c29c759cc8fce203f779e6c326df7294ec2469
Opcode Fuzzy Hash: dfddbc8ea280db842446c22977356407aee3f55f21c3c7d47f67c876d3153947
Instruction Fuzzy Hash: 670121F2500208BFE72197A5DD89EE6777CE708301F4005B5FB46F2051EA749E894B70

Function 00E2D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

GetSystemMetrics.USER32(0000000F), ref: 00E2D78A
GetSystemMetrics.USER32(0000000F), ref: 00E2D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E2D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E2DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E2DA24
ShowWindow.USER32(00000003,00000000), ref: 00E2DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00E2DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E2DA8B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 781a088d97b215e7dad9780c631acb45cd24f613162a8982c551ba45360f6c87
Instruction ID: 69939b54fe2664b0fc2721929b047e886468d70470ad859df52c95593ead5710
Opcode Fuzzy Hash: 781a088d97b215e7dad9780c631acb45cd24f613162a8982c551ba45360f6c87
Instruction Fuzzy Hash: 45B1DA71604225EFDF18CF29D985BBD7BB1FF44704F089069EE48AB295DB70A990CB90

Function 00DA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DDC417,00000004,00000000,00000000,00000000), ref: 00DA2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DDC417,00000004,00000000,00000000,00000000,000000FF), ref: 00DA2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DDC417,00000004,00000000,00000000,00000000), ref: 00DDC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DDC417,00000004,00000000,00000000,00000000), ref: 00DDC4D6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0ef0ca2378142446dea92ea9fc36b2850092e620b90921f8940b1c67b854ebf3
Instruction ID: 8a8062aa9b370dd9a162c7aed8021eacdeebb6b9e2e15b358a81b2c561399a6e
Opcode Fuzzy Hash: 0ef0ca2378142446dea92ea9fc36b2850092e620b90921f8940b1c67b854ebf3
Instruction Fuzzy Hash: 794119312186809FC7358B2F9D9CB7B7BA2AF87310F1C842EE08796660C675E846D771

Function 00E07368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E0737F

Part of subcall function 00DC0FF6: std::exception::exception.LIBCMT ref: 00DC102C
Part of subcall function 00DC0FF6: __CxxThrowException@8.LIBCMT ref: 00DC1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E073B6
EnterCriticalSection.KERNEL32(?), ref: 00E073D2
_memmove.LIBCMT ref: 00E07420
_memmove.LIBCMT ref: 00E0743D
LeaveCriticalSection.KERNEL32(?), ref: 00E0744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E07461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E07480

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 442894e62747416054bd7200cae6c950301be28aaf0f88ac2f97305e6e79c18c
Instruction ID: 3ea29ccdb5958d0304d720fdb2f9baa57dd0ca3b6f355db3aed5eb5af098c406
Opcode Fuzzy Hash: 442894e62747416054bd7200cae6c950301be28aaf0f88ac2f97305e6e79c18c
Instruction Fuzzy Hash: E831CD32900206EFCB10DF65DC85EAE7BB8EF45300B1440B9F900AB286DB30DA54CBB0

Function 00E26442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E2645A
GetDC.USER32(00000000), ref: 00E26462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E2646D
ReleaseDC.USER32(00000000,00000000), ref: 00E26479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E264B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E264C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E29299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E26500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E26520

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b96e5a46e8ffaf6db131d7902cf92492b24fce32a5b1140d9fb975e29b752766
Instruction ID: 9c15382e09be79178a727de96aaf1f5c5b5eb73594e1fd29b1f025451600bdbb
Opcode Fuzzy Hash: b96e5a46e8ffaf6db131d7902cf92492b24fce32a5b1140d9fb975e29b752766
Instruction Fuzzy Hash: E3319F72241214BFEF208F51DC4AFEB3FA9EF09765F040165FE08AA191C6B59C46CBA4

Function 00DFC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DFC087
_memcmp.LIBCMT ref: 00DFC0A9
_memcmp.LIBCMT ref: 00DFC0C1
_memcmp.LIBCMT ref: 00DFC0D4
_memcmp.LIBCMT ref: 00DFC0EE
_memcmp.LIBCMT ref: 00DFC101
_memcmp.LIBCMT ref: 00DFC119
_memcmp.LIBCMT ref: 00DFC134

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0e14850c55fe8fab25d5a6ff21a95928f3fcfe24c32305a7167916c6d50bdebd
Instruction ID: c9aac8ec2a282effb49629502a7d2ae33a656b9a4c10b8c67968d89aeda8d9e9
Opcode Fuzzy Hash: 0e14850c55fe8fab25d5a6ff21a95928f3fcfe24c32305a7167916c6d50bdebd
Instruction Fuzzy Hash: 6421D37565031EB7D610B5208E56FBB275CEE11394F09A028FF49A7283EB11DD32C1B5

Function 00E0ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

Part of subcall function 00DBFEC6: _wcscpy.LIBCMT ref: 00DBFEE9

_wcstok.LIBCMT ref: 00E0EEFF
_wcscpy.LIBCMT ref: 00E0EF8E
_memset.LIBCMT ref: 00E0EFC1

Strings

X, xrefs: 00E0EFFE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 4a6d3a0d8f7f7723ae87d30460ebf73da432d31ec301603403b3648ad0d0173e
Instruction ID: a1e17f4006b09274bdc2d2a989c472bdeabe21bba87cdb65ef346fc68e834170
Opcode Fuzzy Hash: 4a6d3a0d8f7f7723ae87d30460ebf73da432d31ec301603403b3648ad0d0173e
Instruction Fuzzy Hash: 95C18271608301DFC724EF24D891A9AB7E4FF85314F14496DF899A72A2DB30ED45CBA2

Function 00DA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784372a4ad374de156bf510ddab3eca030758d428c273a45ef7a46a2b75858d6
Instruction ID: 2e5c7db73b1062fb0da9c7cedd4f0708c6216be733fee5424451136bb440b2f3
Opcode Fuzzy Hash: 784372a4ad374de156bf510ddab3eca030758d428c273a45ef7a46a2b75858d6
Instruction Fuzzy Hash: CD716B38904109EFCB148F99CC49EBEBB79FF8A324F148159F915AA251C770AA51CFB4

Function 00E16E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4d3abfc6df62b43ee425d068d68d1f4ed95021a744a2d67bf4aae8e5d32db6
Instruction ID: 451af026c8e905f6628346c4187141173cc27789437d899267bed51e0c50bd46
Opcode Fuzzy Hash: 0e4d3abfc6df62b43ee425d068d68d1f4ed95021a744a2d67bf4aae8e5d32db6
Instruction Fuzzy Hash: A261AE71508700AFC710EB24CC91EABB7E9EF89B14F104A1DF585A7292DB71AE45C7B2

Function 00E2B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FC60D0), ref: 00E2B6A5
IsWindowEnabled.USER32(00FC60D0), ref: 00E2B6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00E2B795
SendMessageW.USER32(00FC60D0,000000B0,?,?), ref: 00E2B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00E2B809
GetWindowLongW.USER32(00FC60D0,000000EC), ref: 00E2B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E2B843

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b70c753429e16afd5213bdfaaa5b0faed810d0197421750dab9d015a1de800c7
Instruction ID: 1339f6c46b75c4ac63d84c0888ac6818dbfa213ae638d4f91dec5a63cca517ac
Opcode Fuzzy Hash: b70c753429e16afd5213bdfaaa5b0faed810d0197421750dab9d015a1de800c7
Instruction Fuzzy Hash: C4710F34600224AFDB24DF65E894FBA7BB9FF89304F04516AF946B72A1C731AC41CB50

Function 00E0145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E0149C
GetKeyboardState.USER32(?), ref: 00E014B1
SetKeyboardState.USER32(?), ref: 00E01512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E01540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E0155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E015A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E015C8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f0b330c35788060dafbd146036b22aad4fd724f6951ae9f0491e6f9ae8fa0d7d
Instruction ID: dbd1e9c39ebee6e9231178b391f0d24cd2d184a6132dd6477db6a52a3684d773
Opcode Fuzzy Hash: f0b330c35788060dafbd146036b22aad4fd724f6951ae9f0491e6f9ae8fa0d7d
Instruction Fuzzy Hash: A251D1A0A047D53EFB3646348C45BBABEE96B46308F0C95C9E1D56E8D2C299ECC8D750

Function 00E01276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E012B5
GetKeyboardState.USER32(?), ref: 00E012CA
SetKeyboardState.USER32(?), ref: 00E0132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E01357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E01374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E013B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E013D9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 61df71078690c50040d9f67c93eca4c8b475d46932c1cfd6002047cab3bf1aa1
Instruction ID: b3d11ddc88ef058bb5fe237916361fbb16a90488da4d0f762957691dfdda4448
Opcode Fuzzy Hash: 61df71078690c50040d9f67c93eca4c8b475d46932c1cfd6002047cab3bf1aa1
Instruction Fuzzy Hash: 245106A09047D53EFB3687248C45B7A7FA9AF06308F0895C9E1D46E8D2D398ECD8E751

Function 00E0589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E058AC
_wcsncpy.LIBCMT ref: 00E058E1
_wcsncpy.LIBCMT ref: 00E05913
_wcsncpy.LIBCMT ref: 00E05946
_wcsncpy.LIBCMT ref: 00E05988
_wcsncpy.LIBCMT ref: 00E059C2
_wcsncpy.LIBCMT ref: 00E059F1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b7b44bff5fc94b61430977de2db25066c1ca291dee842f620892ae65cb9bfe1c
Instruction ID: 34d21c232ea98ef57745d81e35f53afddf60b5010cb6ff45281f943d871025f7
Opcode Fuzzy Hash: b7b44bff5fc94b61430977de2db25066c1ca291dee842f620892ae65cb9bfe1c
Instruction Fuzzy Hash: 19418E6AC2061976CB10EBB48886ECFB3ACDF04310F50996AF518F3161E634E755C7B9

Function 00DFDA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DFDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DFDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DFDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DFDB8E

Strings

,,, xrefs: 00DFDA69
DllGetClassObject, xrefs: 00DFDB01

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: f817ae62076b4b58d6149afc1d9e98d9876d84bb4184f39a575a053cae2618e7
Instruction ID: 0cb867f13956e8f06d29462b5f23065c86536f3f02fd4efa6a6bbcf4125d6733
Opcode Fuzzy Hash: f817ae62076b4b58d6149afc1d9e98d9876d84bb4184f39a575a053cae2618e7
Instruction Fuzzy Hash: B5416071600208EFDB15CF55C884AAABBBBEF48310F16C1A9EE059F206D7B1D944CBB0

Function 00E038AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E038D3,?), ref: 00E048C7

Part of subcall function 00E048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E038D3,?), ref: 00E048E0

lstrcmpiW.KERNEL32(?,?), ref: 00E038F3
_wcscmp.LIBCMT ref: 00E0390F
MoveFileW.KERNEL32(?,?), ref: 00E03927
_wcscat.LIBCMT ref: 00E0396F
SHFileOperationW.SHELL32(?), ref: 00E039DB

Strings

\*.*, xrefs: 00E03969

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 97b43b7bf01d0a84a18bca614e046f3f4474eb3404bec082fd685ac4e5454fcb
Instruction ID: bdaf27d51b806450042ec9c831c14cb544ce3a82f79423ce24bcc373fa18441d
Opcode Fuzzy Hash: 97b43b7bf01d0a84a18bca614e046f3f4474eb3404bec082fd685ac4e5454fcb
Instruction Fuzzy Hash: EA4181B15083859ED751EF64C481AEFB7ECEF89340F40192EB489E3191EA74D688C762

Function 00E27500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E27519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E275C0
IsMenu.USER32(?), ref: 00E275D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E27620
DrawMenuBar.USER32 ref: 00E27633

Strings

0, xrefs: 00E2750D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b9a080cb0a07efbf4f7b9873d6de2b496123185ac12930f41e030333013831fc
Instruction ID: 5341cda6dd72b859dbd64f8b0fb3dd64050b28ad5188fbc0a9f957bed4c4ed46
Opcode Fuzzy Hash: b9a080cb0a07efbf4f7b9873d6de2b496123185ac12930f41e030333013831fc
Instruction Fuzzy Hash: 6B414571A04619EFDB20CF65E884E9ABBB8FB08354F048029FD95A7250D730AD54CFA0

Function 00E2122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E2125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E21286
FreeLibrary.KERNEL32(00000000), ref: 00E2133D

Part of subcall function 00E2122D: RegCloseKey.ADVAPI32(?), ref: 00E212A3
Part of subcall function 00E2122D: FreeLibrary.KERNEL32(?), ref: 00E212F5
Part of subcall function 00E2122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E21318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E212E0

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: cb3c2cfe056f38774e13e0fe221d131bf96814403d437b8443139cf492a49767
Instruction ID: 77bdf578d7384ea8ef94f099c5befb645a79b0024350c93a85adc042c3b18eb4
Opcode Fuzzy Hash: cb3c2cfe056f38774e13e0fe221d131bf96814403d437b8443139cf492a49767
Instruction Fuzzy Hash: 71311B71901119BFDB14DB91EC89EFFB7BCEB18304F0011B9E501F2151DA749F499AA0

Function 00E2653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E2655B
GetWindowLongW.USER32(00FC60D0,000000F0), ref: 00E2658E
GetWindowLongW.USER32(00FC60D0,000000F0), ref: 00E265C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00E265F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00E2661F
GetWindowLongW.USER32(?,000000F0), ref: 00E26630
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E2664A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 01ec5b0d3e921e3491d8adc55ad4a78cb7f2df063dde8c66e9c517935496c088
Instruction ID: 3da6e7260c3467113d581adb3600b5ea97e9c4bafa60957976dfbee82155c4df
Opcode Fuzzy Hash: 01ec5b0d3e921e3491d8adc55ad4a78cb7f2df063dde8c66e9c517935496c088
Instruction Fuzzy Hash: F4313730684160AFDB20CF29EC84F5537E5FB4A758F1812A8F501AB2B5CB71EC48DB81

Function 00E16486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E180CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E164D9
WSAGetLastError.WSOCK32(00000000), ref: 00E164E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E16521
connect.WSOCK32(00000000,?,00000010), ref: 00E1652A
WSAGetLastError.WSOCK32 ref: 00E16534
closesocket.WSOCK32(00000000), ref: 00E1655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E16576

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 8904f3ef9590bd8620b95f8ef9807f02a35e3e27e965fc42c22dbe5c778b64b7
Instruction ID: 71d0647a71a069aab3309c27e305f1aa796d0103dd52af1e907b442129f310fc
Opcode Fuzzy Hash: 8904f3ef9590bd8620b95f8ef9807f02a35e3e27e965fc42c22dbe5c778b64b7
Instruction Fuzzy Hash: FD31A171600118AFDB149F24CC85BFEBBB9EB45724F008069F915A7291DB70AD49CB61

Function 00DFE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DFE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DFE120
SysAllocString.OLEAUT32(00000000), ref: 00DFE123
SysAllocString.OLEAUT32 ref: 00DFE144
SysFreeString.OLEAUT32 ref: 00DFE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00DFE167
SysAllocString.OLEAUT32(?), ref: 00DFE175

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 462012626d4d452e294b125922932b4286b2d7a4892500afbff7cb0824237cff
Instruction ID: 9a608233b49eee2c29136b52dbbf19d729fca0cfd718f110427ed817d342b3e2
Opcode Fuzzy Hash: 462012626d4d452e294b125922932b4286b2d7a4892500afbff7cb0824237cff
Instruction Fuzzy Hash: A121903560021CAF9B20AFA9DC88DBB77ECEB09760B058235FA54DB261DA70DC418B70

Function 00DFFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DFFB81
__wcsnicmp.LIBCMT ref: 00DFFBA2
__wcsnicmp.LIBCMT ref: 00DFFBBC

Strings

#requireadmin, xrefs: 00DFFB9C
#notrayicon, xrefs: 00DFFB79
#OnAutoItStartRegister, xrefs: 00DFFBB6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: bf8dc0fdc3e72f4cdb49ef4e448953c0a1226db12b9bf8bd8f61e841e821cfff
Instruction ID: c61ecdd9e1f39d956a11d92039cb7acf8d78b5a0a0a20691426a34ea7d13576b
Opcode Fuzzy Hash: bf8dc0fdc3e72f4cdb49ef4e448953c0a1226db12b9bf8bd8f61e841e821cfff
Instruction Fuzzy Hash: 6C213732104269A6D230A724DC52FB77398DF51344F19C039FAC697141EB51E992D2B5

Function 00E2783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DA1D73
Part of subcall function 00DA1D35: GetStockObject.GDI32(00000011), ref: 00DA1D87
Part of subcall function 00DA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E278A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E278AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E278B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E278C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E278D4

Strings

Msctls_Progress32, xrefs: 00E27872

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a10f881cb13c506980046135c9d31636c19eca6e205759f01e814ea5fe293bd4
Instruction ID: 98f257f2c555fa19453fdc0405fbc44052841971496710997b9ad4bf5d97a56d
Opcode Fuzzy Hash: a10f881cb13c506980046135c9d31636c19eca6e205759f01e814ea5fe293bd4
Instruction Fuzzy Hash: 3D118EB2510229BFEF199F61DC85EE77F6DEF08798F015115FA44A2090C772AC21DBA0

Function 00DC9D26 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00DC9D26

Part of subcall function 00DC33C7: EncodePointer.KERNEL32(00000000), ref: 00DC33CA
Part of subcall function 00DC33C7: __initp_misc_winsig.LIBCMT ref: 00DC33E5
Part of subcall function 00DC33C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DCA0E0
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DCA0F4
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DCA107
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DCA11A
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DCA12D
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00DCA140
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00DCA153
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00DCA166
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00DCA179
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00DCA18C
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00DCA19F
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00DCA1B2
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00DCA1C5
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00DCA1D8
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00DCA1EB
Part of subcall function 00DC33C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00DCA1FE

__mtinitlocks.LIBCMT ref: 00DC9D2B
__mtterm.LIBCMT ref: 00DC9D34

Part of subcall function 00DC9D9C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00DC9D39,00DC7F0D,00E5BD38,00000014), ref: 00DC9E96
Part of subcall function 00DC9D9C: _free.LIBCMT ref: 00DC9E9D
Part of subcall function 00DC9D9C: DeleteCriticalSection.KERNEL32(0B,?,?,00DC9D39,00DC7F0D,00E5BD38,00000014), ref: 00DC9EBF

__calloc_crt.LIBCMT ref: 00DC9D59
__initptd.LIBCMT ref: 00DC9D7B
GetCurrentThreadId.KERNEL32 ref: 00DC9D82

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 93244d19eb595ff27af3f2281360899a7da1d02b742381ad39cbe23e77271387
Instruction ID: 81602fef2fa1cf1cfee056148a351c588295a4638f0c84deaada41f7db5ab3f6
Opcode Fuzzy Hash: 93244d19eb595ff27af3f2281360899a7da1d02b742381ad39cbe23e77271387
Instruction Fuzzy Hash: D3F062325157136DE6347775BC2AF86A690DF01731F154B2EF455E74D2EF1084424570

Function 00DC41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DC4292,?), ref: 00DC41E3
GetProcAddress.KERNEL32(00000000), ref: 00DC41EA
EncodePointer.KERNEL32(00000000), ref: 00DC41F6
DecodePointer.KERNEL32(00000001,00DC4292,?), ref: 00DC4213

Strings

RoInitialize, xrefs: 00DC41D2
combase.dll, xrefs: 00DC41DE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 37642835956a474ed348343d301d8f4f0bc15229c26870cf706d2f1fc3ec19ba
Instruction ID: a0fe3012d2252a4eff03c1949b5b3ab3f687e52aa2c654381397562ed48fd690
Opcode Fuzzy Hash: 37642835956a474ed348343d301d8f4f0bc15229c26870cf706d2f1fc3ec19ba
Instruction Fuzzy Hash: F3E0E5B0691301AFEB20ABB2FC0DB053AA4AB66B42F505438F591F60E0DBF5409ACB14

Function 00DC429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DC41B8), ref: 00DC42B8
GetProcAddress.KERNEL32(00000000), ref: 00DC42BF
EncodePointer.KERNEL32(00000000), ref: 00DC42CA
DecodePointer.KERNEL32(00DC41B8), ref: 00DC42E5

Strings

RoUninitialize, xrefs: 00DC42A7
combase.dll, xrefs: 00DC42B3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: c498f7d31579dfbd2606f41667520adf94cca9c7b3a5bc19b4453702bdccf76c
Instruction ID: 31771b96a9ec701fcb56db161ee1102334696b3bdd2335c929e23a62622f6a85
Opcode Fuzzy Hash: c498f7d31579dfbd2606f41667520adf94cca9c7b3a5bc19b4453702bdccf76c
Instruction Fuzzy Hash: 7CE0BFB8542301EFEB209B62FD0DB063AB4BB16B86F545038F111F10E0CBB44559CB18

Function 00DA1DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DA1DDC
GetWindowRect.USER32(?,?), ref: 00DA1E1D
ScreenToClient.USER32(?,?), ref: 00DA1E45
GetClientRect.USER32(?,?), ref: 00DA1F74
GetWindowRect.USER32(?,?), ref: 00DA1F8D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b9480426241075d887f54add3225f2e23865383d1e6106a400290e621690ff7c
Instruction ID: 87c90f332f6b8c7138e8a5397b758ff65fa255d3e329e979f3c63483fd6e804d
Opcode Fuzzy Hash: b9480426241075d887f54add3225f2e23865383d1e6106a400290e621690ff7c
Instruction Fuzzy Hash: C8B15C7990024ADFDF10CFA9C5807EEB7B1FF09314F18952AED999B250DB30AA50CB65

Function 00E0675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E068AD
_memmove.LIBCMT ref: 00E067E8

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

_memmove.LIBCMT ref: 00E0685B
_memmove.LIBCMT ref: 00E06942
_memmove.LIBCMT ref: 00E0695B
_memmove.LIBCMT ref: 00E06977

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 332a0019674531f161066eb251dfbe9e1734f3fbe53b1b894ce2488a7b4617b0
Instruction ID: 3a2dacb25d329c35f6f285a745d76ce0607d66f97159b1df03ad7a5e34f066e3
Opcode Fuzzy Hash: 332a0019674531f161066eb251dfbe9e1734f3fbe53b1b894ce2488a7b4617b0
Instruction Fuzzy Hash: 3E61983050025AABDB15EF60C892FFE77A8EF46308F044519F85A6B292DB30E991DB70

Function 00E2046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00E210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E20038,?,?), ref: 00E210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E20548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E20588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E205AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E205D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E20617
RegCloseKey.ADVAPI32(00000000), ref: 00E20624

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a616a9712f79d4a0bd6d805286050a3f18747f8baef40fe6ec93af39bd446701
Instruction ID: 655bbb62418e53531e97685f1bc43f991939861d29c801a559fcb7e6b7cb2b3d
Opcode Fuzzy Hash: a616a9712f79d4a0bd6d805286050a3f18747f8baef40fe6ec93af39bd446701
Instruction Fuzzy Hash: 1B513831208210AFCB14EB64D885E6FBBE9FF89314F04496DF545A72A2DB31E905CB62

Function 00E25A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E25A82
GetMenuItemCount.USER32(00000000), ref: 00E25AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E25AE1
GetMenuItemID.USER32(?,?), ref: 00E25B50
GetSubMenu.USER32(?,?), ref: 00E25B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E25BAF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: ebe83c25cf6abb56e5ce2a5a4d51badff70b57440052306be16c3812002128b8
Instruction ID: e1330104563018a670cb6e2198c2c1883776ee99b82d5b638da43679440c159e
Opcode Fuzzy Hash: ebe83c25cf6abb56e5ce2a5a4d51badff70b57440052306be16c3812002128b8
Instruction Fuzzy Hash: F9517076A00625EFCF15EFA4D945AAEB7B4FF48320F1054A9F815B7351CB70AE418BA0

Function 00DFF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DFF3F7
VariantClear.OLEAUT32(00000013), ref: 00DFF469
VariantClear.OLEAUT32(00000000), ref: 00DFF4C4
_memmove.LIBCMT ref: 00DFF4EE
VariantClear.OLEAUT32(?), ref: 00DFF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DFF569

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: f3241f9282e7ea2df7911dec1a1525897a1ab8b06923202336e36333bfeaada0
Instruction ID: acf07f73d5bcd504383db22f758e2ec381c0eccf1c038b05d5ddd698f1589e7e
Opcode Fuzzy Hash: f3241f9282e7ea2df7911dec1a1525897a1ab8b06923202336e36333bfeaada0
Instruction Fuzzy Hash: 63516AB5A00209EFCB10DF58D880AAAB7B9FF4C314B158569EA59DB300D730E952CBA0

Function 00E026F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E02747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E02792
IsMenu.USER32(00000000), ref: 00E027B2
CreatePopupMenu.USER32 ref: 00E027E6
GetMenuItemCount.USER32(000000FF), ref: 00E02844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E02875

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: be562081382a39eb82b59219cd7fd9e6f6355e05e82cc39169f8c0eba44e2197
Instruction ID: a432c1c95775e8f323f7b872b85d32009014268c36fb999e10a0ea624c64a8dd
Opcode Fuzzy Hash: be562081382a39eb82b59219cd7fd9e6f6355e05e82cc39169f8c0eba44e2197
Instruction Fuzzy Hash: 7851A274900206DFDF29CF64D88CAADBBF4AF54318F14916EE611BB2D1D7708984CB61

Function 00DA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00DA179A
GetWindowRect.USER32(?,?), ref: 00DA17FE
ScreenToClient.USER32(?,?), ref: 00DA181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DA182C
EndPaint.USER32(?,?), ref: 00DA1876

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0f07418bf3ba04a90cd2dd3ca630ab82e655a580cbd3c83df1eb6c3e915b4967
Instruction ID: dba751730c21d10b1fd464773210cc4456314b58ef5b6d58fc4d3e8758f0c059
Opcode Fuzzy Hash: 0f07418bf3ba04a90cd2dd3ca630ab82e655a580cbd3c83df1eb6c3e915b4967
Instruction Fuzzy Hash: 9741BC34500200AFC720DF26DC84BBA7BF8EB4A764F140629F9A49B2A1C7709809DB72

Function 00E2B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E667B0,00000000,00FC60D0,?,?,00E667B0,?,00E2B862,?,?), ref: 00E2B9CC
EnableWindow.USER32(?,00000000), ref: 00E2B9F0
ShowWindow.USER32(00E667B0,00000000,00FC60D0,?,?,00E667B0,?,00E2B862,?,?), ref: 00E2BA50
ShowWindow.USER32(?,00000004,?,00E2B862,?,?), ref: 00E2BA62
EnableWindow.USER32(?,00000001), ref: 00E2BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E2BAA9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4d18e82df0ece471500275ca7b0a777c1708cdbf2d462b860e0f10d343e52277
Instruction ID: 9db5b151cf2131b97c4fdacdc5d3e109d429ac1c46106752f346a027065cf867
Opcode Fuzzy Hash: 4d18e82df0ece471500275ca7b0a777c1708cdbf2d462b860e0f10d343e52277
Instruction Fuzzy Hash: 3A418270601254AFDB21CF15E489B957BF0FF45318F1852B9FA58AF6A2C731E846CB50

Function 00E173B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E15134,?,?,00000000,00000001), ref: 00E173BF

Part of subcall function 00E13C94: GetWindowRect.USER32(?,?), ref: 00E13CA7

GetDesktopWindow.USER32 ref: 00E173E9
GetWindowRect.USER32(00000000), ref: 00E173F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E17422

Part of subcall function 00E054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E0555E

GetCursorPos.USER32(?), ref: 00E1744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E174AC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 64402706d3830a24bb1161627c4f8d7ab3530c57f471ce0fd37184b092e2fbe5
Instruction ID: 9cc1200076c4a52e2b184fc28f8d5b1d1a3683abf0c998c247368b7a31c117b6
Opcode Fuzzy Hash: 64402706d3830a24bb1161627c4f8d7ab3530c57f471ce0fd37184b092e2fbe5
Instruction Fuzzy Hash: 7A31D272508315AFD720DF14D849E9BBBE9FF88714F001929F599A7191CA30E989CBD2

Function 00DF8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DF8608
Part of subcall function 00DF85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DF8612
Part of subcall function 00DF85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DF8621
Part of subcall function 00DF85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DF8628
Part of subcall function 00DF85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DF863E

GetLengthSid.ADVAPI32(?,00000000,00DF8977), ref: 00DF8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DF8DB8
HeapAlloc.KERNEL32(00000000), ref: 00DF8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00DF8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00DF8977), ref: 00DF8DEC
HeapFree.KERNEL32(00000000), ref: 00DF8DF3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a6a8f443b7cb7adbffa4d2677406f7009cb283f86ba9e7dc93ecd9fdd9b4b1c7
Instruction ID: 86f4380bb873ed026c2d5ccec090d68f6d56ac4fad750489d6d9f890a5fd8ee8
Opcode Fuzzy Hash: a6a8f443b7cb7adbffa4d2677406f7009cb283f86ba9e7dc93ecd9fdd9b4b1c7
Instruction Fuzzy Hash: A311DC31A01609FFDB208FA5CC09BBE7BB9EF40315F158029E945A7251CB369905EB71

Function 00DF8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DF8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00DF8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DF8B40
CloseHandle.KERNEL32(00000004), ref: 00DF8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DF8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00DF8B8E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 96dabfc279bb9d86f3768804439b2262c3aaf893d39f4b2794c4fd4553e04dbe
Instruction ID: 41bc073736fc5ff1d5d03a57f071f5bcd8aa4b76f3d0e7a87a0ef3ad44e0607f
Opcode Fuzzy Hash: 96dabfc279bb9d86f3768804439b2262c3aaf893d39f4b2794c4fd4553e04dbe
Instruction Fuzzy Hash: 3B1147B250020DAFDF118FA5ED49FEA7BB9EB08305F098065FE04A2160C7728D65AB61

Function 00E2C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA134D
Part of subcall function 00DA12F3: SelectObject.GDI32(?,00000000), ref: 00DA135C
Part of subcall function 00DA12F3: BeginPath.GDI32(?), ref: 00DA1373
Part of subcall function 00DA12F3: SelectObject.GDI32(?,00000000), ref: 00DA139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E2C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00E2C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E2C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00E2C1F6
EndPath.GDI32(00000000), ref: 00E2C206
StrokePath.GDI32(00000000), ref: 00E2C216

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 47a5f0327a6255d4083a32b95b60e7bb91bfc343efaed5e996c0fc257bad669d
Instruction ID: 4495918a1fb647d626d502f0fbcc5894266c930bdc547ad0ee77cfb88bd85a3b
Opcode Fuzzy Hash: 47a5f0327a6255d4083a32b95b60e7bb91bfc343efaed5e996c0fc257bad669d
Instruction Fuzzy Hash: FF111E7640010CFFDF119F91EC48F9A7FADEB04394F048025F918A6162C7B19D59DBA0

Function 00DFBC53 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DFBC78
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DFBC89
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DFBC90
ReleaseDC.USER32(00000000,00000000), ref: 00DFBC98
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DFBCAF
MulDiv.KERNEL32(000009EC,?,?), ref: 00DFBCC1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d881899c456084d798ac1cc734c5926ebffd6ad0132f48875a597fc245161656
Instruction ID: 2454141b3221875625d42e1c57605afea21aecaefcf0d26c530b33633326ed44
Opcode Fuzzy Hash: d881899c456084d798ac1cc734c5926ebffd6ad0132f48875a597fc245161656
Instruction Fuzzy Hash: 59014875E00618BFEB105BB69D45E5EBFB8EB48761F044076FA08A7251D6709C15CFA0

Function 00DC03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DC03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DC03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DC03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DC03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DC03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DC0401

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f5378aed2a29ab36f47f77d2bc3cef4c623e691e6f08b5c86d8627d767bd4658
Instruction ID: 224070fdf7d67371fae4d4790c0fb652cc79b57400f43e75814e3b85c3235b82
Opcode Fuzzy Hash: f5378aed2a29ab36f47f77d2bc3cef4c623e691e6f08b5c86d8627d767bd4658
Instruction Fuzzy Hash: 9F0148B09027597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A868CBE5

Function 00E0568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E0569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E056B1
GetWindowThreadProcessId.USER32(?,?), ref: 00E056C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E056CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E056D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E056E0

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f76c243624e3cb675e9be4c0dab8e88e1083273ecc1941fc013b67665cf994cb
Instruction ID: 8056b2af8b650dcf9874129887123d48f2fe5853851ddb15d9481ff4585ae8aa
Opcode Fuzzy Hash: f76c243624e3cb675e9be4c0dab8e88e1083273ecc1941fc013b67665cf994cb
Instruction Fuzzy Hash: 66F01D32641158BFE7315BA3EC0EEAB7B7CEBCAB11F000179FA05E109196A15A1686B5

Function 00E074D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E074E5
EnterCriticalSection.KERNEL32(?,?,00DB1044,?,?), ref: 00E074F6
TerminateThread.KERNEL32(00000000,000001F6,?,00DB1044,?,?), ref: 00E07503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DB1044,?,?), ref: 00E07510

Part of subcall function 00E06ED7: CloseHandle.KERNEL32(00000000,?,00E0751D,?,00DB1044,?,?), ref: 00E06EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E07523
LeaveCriticalSection.KERNEL32(?,?,00DB1044,?,?), ref: 00E0752A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0ab54482e2eca7d9131a05f315d8007fd8505646a7fd70bded416de59952f909
Instruction ID: 3d95a088c98ae066433dff05f443e22b484e06b295ac146cb564d5ff41c5ba0d
Opcode Fuzzy Hash: 0ab54482e2eca7d9131a05f315d8007fd8505646a7fd70bded416de59952f909
Instruction Fuzzy Hash: A0F05E3B940612EFDB211B65FD8CAEB773AEF46302B001531F642B10B5CB755956CB50

Function 00DF8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DF8E7F
UnloadUserProfile.USERENV(?,?), ref: 00DF8E8B
CloseHandle.KERNEL32(?), ref: 00DF8E94
CloseHandle.KERNEL32(?), ref: 00DF8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00DF8EA5
HeapFree.KERNEL32(00000000), ref: 00DF8EAC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6d65e479fae9d35eb8d1adeb37e554f20ce337d26ef4128675ca51973f967698
Instruction ID: 040729fe3d3f3627c189c9ddce482a793ce5b62f892f5f310e41eebefbf7b637
Opcode Fuzzy Hash: 6d65e479fae9d35eb8d1adeb37e554f20ce337d26ef4128675ca51973f967698
Instruction Fuzzy Hash: B1E0C236004001FFDA115FE2ED0C91ABB79FB89322B508231F219A1071CB32943ADB50

Function 00DF7A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E32C7C,?), ref: 00DF7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E32C7C,?), ref: 00DF7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00E2FB80,000000FF,?,00000000,00000800,00000000,?,00E32C7C,?), ref: 00DF7C6F
_memcmp.LIBCMT ref: 00DF7C90

Strings

,,, xrefs: 00DF7A85

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: 24a5e27459b52bf4214cd26b8c646a5a6d1a6d8c6b7fcd9aaaf929ceab98cb0a
Instruction ID: 7776e4b9420cfb5877fa421eb9c3dfee0d0f4eb915823e3359d7d115edf71296
Opcode Fuzzy Hash: 24a5e27459b52bf4214cd26b8c646a5a6d1a6d8c6b7fcd9aaaf929ceab98cb0a
Instruction Fuzzy Hash: 94810C75A00109EFCB04DF94C984EEEB7B9FF89315F258198F515AB250DB71AE06CB60

Function 00E18902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E18928
CharUpperBuffW.USER32(?,?), ref: 00E18A37
VariantClear.OLEAUT32(?), ref: 00E18BAF

Part of subcall function 00E07804: VariantInit.OLEAUT32(00000000), ref: 00E07844
Part of subcall function 00E07804: VariantCopy.OLEAUT32(00000000,?), ref: 00E0784D
Part of subcall function 00E07804: VariantClear.OLEAUT32(00000000), ref: 00E07859

Strings

AUTOIT.ERROR, xrefs: 00E18A3D
Incorrect Parameter format, xrefs: 00E18960, 00E18B22

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 92c62792ba069c7e117bcf2603c10f3813b81ab8c683393e6f59f1ffd8ea219a
Instruction ID: 7b5e406b7aa355ba8a50c8b837921f8a61bbbf39d82028bd7c2e33d115bc8da4
Opcode Fuzzy Hash: 92c62792ba069c7e117bcf2603c10f3813b81ab8c683393e6f59f1ffd8ea219a
Instruction Fuzzy Hash: 01917D756083019FC710DF24C5849ABBBF4EF89314F04996EF89A9B362DB31E945CB62

Function 00E02F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DBFEC6: _wcscpy.LIBCMT ref: 00DBFEE9

_memset.LIBCMT ref: 00E03077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E030A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E03159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E03187

Strings

0, xrefs: 00E03063

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 79cb2d5dc1a023c64d89e686648cf99454a47ea77686a2e6381d47836737e2b1
Instruction ID: 3d09edb3597169d73e83a270c6780465c025e649215c302777d6225ef614893c
Opcode Fuzzy Hash: 79cb2d5dc1a023c64d89e686648cf99454a47ea77686a2e6381d47836737e2b1
Instruction Fuzzy Hash: 4E51B03160A3019ED7259F38D845A6BB7E8EF99354F041A2EF895F31D1DB70CE8487A2

Function 00E02C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E02CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E02CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00E02D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E66890,00000000), ref: 00E02D5A

Strings

0, xrefs: 00E02CA4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d72d6b5690f2d6b89be3ca424ef89cb08b2b5cfa2edff0c6a73556ca7ec99cd4
Instruction ID: 59ea5b4f3f30c9719f080323b31a1eb458f75df4d04f82502e104e4887b0d702
Opcode Fuzzy Hash: d72d6b5690f2d6b89be3ca424ef89cb08b2b5cfa2edff0c6a73556ca7ec99cd4
Instruction Fuzzy Hash: 5E4180312043029FD724DF24C889B5ABBE8EF85324F14466DFA65A72D1D770ED45CBA2

Function 00E1DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E1DAD9

Part of subcall function 00DA79AB: _memmove.LIBCMT ref: 00DA79F9

Strings

winapi, xrefs: 00E1DB4A
cdecl, xrefs: 00E1DB30
stdcall, xrefs: 00E1DB5B
none, xrefs: 00E1DBB4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 165092576dc8f8038060734417457f049264e220f0a8ed92b3dc576eb497b255
Instruction ID: 2295c5be0c5617aede080a1a5cc54ea5c93a2f45c44d560f17fe69ddfeed4e1e
Opcode Fuzzy Hash: 165092576dc8f8038060734417457f049264e220f0a8ed92b3dc576eb497b255
Instruction Fuzzy Hash: 5731947150861AEFCF10EF54CC81DEEB7B4FF45314B108A29E866A76D1DB31AA45CBA0

Function 00DF9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DF93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DF9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DF9439

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Strings

ListBox, xrefs: 00DF93B5
ComboBox, xrefs: 00DF9380

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 056614722287551f8d5af207f010a8d653e0cd3bc553f2620d6f83950f31cffb
Instruction ID: 910b283a7111549669f249f35d21afaa144c11df1c67ecda2f4e623f25aed9e7
Opcode Fuzzy Hash: 056614722287551f8d5af207f010a8d653e0cd3bc553f2620d6f83950f31cffb
Instruction Fuzzy Hash: 7721E471E00108AEDB14ABB0DC95DFFF778DF06360B158129FA25A71E1DB355A0A9670

Function 00DA410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DDD5EC

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

_memset.LIBCMT ref: 00DA418D
_wcscpy.LIBCMT ref: 00DA41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DA41F1

Strings

Line: , xrefs: 00DDD615

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 086bfa691c83fb8a075b47f7901592a89eea719188f530cc9b3b67ab62e12347
Instruction ID: 762b7aed35ec24e04d216d3666d8f356fd256456c5a6b27490a48439cdcffa06
Opcode Fuzzy Hash: 086bfa691c83fb8a075b47f7901592a89eea719188f530cc9b3b67ab62e12347
Instruction Fuzzy Hash: A931D371008305AED721EB60EC56FDB77E8EF96310F14451EF185A20A1EBB0A64DC7B2

Function 00E11B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E11B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E11B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E11B96
InternetCloseHandle.WININET(00000000), ref: 00E11BDD

Part of subcall function 00E12777: GetLastError.KERNEL32(?,?,00E11B0B,00000000,00000000,00000001), ref: 00E1278C
Part of subcall function 00E12777: SetEvent.KERNEL32(?,?,00E11B0B,00000000,00000000,00000001), ref: 00E127A1

Strings

, xrefs: 00E11B87

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d5e8f7ca34430618246ca722481c181055245e0c50236286d5a9df2c7b253d89
Instruction ID: 8c6ed29d27702e14acf41df8de95defeee0ce444ccde99d3a1ca8ac142dd60ce
Opcode Fuzzy Hash: d5e8f7ca34430618246ca722481c181055245e0c50236286d5a9df2c7b253d89
Instruction Fuzzy Hash: 1B21CFB1504208BFEB219F218CC5EFF76FCEB49B48F10516AF605B2240EA309D4997B1

Function 00E26656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DA1D73
Part of subcall function 00DA1D35: GetStockObject.GDI32(00000011), ref: 00DA1D87
Part of subcall function 00DA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E266D0
LoadLibraryW.KERNEL32(?), ref: 00E266D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E266EC
DestroyWindow.USER32(?), ref: 00E266F4

Strings

SysAnimate32, xrefs: 00E266AB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0404790bfcb7dca3c4040b64a8d0f47b6061694da58a840c2796083ca7bc51c0
Instruction ID: 0d9f3a3b3ff32175d1b1cc0988a7b0abefcf55f36e2c214749dd197d4c93d132
Opcode Fuzzy Hash: 0404790bfcb7dca3c4040b64a8d0f47b6061694da58a840c2796083ca7bc51c0
Instruction Fuzzy Hash: 80216D7120021AAFEF104F64FC80EBB77ADEB59768F106729F911B61A0D7B1DC519760

Function 00E0703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E0705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E07091
GetStdHandle.KERNEL32(0000000C), ref: 00E070A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E070DD

Strings

nul, xrefs: 00E070D8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 73c40cf722b937168ce91687852b38e6a38183d8e377e28e083f9493a891821d
Instruction ID: d1a004b4935c1405b6141d00a5a07fc558c5747f2db93b71338f2de5bbc81690
Opcode Fuzzy Hash: 73c40cf722b937168ce91687852b38e6a38183d8e377e28e083f9493a891821d
Instruction Fuzzy Hash: 85217F75A04209ABDB209F69DC05A9A77B8BF45724F205B29FCE0E72D0D770A891CB50

Function 00E0710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E0712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E0715D
GetStdHandle.KERNEL32(000000F6), ref: 00E0716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E071A8

Strings

nul, xrefs: 00E071A3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8a77bfefea10834af04d7e3a7082b21cbf74aca5bdbecdaf59ac0ea46d764fd6
Instruction ID: a8658f0f6a80d9f11c1caf3fbff9ee5e11ca47ea83e5dd81d5e504ba46f4dc7b
Opcode Fuzzy Hash: 8a77bfefea10834af04d7e3a7082b21cbf74aca5bdbecdaf59ac0ea46d764fd6
Instruction Fuzzy Hash: BE21A475A093069BDB209F699C04A9977E8AF55724F201619FDE0F32D0D770A8928750

Function 00E0AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E0AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E0AF13
__swprintf.LIBCMT ref: 00E0AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E2F910), ref: 00E0AF6A

Strings

%lu, xrefs: 00E0AF26

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c38d97425d9822ae94d5f0760ee0be71c0defc22700fe9a5c5f921e630b2cc3a
Instruction ID: a4bc97154cbcf49d12dc51e9e9f4337d7a88c3666763b68ee6cc2fb1eaaf6a25
Opcode Fuzzy Hash: c38d97425d9822ae94d5f0760ee0be71c0defc22700fe9a5c5f921e630b2cc3a
Instruction Fuzzy Hash: EA218634600209AFCB10EF65CD85DAEBBB8EF49704B044079F905EB251DB31EA45CB31

Function 00DFA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

Part of subcall function 00DFA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DFA399
Part of subcall function 00DFA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DFA3AC
Part of subcall function 00DFA37C: GetCurrentThreadId.KERNEL32 ref: 00DFA3B3
Part of subcall function 00DFA37C: AttachThreadInput.USER32(00000000), ref: 00DFA3BA

GetFocus.USER32 ref: 00DFA554

Part of subcall function 00DFA3C5: GetParent.USER32(?), ref: 00DFA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00DFA59D
EnumChildWindows.USER32(?,00DFA615), ref: 00DFA5C5
__swprintf.LIBCMT ref: 00DFA5DF

Strings

%s%d, xrefs: 00DFA5D9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 491b7541cc74870cca8d006af75a46a61d83ac99590a59693cff9ceda2acdd68
Instruction ID: a4dc3a9b142a7db1ead42cd5a54c767542a6b8174ff893d0d9c15e35a036982f
Opcode Fuzzy Hash: 491b7541cc74870cca8d006af75a46a61d83ac99590a59693cff9ceda2acdd68
Instruction Fuzzy Hash: 251160B1604209ABDF117FA8EC85FFA37B8DF49700F048075FA0CAA152DA7459498B76

Function 00E02017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E02048

Strings

APPEND, xrefs: 00E02081
REMOVE, xrefs: 00E0204E
KEYS, xrefs: 00E0205F
EXISTS, xrefs: 00E02070

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 00ba811447a0f63de428428ac8ff74826edcef1b6645b19cd262eac6ca796ddd
Instruction ID: b0c8f8aa9cb47311fa1c1155db815970e42514d71a10a8c9023c73c0451a41c7
Opcode Fuzzy Hash: 00ba811447a0f63de428428ac8ff74826edcef1b6645b19cd262eac6ca796ddd
Instruction Fuzzy Hash: 62115E7090021ACFCF00EFA4D9519EEB7B4FF56304B109968D95677291EB326E0ACB60

Function 00E1EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E1EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E1EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E1F07E
CloseHandle.KERNEL32(?), ref: 00E1F0FF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 87ec8b8a44fbddbf5fd9001e914a1c1b188da4fc17dba455188af537d39f902f
Instruction ID: 24b86c04d9744a2d2c1bbf2f34bf0c77615013b5f303ab2411163c469d3af35d
Opcode Fuzzy Hash: 87ec8b8a44fbddbf5fd9001e914a1c1b188da4fc17dba455188af537d39f902f
Instruction Fuzzy Hash: 258171B16043009FD720DF24C856F6AF7E5EF48720F14881DF995EB292DB71AD418BA2

Function 00DC564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC56AB
_memcpy_s.LIBCMT ref: 00DC571D
__read_nolock.LIBCMT ref: 00DC577B
__filbuf.LIBCMT ref: 00DC579E
_memset.LIBCMT ref: 00DC57E2

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: c7cceca272f9b2f798a17956104480886dd47eb2b969799b78f20b2dc86f86e8
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: 1C518534A00B07DBDB249E69A880F6E77A1EF40320F68872DF825972D4D770ADD19B70

Function 00E202C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00E210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E20038,?,?), ref: 00E210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E20388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E203C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E2040E
RegCloseKey.ADVAPI32(?,?), ref: 00E2043A
RegCloseKey.ADVAPI32(00000000), ref: 00E20447

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 31d1d5b966caff64ca209cd48a0722765c885c49d07c61dcdbd8e4f3afa4d4a4
Instruction ID: f2c2afb5b88a36c67c45c0e32bebee2f564d1fe3b57c4f7206b111af17b3ac7e
Opcode Fuzzy Hash: 31d1d5b966caff64ca209cd48a0722765c885c49d07c61dcdbd8e4f3afa4d4a4
Instruction Fuzzy Hash: 7C514A31208204AFD714EF64DC91E6EB7E8FF85714F04992DF595AB2A2DB30E905CB62

Function 00E1DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E1DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00E1DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E1DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00E1DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E1DD35

Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E07B20,?,?,00000000), ref: 00DA5B8C
Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E07B20,?,?,00000000,?,?), ref: 00DA5BB0

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 687d9eef2f7d6c1d96a6e82382d714142c33ff0882e342930964730bd5a19217
Instruction ID: 560e267e3abead5671d1886660590e7bc738e4c597d282aec38f1a468df3bfab
Opcode Fuzzy Hash: 687d9eef2f7d6c1d96a6e82382d714142c33ff0882e342930964730bd5a19217
Instruction Fuzzy Hash: D5512735A046059FCB00EF68D8949EDF7F4FF59324B058569E819AB322DB30ED85CBA1

Function 00E0E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E0E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E0E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E0E8F2

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E0E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E0E91F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 8d9217a9310a0e5f9cad310ad204c9e0aa7ff81b153d394b51fadda4e394b1b0
Instruction ID: 11da52734247805a0673322f500b7f5b22f531d99b0ce4d89585c40aecf217c8
Opcode Fuzzy Hash: 8d9217a9310a0e5f9cad310ad204c9e0aa7ff81b153d394b51fadda4e394b1b0
Instruction Fuzzy Hash: A8513B35A00205EFCB04EF64C991AAEBBF5EF09314B1484A9E849AB361CB31ED41DF60

Function 00E2A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6014a969f45e4c91a0907ac1361fffe73a09347cc3893e6651d318342ec2570
Instruction ID: f3e2b40771f9a0eba2ebe26694cfdbc92f5b4e0d59c958676dbdcf0f34b601cc
Opcode Fuzzy Hash: b6014a969f45e4c91a0907ac1361fffe73a09347cc3893e6651d318342ec2570
Instruction Fuzzy Hash: C641D035900224AFC724EF28EC48FADBBA9EB09310F1C1175E865B72E1D770AD45DA91

Function 00DA2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DA2357
ScreenToClient.USER32(00E667B0,?), ref: 00DA2374
GetAsyncKeyState.USER32(00000001), ref: 00DA2399
GetAsyncKeyState.USER32(00000002), ref: 00DA23A7

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 024f7e3fe027943deaf285fa6425711311edccb5a0b42c18b7af04f8a73935ff
Instruction ID: 2a8fc0356726942e749251ea8e4cb1c2cac2cd03f0bda63508489200e325d921
Opcode Fuzzy Hash: 024f7e3fe027943deaf285fa6425711311edccb5a0b42c18b7af04f8a73935ff
Instruction Fuzzy Hash: 1D417F3150411AFFDF159FA9CC44AEEBBB4FF46324F24432AF869A2290C7349954DBA1

Function 00DF6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DF695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00DF69A9
TranslateMessage.USER32(?), ref: 00DF69D2
DispatchMessageW.USER32(?), ref: 00DF69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DF69EB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: e2dd13e32293c00503eabc765cc53605fff260e52ca32e6beca67b5f031623f2
Instruction ID: d577cc8e0dfc92d4cee0904814396dc7a89f938af3060613f65a8305cb4426f2
Opcode Fuzzy Hash: e2dd13e32293c00503eabc765cc53605fff260e52ca32e6beca67b5f031623f2
Instruction Fuzzy Hash: 2331043050024AAFCB208F719C44FB67BB8EB01350F198129E625E2861D7B1D98DCBB0

Function 00DF8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00DF8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DF8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00DF8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DF8FDA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5a9a36f35babc741564a2dc0b7058583edd89a0166796797dbe68d52209d5b29
Instruction ID: 262260ea30e053198e3aa0701550a60b468fbca8fc13cfc0acdc7594c1b96d31
Opcode Fuzzy Hash: 5a9a36f35babc741564a2dc0b7058583edd89a0166796797dbe68d52209d5b29
Instruction Fuzzy Hash: 2F31CF7190021DEFDB10CF68D948AAE7BB6FF04315F118229FA24A61D0C7709914DBA2

Function 00DFB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DFB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DFB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DFB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DFB742
_wcsstr.LIBCMT ref: 00DFB74C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 7e864eb3b0bfb18346b2bd8f024c3a2df27447fcd8310928c31462511fce36a9
Instruction ID: ead02ce1e426d93abba558f1ed573e06580a26c0b0472d3492be4baa0b6fffc8
Opcode Fuzzy Hash: 7e864eb3b0bfb18346b2bd8f024c3a2df27447fcd8310928c31462511fce36a9
Instruction Fuzzy Hash: A9210731204208BEEB256B79DC49E7B7BADDF49720F15803EFD05DA1A1EB61DC4196B0

Function 00E2B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

GetWindowLongW.USER32(?,000000F0), ref: 00E2B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E2B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E2B489
GetSystemMetrics.USER32(00000004), ref: 00E2B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E11184,00000000), ref: 00E2B4D0

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 161df28a6223d7c5d0c4e8e2a9a99b9f37d50a2e9b5227649a7a077ba78f3be9
Instruction ID: 928ef666baf71bacc0cae89f20e24d9b159e5f4981d683628967efb1e3f58c64
Opcode Fuzzy Hash: 161df28a6223d7c5d0c4e8e2a9a99b9f37d50a2e9b5227649a7a077ba78f3be9
Instruction Fuzzy Hash: 5F219131510266AFCB24AF39EC88A6A77A4FB05725F145738F936E31E2F7309811DB90

Function 00DF97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DF9802

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DF9834
__itow.LIBCMT ref: 00DF984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DF9874
__itow.LIBCMT ref: 00DF9885

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 72074d700e59bcb51149d170c3458baac2383c199ec1210d6c090e831cbc065e
Instruction ID: 71830636cb3011f4011d351891195bf8f927572a565ad1e079ed154cf0537acc
Opcode Fuzzy Hash: 72074d700e59bcb51149d170c3458baac2383c199ec1210d6c090e831cbc065e
Instruction Fuzzy Hash: 1521B871A0020CABDB109A658C96FFE7BA8DF4A750F098035FE04AB251D6708D4587F1

Function 00E15D60 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E15D81
GetForegroundWindow.USER32 ref: 00E15D98
GetDC.USER32(00000000), ref: 00E15DD4
GetPixel.GDI32(00000000,?,00000003), ref: 00E15DE0
ReleaseDC.USER32(00000000,00000003), ref: 00E15E1B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ae06100dad23a922b5ef281d0edb3dda4ece6a57a894bbdf55b21dea72d22de7
Instruction ID: 980d4a9399e2598220ef5695dfcbc15d32f5c1383e52600c045c36292d0dc758
Opcode Fuzzy Hash: ae06100dad23a922b5ef281d0edb3dda4ece6a57a894bbdf55b21dea72d22de7
Instruction Fuzzy Hash: F521A136A00104EFD714EF65DD88AAAB7F5EF89310F048479F84AA7261CA30AD45CBA0

Function 00DA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA134D
SelectObject.GDI32(?,00000000), ref: 00DA135C
BeginPath.GDI32(?), ref: 00DA1373
SelectObject.GDI32(?,00000000), ref: 00DA139C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: de4d9c3b03bf074dd0fca0bcf02987a05b1f08e37f5e759050fec5572d36ed98
Instruction ID: ad9a09925793190e768cc4a36b461656d0ce02c457baededc9a464977ad584b5
Opcode Fuzzy Hash: de4d9c3b03bf074dd0fca0bcf02987a05b1f08e37f5e759050fec5572d36ed98
Instruction Fuzzy Hash: 8A213074810204EFDF159F66FC05B6E7FB8FB01361F188226F810A75A1D7B19999DBA0

Function 00DFC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DFC176
_memcmp.LIBCMT ref: 00DFC194
_memcmp.LIBCMT ref: 00DFC1A7
_memcmp.LIBCMT ref: 00DFC1BF
_memcmp.LIBCMT ref: 00DFC1D7

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f3324ec192a9712c996814861f54dda9eda55fb078a0b3d36ef8907d5ee13d7e
Instruction ID: 8d5fac67d3127b14bf4cde54906cc4f91577f99bbc6b54aa19fb01b43e6deb6d
Opcode Fuzzy Hash: f3324ec192a9712c996814861f54dda9eda55fb078a0b3d36ef8907d5ee13d7e
Instruction Fuzzy Hash: B501D67165431E3BD614B6205E56F7B675CDB11394F09D018FF04A7283E650EE31C2B0

Function 00E04D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E04D5C
__beginthreadex.LIBCMT ref: 00E04D7A
MessageBoxW.USER32(?,?,?,?), ref: 00E04D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E04DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E04DAC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 164cd135712a8b6af964ffd5897d0bc0aaf9d5a8daaf3ad2d562900375ee657d
Instruction ID: 68a1defad6dfeac48b080b7d786828ddd86a8f5c6b4daf0af4e633b84f4bd78d
Opcode Fuzzy Hash: 164cd135712a8b6af964ffd5897d0bc0aaf9d5a8daaf3ad2d562900375ee657d
Instruction Fuzzy Hash: 5611E5B2904209BFC7119BA9AC04A9B7BACEB45324F144269F914F32E1D6B18D4887A0

Function 00DF874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF8766
GetLastError.KERNEL32(?,00DF822A,?,?,?), ref: 00DF8770
GetProcessHeap.KERNEL32(00000008,?,?,00DF822A,?,?,?), ref: 00DF877F
HeapAlloc.KERNEL32(00000000,?,00DF822A,?,?,?), ref: 00DF8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF879D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1b81d422558397c8e4f87de8cfa4d7a2ee58f934a79094c8e422769fbad1e3c1
Instruction ID: 0987885d558474493524b66b68c1cf68321f4ae7b8621aba1d02b3b9fd65e060
Opcode Fuzzy Hash: 1b81d422558397c8e4f87de8cfa4d7a2ee58f934a79094c8e422769fbad1e3c1
Instruction Fuzzy Hash: 1D014B71601208EFDB205FA6DC89D6B7BBCEF897557204439F949D6260DA318C16DA70

Function 00E054E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E05502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E05510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E05518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E05522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E0555E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 08dd0ceae684f8430cedfe4b28c7cb9e0fbe576a17653f2e1f1f96e1f476304b
Instruction ID: a449af9cf80b9b20ff6735ff25d3951a8ef5a036ca25e1b26d5417839ae353c2
Opcode Fuzzy Hash: 08dd0ceae684f8430cedfe4b28c7cb9e0fbe576a17653f2e1f1f96e1f476304b
Instruction Fuzzy Hash: ED016D36D01A19DBCF10DFE9EC496EEBB79FB09711F410066E901B2180DB3096A5CBA1

Function 00DF7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?,?,00DF799D), ref: 00DF766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?), ref: 00DF768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?), ref: 00DF7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?), ref: 00DF76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DF758C,80070057,?,?), ref: 00DF76B4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0443af7fa29c12e65d57b9304c7d166d3c55adfacfa8cc4e0318430d1c5e2a4f
Instruction ID: c78ee6af3d7d4d31400417fa2331dd1a4f7935957b5ff6243ff68ac88dceb14c
Opcode Fuzzy Hash: 0443af7fa29c12e65d57b9304c7d166d3c55adfacfa8cc4e0318430d1c5e2a4f
Instruction Fuzzy Hash: 0F01D472600608BFDB248F19DC04BAABBBCEB44751F154038FE08E2211EB31DD0187B0

Function 00DF85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DF8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DF8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DF8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DF8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DF863E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e089b5f84cb7d868593149ddd3c04477fac6ac21ead498e28fe2f5019903bd49
Instruction ID: 4f304b5eca004039dbbee814093f9a6fd8b8b9afaa81ff3223579101917185be
Opcode Fuzzy Hash: e089b5f84cb7d868593149ddd3c04477fac6ac21ead498e28fe2f5019903bd49
Instruction Fuzzy Hash: 1FF03C31201208AFEB200FA6DC89E7B3BACEF89754B444435FA45D6150CB619D46EA71

Function 00DF8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DF8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF869F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8098da8e6edc62774a0a24977b17e52a17f7455f8fbbf6b2bd9320c86fcb1073
Instruction ID: b5411ed1a94e2e7a2f92820ca3fdb680be1c2593f6f6798e750ecf6421feec4c
Opcode Fuzzy Hash: 8098da8e6edc62774a0a24977b17e52a17f7455f8fbbf6b2bd9320c86fcb1073
Instruction Fuzzy Hash: 5DF04F71201208AFEB211FA6EC88E773BBCEF89754B140035FA45D6150CB71D946EA71

Function 00DFC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DFC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DFC6D1
MessageBeep.USER32(00000000), ref: 00DFC6E9
KillTimer.USER32(?,0000040A), ref: 00DFC705
EndDialog.USER32(?,00000001), ref: 00DFC71F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 56c67f2314a41281092556706126b3b5a720fc357b3a093ddbfb0cab8efcf4b1
Instruction ID: 9e40a33836922bb3c04771fc434183a735f83523f4a9d238834be71ccae7947f
Opcode Fuzzy Hash: 56c67f2314a41281092556706126b3b5a720fc357b3a093ddbfb0cab8efcf4b1
Instruction Fuzzy Hash: 2D01443051470C9BEB316B21DD4EFA67778FB00705F045569F682B14E1DBE4A9698E90

Function 00DA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00DA13BF
StrokeAndFillPath.GDI32(?,?,00DDBAD8,00000000,?), ref: 00DA13DB
SelectObject.GDI32(?,00000000), ref: 00DA13EE
DeleteObject.GDI32 ref: 00DA1401
StrokePath.GDI32(?), ref: 00DA141C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 149b5c1c60f12dab93370d74f489e3bc2a6c4fdab0bb59f35c484dc175d65655
Instruction ID: 754fc2515fa1a2abf7a4cd2f205f14f5d105203654a1b04d5e310c9965ea23c0
Opcode Fuzzy Hash: 149b5c1c60f12dab93370d74f489e3bc2a6c4fdab0bb59f35c484dc175d65655
Instruction Fuzzy Hash: 54F0C934014208EFDB295F2BFD0CB593FB5A742366F088224E469A60F1C7B5899ADF60

Function 00E0C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E0C69D
CoCreateInstance.OLE32(00E32D6C,00000000,00000001,00E32BDC,?), ref: 00E0C6B5

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

CoUninitialize.OLE32 ref: 00E0C922

Strings

.lnk, xrefs: 00E0C631, 00E0C659, 00E0C663

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 43d712099d7304f605cf4a3b90068be03db6b352742cee6bc9e26d01bab351ce
Instruction ID: 20349023999828516c6f3be24de7840ff4669ac6e4c1096ce0d5a6f3f2423394
Opcode Fuzzy Hash: 43d712099d7304f605cf4a3b90068be03db6b352742cee6bc9e26d01bab351ce
Instruction Fuzzy Hash: 4EA13B71204305AFD704EF54C891EABB7E8EF95704F00492DF196971A2EB70EA49CB72

Function 00DB2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00DC0FF6: std::exception::exception.LIBCMT ref: 00DC102C
Part of subcall function 00DC0FF6: __CxxThrowException@8.LIBCMT ref: 00DC1041

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DA7BB1: _memmove.LIBCMT ref: 00DA7C0B

__swprintf.LIBCMT ref: 00DB302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DB2EC6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 390ea8d89740673388ab0fc92a888ae7ccfd7d008850b431bbbe6a6c0f7100aa
Instruction ID: 2396043bbf88e7b985c41524f8a87b02a26f2f41a0d91c4be1481c6e0004372c
Opcode Fuzzy Hash: 390ea8d89740673388ab0fc92a888ae7ccfd7d008850b431bbbe6a6c0f7100aa
Instruction Fuzzy Hash: 5B916A71108341DFC728FF24D895DAEB7A4EF96750F04491DF4869B2A1EA20EE44DB72

Function 00E0BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DA48A1,?,?,00DA37C0,?), ref: 00DA48CE

CoInitialize.OLE32(00000000), ref: 00E0BC26
CoCreateInstance.OLE32(00E32D6C,00000000,00000001,00E32BDC,?), ref: 00E0BC3F
CoUninitialize.OLE32 ref: 00E0BC5C

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

Strings

.lnk, xrefs: 00E0BC08, 00E0BC16

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d6cc376e0f6a4cfcfe555c120608115e299e96d35c15b8f8f15b53fdfb10ce0e
Instruction ID: e4d19fd2b29f4eb64f27350f765c82c5a0483f4c6d69c2f3a569e7d4a0b963bd
Opcode Fuzzy Hash: d6cc376e0f6a4cfcfe555c120608115e299e96d35c15b8f8f15b53fdfb10ce0e
Instruction Fuzzy Hash: CEA167752043019FCB14DF24C494D6ABBE5FF89318F148998F899AB3A1CB31ED45CBA1

Function 00DFB7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DFB981

Strings

Container, xrefs: 00DFB8FE
%, xrefs: 00DFBA24
AutoIt3GUI, xrefs: 00DFB8F9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: a39f355239cd30903ead1f1261e3ece23049c41379f0fc7b0e0121c37647b292
Instruction ID: 0b374a93e9bd57376b8a42440ee6e50de981e832ebc419f4a7ab928e9fef93a8
Opcode Fuzzy Hash: a39f355239cd30903ead1f1261e3ece23049c41379f0fc7b0e0121c37647b292
Instruction Fuzzy Hash: 37913A706006059FDB24DF64C885A7ABBF9FF48720F15856EFA49DB691DBB0E840CB60

Function 00DC524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DC52DD

Part of subcall function 00DD0340: __87except.LIBCMT ref: 00DD037B

Strings

pow, xrefs: 00DC52B5, 00DC52D2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fe589550065c250218411c7b83d63788a65435de846633b8020c1686d46897b8
Instruction ID: 67bfee4d013ed2ac59758dc0b924819ac830d35e30889c766e49bc7f25b2a58b
Opcode Fuzzy Hash: fe589550065c250218411c7b83d63788a65435de846633b8020c1686d46897b8
Instruction Fuzzy Hash: 62516961A0CA078ACB117714E901B6F6FD4DB80350F28495EE4C5833EEEE74DCD89A7A

Function 00DC023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00DC0277
#, xrefs: 00DC0280

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 6ef6cbb2583be982264502d870d516c2579347136ba2f86ae4345ca4cc0b0818
Instruction ID: 3e448a69f0ff2d9e8e1e9238effa2437fbcb914162c694aa8f64c779b7b03f5a
Opcode Fuzzy Hash: 6ef6cbb2583be982264502d870d516c2579347136ba2f86ae4345ca4cc0b0818
Instruction Fuzzy Hash: 1D51547510664ACFCF259F28E888BF97BA4EF16310F1C8059EA919B2A4D7349D42C770

Function 00DB62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB63A8
_memmove.LIBCMT ref: 00DB6446
_memset.LIBCMT ref: 00DB646A

Strings

ERCP, xrefs: 00DB6313

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: a14e1ef74fe5096ec05b7393ebe5146c00d41ad2e2ff156fd228fa336307cdb8
Instruction ID: 70a0afb315b7af952233956a8f9de69b812286edb1eab8acb4b16203aea3900b
Opcode Fuzzy Hash: a14e1ef74fe5096ec05b7393ebe5146c00d41ad2e2ff156fd228fa336307cdb8
Instruction Fuzzy Hash: BD51AD71904709DBDB24CF65C881BEABBE4EF04314F24856EEA8ADB241E775D684CB60

Function 00DF9CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E019CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DF9778,?,?,00000034,00000800,?,00000034), ref: 00E019F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DF9D21

Part of subcall function 00E01997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DF97A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00E019C1

Part of subcall function 00E018EE: GetWindowThreadProcessId.USER32(?,?), ref: 00E01919
Part of subcall function 00E018EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DF973C,00000034,?,?,00001004,00000000,00000000), ref: 00E01929
Part of subcall function 00E018EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DF973C,00000034,?,?,00001004,00000000,00000000), ref: 00E0193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DF9D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DF9DDB

Strings

@, xrefs: 00DF9DF3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 431aaf47cd95cd748e05e53d82d9709d3604f15a6a31f105c5a74892a24bc01e
Instruction ID: 0fe71c8d62a2287e76be5bc3c2da2d05d010da877d597a1e8d659ff9f4953e07
Opcode Fuzzy Hash: 431aaf47cd95cd748e05e53d82d9709d3604f15a6a31f105c5a74892a24bc01e
Instruction Fuzzy Hash: 75413C76D0121CAFDB14DBA4CC51BEEBBB8EB49300F104095FA45B7191DA706E89CBA0

Function 00E27BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E2F910,00000000,?,?,?,?), ref: 00E27C4E
GetWindowLongW.USER32 ref: 00E27C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E27C7B

Strings

SysTreeView32, xrefs: 00E27C20

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d75887f7b486b1c54a855dad100a137686e105fb28c9a9fffd3d188137a3a7f0
Instruction ID: b922b96f8b7524079bc19f7c01d8b3587564efd72b4b2a0cb04562f55693158a
Opcode Fuzzy Hash: d75887f7b486b1c54a855dad100a137686e105fb28c9a9fffd3d188137a3a7f0
Instruction Fuzzy Hash: A931B231204215AFDB158F38EC46BEB77A9EF59328F245725F8B5B22E0C731E8519B60

Function 00E27648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E276D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E276E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E27708

Strings

SysMonthCal32, xrefs: 00E2769B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fa5ad2d7815f2c044440f1894315683359a55bdd51cdd68a439b4deb99a142d1
Instruction ID: 3dd13d1d659e72be7bb83192536e9d4e91250407965127feae1d3e68c0900748
Opcode Fuzzy Hash: fa5ad2d7815f2c044440f1894315683359a55bdd51cdd68a439b4deb99a142d1
Instruction Fuzzy Hash: C421BF32500229BBDF258F64DC46FEA3BB9EB48714F111214FE557B1D0D6B1A8558BA0

Function 00E26F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E26FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E26FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E26FDF

Strings

Listbox, xrefs: 00E26F77

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 958c715214e0df31d40ffa7b8b24b4bcee19d5d5f8aa469ed1b9a40bedd0b83b
Instruction ID: 23f5c03868159d557ae02e549256a5fb3cebcb8268e75e4afb89c3a45a5f2b47
Opcode Fuzzy Hash: 958c715214e0df31d40ffa7b8b24b4bcee19d5d5f8aa469ed1b9a40bedd0b83b
Instruction Fuzzy Hash: 582195327101287FEF158F54EC85EAB37AAEF89754F019224F914A7190C671AC5187A0

Function 00E13CDD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00E13D5A

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Strings

%, xrefs: 00E13CE8
AUTOITCALLVARIABLE%d, xrefs: 00E13D4C
, $, xrefs: 00E13D9A

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%
API String ID: 3506404897-3879706725
Opcode ID: 3551720c57163fd9bef592087a1029c6398ceaf0bbce2ca99f33be1f6c2973c7
Instruction ID: 850c270ffac7cefc6debdb88a5d068de8bbf9d1b4dd806f2255774464bd24e1d
Opcode Fuzzy Hash: 3551720c57163fd9bef592087a1029c6398ceaf0bbce2ca99f33be1f6c2973c7
Instruction Fuzzy Hash: EC216F71640219AECF10EF64DC82AED77A5FF45700F4054A4F905BB182DB30EA45DBB2

Function 00E2797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E279E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E279F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E27A03

Strings

msctls_trackbar32, xrefs: 00E279B8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 17b52be7da283c7bfbcc69daedbd6e95a104d2042f9e6cd9bdebfa816027e3cf
Instruction ID: ccdc4d75362a9c3630054973afa5c7681b7f0d93546b6b115b18322dd879afe0
Opcode Fuzzy Hash: 17b52be7da283c7bfbcc69daedbd6e95a104d2042f9e6cd9bdebfa816027e3cf
Instruction Fuzzy Hash: 0411E372244218BFEF249F75DC05FEB37A9EF89768F020529FA41B6090D271A851CB60

Function 00DA4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DA4C2E), ref: 00DA4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DA4CB5

Strings

GetNativeSystemInfo, xrefs: 00DA4CAF
kernel32.dll, xrefs: 00DA4C9E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e2165bb12f0b7e5db04905cd95a52c7be91d05f0134e8fd43be005504b8c71f8
Instruction ID: c4989feea630ee348efa8ad9c68ab05f8d1d3e53cd4ad2e76c085736ca8e9c5a
Opcode Fuzzy Hash: e2165bb12f0b7e5db04905cd95a52c7be91d05f0134e8fd43be005504b8c71f8
Instruction Fuzzy Hash: CDD05E30511733CFD7309F32EE1860676F5AF06BA1B19C83ED88AE6150EBB0D891CA60

Function 00DA4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DA4CE1,?), ref: 00DA4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DA4DB4

Strings

kernel32.dll, xrefs: 00DA4D9D
Wow64RevertWow64FsRedirection, xrefs: 00DA4DAE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0b2e410c88bdd6f7370488aad4bdf99eaa6e3f1ab11144848ba1207ce50b6645
Instruction ID: fbdb8e811574d2c8bda7730431c43ee8e4278fdcd1aaaa3be560539f2da3d9c7
Opcode Fuzzy Hash: 0b2e410c88bdd6f7370488aad4bdf99eaa6e3f1ab11144848ba1207ce50b6645
Instruction Fuzzy Hash: E1D01231550713CFDB305F31D80864676E4AF05755B158839D8C6E6150DBB0D495C660

Function 00DA4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DA4D2E,?,00DA4F4F,?,00E662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DA4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DA4D81

Strings

kernel32.dll, xrefs: 00DA4D6A
Wow64DisableWow64FsRedirection, xrefs: 00DA4D7B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 12847f7cd2c2062abff40d6d3435afc7427088eb97fba6eed9b3ce3f9f64c797
Instruction ID: 9bf020a50ae58596bb1454e5c94b37ce89021519f3b69fbea9bd48251ebf7093
Opcode Fuzzy Hash: 12847f7cd2c2062abff40d6d3435afc7427088eb97fba6eed9b3ce3f9f64c797
Instruction Fuzzy Hash: A4D01730510723CFDB309F32E80861676E8BF16752B59883AD886EA290E6B0D894CA60

Function 00E21072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E212C1), ref: 00E21080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E21092

Strings

advapi32.dll, xrefs: 00E2107B
RegDeleteKeyExW, xrefs: 00E2108C

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0077a23de126a3b219ff4088009162e1024233b59d74a72c80329e2e7dce95f4
Instruction ID: dc3b6015285cdc3383e571b892d493cb8fe5fb258f042cfbe81a1acf72e7483b
Opcode Fuzzy Hash: 0077a23de126a3b219ff4088009162e1024233b59d74a72c80329e2e7dce95f4
Instruction Fuzzy Hash: 15D01234510722CFD7305F35E81892676F4BF15756F119C79E885F6560D770C4C4C650

Function 00E193F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E19009,?,00E2F910), ref: 00E19403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E19415

Strings

kernel32.dll, xrefs: 00E193FE
GetModuleHandleExW, xrefs: 00E1940F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: d884134aa8f398203cae49918aa4ef169d91ebb1307e4e36744ed7bf7a2ae732
Instruction ID: 7457d8120008ecc993b3736b367e58c6b838c3eca8aedb0f1d296558c95fa207
Opcode Fuzzy Hash: d884134aa8f398203cae49918aa4ef169d91ebb1307e4e36744ed7bf7a2ae732
Instruction Fuzzy Hash: 34D0C730500323CFC7309F32DA48243B6E4AF08342B04D83AE892F2552E670E8C4CA10

Function 00DE1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00DE1B42
__swprintf.LIBCMT ref: 00DE1B73

Strings

%.3d, xrefs: 00DE1B4D
WIN_XPe, xrefs: 00DE1BB2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 3935ec488719c502f783fdc467e42ccbde62d4917b199cef556feb39570c2965
Instruction ID: 8c51a8407097fd2aec30dd6b545e68879a1e46339c6503d96c0b253d9a536090
Opcode Fuzzy Hash: 3935ec488719c502f783fdc467e42ccbde62d4917b199cef556feb39570c2965
Instruction Fuzzy Hash: 47D012B9904159EACB54BA92CC44DFA737CAB06311F5406A2F946A2000F334DB899B31

Function 00DF76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8874656f1541b07732125a389004ad5f550e1361d9e5d9ba151d4bf0d86bd351
Instruction ID: c26e8298a999bbd5e343a648d91d7d97424b1183938a89e87fb7a23cf7f5bd38
Opcode Fuzzy Hash: 8874656f1541b07732125a389004ad5f550e1361d9e5d9ba151d4bf0d86bd351
Instruction Fuzzy Hash: 4FC17E74A0421AEFCB14DF98C884EBEB7B5FF48710B168598E945EB251D770DE81CBA0

Function 00E1E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E1E3D2
CharLowerBuffW.USER32(?,?), ref: 00E1E415

Part of subcall function 00E1DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E1DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E1E615
_memmove.LIBCMT ref: 00E1E628

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8718d37e9a35585be2296c7bcdaec60a703f6e14b45cd235bd25ed6afe527086
Instruction ID: 880ddc5eda88da022ed6dde04626519c3dbbf10934104e3417c702eb6aa08dea
Opcode Fuzzy Hash: 8718d37e9a35585be2296c7bcdaec60a703f6e14b45cd235bd25ed6afe527086
Instruction Fuzzy Hash: 3EC15A716083019FC714DF28C4809AABBE5FF89718F14896DF899AB351D730E985CFA2

Function 00E183A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E183D8
CoUninitialize.OLE32 ref: 00E183E3

Part of subcall function 00DFDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DFDAC5

VariantInit.OLEAUT32(?), ref: 00E183EE
VariantClear.OLEAUT32(?), ref: 00E186BF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 95f386196fba028f4a596d4da4664074c6cd18b73ab7ac6edea6a4a548c5e488
Instruction ID: 49fface29c8cccfe67db77d8c215ddc5c16536f55039d9f262779c7fdb80fdf1
Opcode Fuzzy Hash: 95f386196fba028f4a596d4da4664074c6cd18b73ab7ac6edea6a4a548c5e488
Instruction Fuzzy Hash: C6A136752047019FCB10DF24C591A6AB7E5FF89314F14945DF99AAB3A2CB30ED84CBA2

Function 00DF6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DF6E04
SysAllocString.OLEAUT32(00000000), ref: 00DF6EAD
VariantCopy.OLEAUT32 ref: 00DF6EDC
VariantClear.OLEAUT32(?), ref: 00DF6F03

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 97d4ac02d353b0090c5399bc8cf7bbd5377d9c4a96318fb3a6451c67999a1223
Instruction ID: f69ae473813b6500e1bb1ef132722a1aa1301f8754bdf116ce558558f312b8f8
Opcode Fuzzy Hash: 97d4ac02d353b0090c5399bc8cf7bbd5377d9c4a96318fb3a6451c67999a1223
Instruction Fuzzy Hash: 17519831604305AADB20AF65D491A79F3F5EF49310F25C82FE696DB691DE70D8809B31

Function 00E097E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00DA5045: _fseek.LIBCMT ref: 00DA505D

Part of subcall function 00E099BE: _wcscmp.LIBCMT ref: 00E09AAE
Part of subcall function 00E099BE: _wcscmp.LIBCMT ref: 00E09AC1

_free.LIBCMT ref: 00E0992C
_free.LIBCMT ref: 00E09933
_free.LIBCMT ref: 00E0999E

Part of subcall function 00DC2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DC9C64), ref: 00DC2FA9
Part of subcall function 00DC2F95: GetLastError.KERNEL32(00000000,?,00DC9C64), ref: 00DC2FBB

_free.LIBCMT ref: 00E099A6

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 88e032742d06d326e4d6d5cc1431d5dcb2cd90c0f8f7e6ce6201bb629da5c016
Instruction ID: 21fb6acc1faef386893b9062e33a83d140a00ee0eeb0fb4140940397ab4814e3
Opcode Fuzzy Hash: 88e032742d06d326e4d6d5cc1431d5dcb2cd90c0f8f7e6ce6201bb629da5c016
Instruction Fuzzy Hash: EA5162B1D04218AFDF249F64DC41A9EBBB9EF48310F10449EF649A7282DB715D80CF68

Function 00E29A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E29AD2
ScreenToClient.USER32(00000002,00000002), ref: 00E29B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E29B72

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4e4653bb9de09b1fe25bfdacad7d233ed713d8f949b01228d9f27190b460d7e8
Instruction ID: 5ef7d6c355cb2cb445a2f26be1a411363cfa04c76a43b62c30983174ddc88ac1
Opcode Fuzzy Hash: 4e4653bb9de09b1fe25bfdacad7d233ed713d8f949b01228d9f27190b460d7e8
Instruction Fuzzy Hash: E0518234A00219EFCF24CF68E8809AE7BF5FF54364F109269F815AB2A1D730AD41CB94

Function 00DC493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC49D0
__flush.LIBCMT ref: 00DC49F0
__write.LIBCMT ref: 00DC4A23
__flsbuf.LIBCMT ref: 00DC4A51

Part of subcall function 00DC8D68: __getptd_noexit.LIBCMT ref: 00DC8D68

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction ID: fa55f9e0c2b7a80f7620f997e0f35755f810c5a7dc063ed3eb9b623bad36ab67
Opcode Fuzzy Hash: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction Fuzzy Hash: 2841D670A006179BDF18CEA9C8A0FAF77A6EF80364B28823DE855C7640DB70DD408B74

Function 00E16CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E16CE4
WSAGetLastError.WSOCK32(00000000), ref: 00E16CF4

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E16D58
WSAGetLastError.WSOCK32(00000000), ref: 00E16D64

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: fcd1512daf99383b911578879e8fd91c26333eddbfccd04b65d7a6d5587d0d5a
Instruction ID: 50c5a2e9fec0b6f7a5423ddc1ca2c3f6a5edab7c5854441dd3cacc51e5bc8bed
Opcode Fuzzy Hash: fcd1512daf99383b911578879e8fd91c26333eddbfccd04b65d7a6d5587d0d5a
Instruction Fuzzy Hash: E941B275740200AFEB20AF24DC96F7AB7E5DB05B14F448418FA59AF2D2DB719D018BB1

Function 00E1672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E2F910), ref: 00E167BA
_strlen.LIBCMT ref: 00E167EC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 2e6c81bcdb250c770f868500fd3db67d95f65c8ef0b1bb70a5c5a2c8b7b6206b
Instruction ID: 5d930ad6f5c08665012fc1e99ecfc707b3c39ea379e77392ca6adb43b159f07d
Opcode Fuzzy Hash: 2e6c81bcdb250c770f868500fd3db67d95f65c8ef0b1bb70a5c5a2c8b7b6206b
Instruction Fuzzy Hash: 35417331A00504ABCB18EB64DCD5FEEB7A9EF49314F148169F915AB292DB30ED84C770

Function 00E0BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E0BB09
GetLastError.KERNEL32(?,00000000), ref: 00E0BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E0BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E0BB80

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1157973f998e5e59d43c1d868c2215a6a698aeb964a7d33f6a576a3dcbf918b8
Instruction ID: 33335d901228c756c69157b33512494e69a2f4d60b7d1e1c99865e4021adf219
Opcode Fuzzy Hash: 1157973f998e5e59d43c1d868c2215a6a698aeb964a7d33f6a576a3dcbf918b8
Instruction Fuzzy Hash: 14411A39200610DFCB10EF25C594A5ABBF1EF4A314B099498E84AAB372CB34FD41CFA1

Function 00E28AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E28B4D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8b895be0d9f0f0c44c0f1f88ef2458e93ac70b6752a6ff5618100f4f08d71c8f
Instruction ID: 14e183eca22dacaddc4eff66e8a6e7088c062ba4e80c9ba9f1314b70843991ce
Opcode Fuzzy Hash: 8b895be0d9f0f0c44c0f1f88ef2458e93ac70b6752a6ff5618100f4f08d71c8f
Instruction Fuzzy Hash: D03108B8602224BFEF208F18EE55FE93765FB09314F14561AFA41F72A0CE30AD408B91

Function 00E2ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E2AE1A
GetWindowRect.USER32(?,?), ref: 00E2AE90
PtInRect.USER32(?,?,00E2C304), ref: 00E2AEA0
MessageBeep.USER32(00000000), ref: 00E2AF11

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 65c2fd47e6ec79d3eb745ff3f89e9f56cd4287a42395d3fd8c4d36bef1a5bb95
Instruction ID: b2d7bd0e0205a9ea8db7eaa9775b6877127b09dd47ec98856ec501f21d90144a
Opcode Fuzzy Hash: 65c2fd47e6ec79d3eb745ff3f89e9f56cd4287a42395d3fd8c4d36bef1a5bb95
Instruction Fuzzy Hash: 4B41C070600229DFCB11CF69E884AA9BBF5FB88340F1D90B9E414AB250C770A846CF92

Function 00E00FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E01037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E01053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E010B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E0110B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 19b1d040bb58c07daf2945aa4a73974c8f0245971536a4a208ac7f7b139ab1f3
Instruction ID: 385244a3c27a0584450546e8be66b5693e913d81cbc49c08b6b0cfc7b7ea9428
Opcode Fuzzy Hash: 19b1d040bb58c07daf2945aa4a73974c8f0245971536a4a208ac7f7b139ab1f3
Instruction Fuzzy Hash: 83315830E40688AEFF348B668C05BFEBBB9AB45314F0863AAE5D07A1D1C3758DC59751

Function 00E01121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00E01176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E01192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E011F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00E01243

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ed1faaa6cd24130aca7895da83698b92a1cd93e300b5358fa1d0323ac766761b
Instruction ID: 7ec4df9352e4f871ee98bcd28411f8da00f249cfea179805099ad7dac2241649
Opcode Fuzzy Hash: ed1faaa6cd24130aca7895da83698b92a1cd93e300b5358fa1d0323ac766761b
Instruction Fuzzy Hash: 5E313A3094165C9EFF388A658C047FE7BBAAB49318F04639EF590BA1E1C3344DD59751

Function 00DD6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DD644B
__isleadbyte_l.LIBCMT ref: 00DD6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DD64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DD64DD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7a5837c8d382cddde78cd1d363e8937c950685d47cefdb144efae1a6a1db3afa
Instruction ID: b7a328faf2c75ee641937d699ab75b5edd9cd1dcb68f543faa694fd375f14d7a
Opcode Fuzzy Hash: 7a5837c8d382cddde78cd1d363e8937c950685d47cefdb144efae1a6a1db3afa
Instruction Fuzzy Hash: 2A31C13160824AAFDB218F75CC45BAA7BB5FF40310F19446AF85587291D731E851DBF0

Function 00E25175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E25189

Part of subcall function 00E0387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E03897
Part of subcall function 00E0387D: GetCurrentThreadId.KERNEL32 ref: 00E0389E
Part of subcall function 00E0387D: AttachThreadInput.USER32(00000000,?,00E052A7), ref: 00E038A5

GetCaretPos.USER32(?), ref: 00E2519A
ClientToScreen.USER32(00000000,?), ref: 00E251D5
GetForegroundWindow.USER32 ref: 00E251DB

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8c02503c3bbb22e45972df3beabe787f419b031ba66ba8c57ca40ca727c44a43
Instruction ID: e19cb6306495cedfb1011e70a80907d78dd13084d5064c4585cfb4d36c9cdbb4
Opcode Fuzzy Hash: 8c02503c3bbb22e45972df3beabe787f419b031ba66ba8c57ca40ca727c44a43
Instruction Fuzzy Hash: FC313A72A00108AFCB00EFA5C8859EFF7F9EF89300B10406AE411E7251EA759E45CBB1

Function 00E2C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

GetCursorPos.USER32(?), ref: 00E2C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DDBBFB,?,?,?,?,?), ref: 00E2C7D7
GetCursorPos.USER32(?), ref: 00E2C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DDBBFB,?,?,?), ref: 00E2C85E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1f878c2ea07828d94d468355d24b5904db7964db27aa5d7b84131039deac6809
Instruction ID: 6471bf4baf76eb3835e67a18c78d7e78d46a3b2b84a5b030c1a829c11615fb3d
Opcode Fuzzy Hash: 1f878c2ea07828d94d468355d24b5904db7964db27aa5d7b84131039deac6809
Instruction Fuzzy Hash: 93319635500028AFCB29CF59E898EEE7BB6EB49314F144065F905A7261C7316D51DFA0

Function 00DC0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00DC0BF2

Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E07B20,?,?,00000000), ref: 00DA5B8C
Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E07B20,?,?,00000000,?,?), ref: 00DA5BB0

_fprintf.LIBCMT ref: 00DC0C29
OutputDebugStringW.KERNEL32(?), ref: 00DF6331

Part of subcall function 00DC4CDA: _flsall.LIBCMT ref: 00DC4CF3

__setmode.LIBCMT ref: 00DC0C5E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 00ef9f4bcb1f13df1e5b76848949fcd52c2e61edcd754868253e830680a812d6
Instruction ID: 6f071cdc8cc42f4fc25a6a98a929e362d7a07b7da9f401c46690ac69f20088d1
Opcode Fuzzy Hash: 00ef9f4bcb1f13df1e5b76848949fcd52c2e61edcd754868253e830680a812d6
Instruction Fuzzy Hash: FC112732904209BACB04B7B4AC42EBEBB69DF46320F18411DF204A71D1DE205D8687B5

Function 00DF8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DF8669
Part of subcall function 00DF8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8673
Part of subcall function 00DF8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8682
Part of subcall function 00DF8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF8689
Part of subcall function 00DF8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DF8BEB
_memcmp.LIBCMT ref: 00DF8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF8C44
HeapFree.KERNEL32(00000000), ref: 00DF8C4B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3db36e9bfa62262b451e8d2c637eb8962d6acef0f534ce50e55f875d67dc0223
Instruction ID: 57779f91e8c4e0176e4474d90e0ca11baf33c0a225a491a3031ba2be360149d8
Opcode Fuzzy Hash: 3db36e9bfa62262b451e8d2c637eb8962d6acef0f534ce50e55f875d67dc0223
Instruction Fuzzy Hash: 9A218B71E0120CAFCB10DFA4C945BBEB7B8EF40344F1A8069E654AB241DB30AA46DB71

Function 00E11A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E11A97

Part of subcall function 00E11B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E11B40
Part of subcall function 00E11B21: InternetCloseHandle.WININET(00000000), ref: 00E11BDD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 5f4726ec76b62d6d4bb67a44f1dc7be1d6d6f7749d22f2e65f02a38c89ff2a3b
Instruction ID: b111597d96479115adec99680618bc437e1c22c772fb365fba2f8091e3cec114
Opcode Fuzzy Hash: 5f4726ec76b62d6d4bb67a44f1dc7be1d6d6f7749d22f2e65f02a38c89ff2a3b
Instruction Fuzzy Hash: BD218E35204605BFDB259F608C05FFABBB9FF48701F10102AFA51A6650EB71A8659BA0

Function 00E03C66 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E2FAC0), ref: 00E03CA0
GetLastError.KERNEL32 ref: 00E03CAF
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E03CBE
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E2FAC0), ref: 00E03D1B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 870407b56200edb2a3ee50fcae5cfb31fe0713773fe753c36beee9337db00482
Instruction ID: c327aad2b3965a05b66f6b827221c9ff3d196fb0cfab23a7537d9493e88d76e5
Opcode Fuzzy Hash: 870407b56200edb2a3ee50fcae5cfb31fe0713773fe753c36beee9337db00482
Instruction Fuzzy Hash: C92174715083019FC710DF34D88189AB7E8EF56758F145A2DF499E72E1D7309E4ACB62

Function 00DFE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DFF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00DFE1C4,?,?,?,00DFEFB7,00000000,000000EF,00000119,?,?), ref: 00DFF5BC
Part of subcall function 00DFF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00DFF5E2
Part of subcall function 00DFF5AD: lstrcmpiW.KERNEL32(00000000,?,00DFE1C4,?,?,?,00DFEFB7,00000000,000000EF,00000119,?,?), ref: 00DFF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00DFEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DFE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00DFE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DFEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DFE237

Strings

cdecl, xrefs: 00DFE22E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b70096d952c3076a863d513a28f406da908cd8b33809e3d79d3a3690a1ca8cd1
Instruction ID: ba33596026213376fd2322c77dbefc825c4d01cd893947f9f1fe05924289d92c
Opcode Fuzzy Hash: b70096d952c3076a863d513a28f406da908cd8b33809e3d79d3a3690a1ca8cd1
Instruction Fuzzy Hash: A411B136100309EFCB25AF64D845E7A77B8FF85310B45802AF906CB2A0FB71985197B4

Function 00DD5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DD5351

Part of subcall function 00DC594C: __FF_MSGBANNER.LIBCMT ref: 00DC5963
Part of subcall function 00DC594C: __NMSG_WRITE.LIBCMT ref: 00DC596A
Part of subcall function 00DC594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DC1013,?), ref: 00DC598F

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f910b2754524876460ee3cb97b90677ba2b2bc6b873309978b675746feaea3ca
Instruction ID: a9561df927447bcb61336bb8cb59f3c2f8554372ef57d9c4dd634af00737e0aa
Opcode Fuzzy Hash: f910b2754524876460ee3cb97b90677ba2b2bc6b873309978b675746feaea3ca
Instruction Fuzzy Hash: 09119132504A16AFCB313F70BC45F6A37A89F107E0B24442FF946AB295DEB5C94197B0

Function 00E1667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E07B20,?,?,00000000), ref: 00DA5B8C
Part of subcall function 00DA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E07B20,?,?,00000000,?,?), ref: 00DA5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00E166AC
WSAGetLastError.WSOCK32(00000000), ref: 00E166B7
_memmove.LIBCMT ref: 00E166E4
inet_ntoa.WSOCK32(?), ref: 00E166EF

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 94b82366ff592015d75478097007f4d94f1e322078d2aacf9bb066b9a430efdc
Instruction ID: 2222c50232e921771d4c727a37ae50ac12953b47f0a60761512afaabf8a5f5bd
Opcode Fuzzy Hash: 94b82366ff592015d75478097007f4d94f1e322078d2aacf9bb066b9a430efdc
Instruction Fuzzy Hash: B7116D36500509AFCB04EBA4ED96DEEB7B8EF19310B144069F506B71A1EF30AE44CB71

Function 00DF9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DF9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF9086

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ddb7fe6025bf322ec9868f3eb7b86c62b9d2b52b03cf03479fb2f13d2392db
Instruction ID: b373d8adfd71a8ba0d8d6cefa2cf81b761f20fcd237d2c50f4250deaffea3502
Opcode Fuzzy Hash: 23ddb7fe6025bf322ec9868f3eb7b86c62b9d2b52b03cf03479fb2f13d2392db
Instruction Fuzzy Hash: F8113A79900218BFDB10DFA5C884FADFB74FB48310F2140A5EA04B7250DA726E10DBA0

Function 00DA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2612: GetWindowLongW.USER32(?,000000EB), ref: 00DA2623

DefDlgProcW.USER32(?,00000020,?), ref: 00DA12D8
GetClientRect.USER32(?,?), ref: 00DDB84B
GetCursorPos.USER32(?), ref: 00DDB855
ScreenToClient.USER32(?,?), ref: 00DDB860

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a4e0326a566a490f58b2a93c6b3529e9ade230cd8f18e14f230da357359b631f
Instruction ID: 7021e0c7f9299366685f63b286b77dca119a54e310c4708645f8b7d4e8429418
Opcode Fuzzy Hash: a4e0326a566a490f58b2a93c6b3529e9ade230cd8f18e14f230da357359b631f
Instruction Fuzzy Hash: F3113A39900119AFCB10DFA9D886AFE77B8FB06300F000466F941E7250C730FA568BB9

Function 00DA1D35 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DA1D73
GetStockObject.GDI32(00000011), ref: 00DA1D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA1D91

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4f05b7e1f0791d630f6247beea0a0aa3de597c8f546e77216df288f6d511cb18
Instruction ID: f2824cfb3eda3bbb3f24b6373357af0b33b92800d75c7fcc5dbc3a7a1837c662
Opcode Fuzzy Hash: 4f05b7e1f0791d630f6247beea0a0aa3de597c8f546e77216df288f6d511cb18
Instruction Fuzzy Hash: 56116D72501619BFDF128F91DC45EEA7B6AEF0A7A4F080126FA0462120C731DC65EBB0

Function 00E01652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E001FD,?,00E01250,?,00008000), ref: 00E0166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E001FD,?,00E01250,?,00008000), ref: 00E01694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E001FD,?,00E01250,?,00008000), ref: 00E0169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E001FD,?,00E01250,?,00008000), ref: 00E016D1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d529da94652fea0ddfc0978aadf0474d0a2f75231174ca9bfed7a0de08de4cdf
Instruction ID: 92820e4506a181e2571f680ca72a46036fdb122ddcddf74262d69a9498c7df3d
Opcode Fuzzy Hash: d529da94652fea0ddfc0978aadf0474d0a2f75231174ca9bfed7a0de08de4cdf
Instruction Fuzzy Hash: 58117031C0151DDBCF049FA6EC44AEEBB78FF09741F4440A5E981BA180CB3155A18B96

Function 00DFDD22 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00DFDD3E
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DFDD55
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DFDD6A
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DFDD88

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a280851b142eb2c74f67b8da0212cab811532fe3798eb20667c158313e7efd79
Instruction ID: e364910c780330a4258598bb179b5a989fb8096578976cb585843ab642222d55
Opcode Fuzzy Hash: a280851b142eb2c74f67b8da0212cab811532fe3798eb20667c158313e7efd79
Instruction Fuzzy Hash: A4117CB1201308AFE720DF11DC48BA2BBBAEB00B18F118569A65AD6150D7B0E909DBB1

Function 00DD7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DD722B

Part of subcall function 00DD7912: __fltout2.LIBCMT ref: 00DD793B

__cftog_l.LIBCMT ref: 00DD7251
__cftoe_l.LIBCMT ref: 00DD7283

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d66b9e3c3b1cbb81d0ec91f572d2a0725101951516b0bf132d5fc5f8fd06a988
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 9601433604418ABBCF125E84CC018EE3F62BF59355B588556FA1858231E237C971ABA5

Function 00E2B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E2B59E
ScreenToClient.USER32(?,?), ref: 00E2B5B6
ScreenToClient.USER32(?,?), ref: 00E2B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2B5F5

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e3bed591df64f7102db8a3125af13c8677d112c9ae8df104ec7aac708d0f0342
Instruction ID: 50ef9c443cf5aa2f457c29d703683673d3696f63c55a4a29539292f8d7f09e51
Opcode Fuzzy Hash: e3bed591df64f7102db8a3125af13c8677d112c9ae8df104ec7aac708d0f0342
Instruction Fuzzy Hash: 4C1143B9D00209EFDB51CFA9D8849EEFBB9FB08310F108166E915E3620D735AA558F91

Function 00E2B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E2B8FE
_memset.LIBCMT ref: 00E2B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E67F20,00E67F64), ref: 00E2B93C
CloseHandle.KERNEL32 ref: 00E2B94E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6591e2a847ad3808e0ef08de81304dbc23024fac3a3d61d49d5212814ad49912
Instruction ID: 588f148f3c7da189f1a081f93aa7738cb20a06289b0c1d9d13f24f389ff1b63e
Opcode Fuzzy Hash: 6591e2a847ad3808e0ef08de81304dbc23024fac3a3d61d49d5212814ad49912
Instruction Fuzzy Hash: 22F054B26543107FF2106B62BC16FBB3A5CEB0939DF005030FA48F6192D7B1490497B8

Function 00E06E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E06E88

Part of subcall function 00E0794E: _memset.LIBCMT ref: 00E07983

_memmove.LIBCMT ref: 00E06EAB
_memset.LIBCMT ref: 00E06EB8
LeaveCriticalSection.KERNEL32(?), ref: 00E06EC8

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 64558f1d8b3c48af643474c17e06561ea2c320661a74f9886053053a9c1c93b9
Instruction ID: 01d0e8cd4c2c8f63083802fb5ea14dce250ea27fec28c8635617326e949212ee
Opcode Fuzzy Hash: 64558f1d8b3c48af643474c17e06561ea2c320661a74f9886053053a9c1c93b9
Instruction Fuzzy Hash: 6CF0543A100210ABCF116F55DC85F89BB69EF45320B04C065FE086F26BC731E951DBB4

Function 00E2C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA134D
Part of subcall function 00DA12F3: SelectObject.GDI32(?,00000000), ref: 00DA135C
Part of subcall function 00DA12F3: BeginPath.GDI32(?), ref: 00DA1373
Part of subcall function 00DA12F3: SelectObject.GDI32(?,00000000), ref: 00DA139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E2C030
LineTo.GDI32(00000000,?,?), ref: 00E2C03D
EndPath.GDI32(00000000), ref: 00E2C04D
StrokePath.GDI32(00000000), ref: 00E2C05B

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f9b0ea485b1fa214b1c25bd87716a89d4d7541e3bf7f4be9138462945007b063
Instruction ID: b772c3572e2f8efb920c9def3c8b6aa935ee9e33ffc567dc454ae51109f019f8
Opcode Fuzzy Hash: f9b0ea485b1fa214b1c25bd87716a89d4d7541e3bf7f4be9138462945007b063
Instruction Fuzzy Hash: 6FF05E31001269FFDB226F56FC0AFCE3F69AF06711F144110FA11710E287B5556ADBA9

Function 00DFA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DFA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DFA3AC
GetCurrentThreadId.KERNEL32 ref: 00DFA3B3
AttachThreadInput.USER32(00000000), ref: 00DFA3BA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 559fdef28da5f94fa10ab3250499fc6741d3e8445b713ff85fbf8e9b92be3c21
Instruction ID: 9a90b0c9fae05d53f63639c505ff0defffe762d80a4fe3ddd7b4a02a8cb0ac74
Opcode Fuzzy Hash: 559fdef28da5f94fa10ab3250499fc6741d3e8445b713ff85fbf8e9b92be3c21
Instruction Fuzzy Hash: 57E015B1541228BADB202BA2DD0CEE73FACEF167A1F048034F609A8060C675D5458BE0

Function 00DA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DA2231
SetTextColor.GDI32(?,000000FF), ref: 00DA223B
SetBkMode.GDI32(?,00000001), ref: 00DA2250
GetStockObject.GDI32(00000005), ref: 00DA2258
GetWindowDC.USER32(?,00000000), ref: 00DDC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DDC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00DDC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00DDC112
GetPixel.GDI32(00000000,?,?), ref: 00DDC132
ReleaseDC.USER32(?,00000000), ref: 00DDC13D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f72c99f06b343bda80e26890f281189ef54a40af1bb5ece73b4af8366f5b3a8d
Instruction ID: d54e3ac4b278ff4004443de9e058c294d3fe5d243683d29d1f49d48f0d565d5e
Opcode Fuzzy Hash: f72c99f06b343bda80e26890f281189ef54a40af1bb5ece73b4af8366f5b3a8d
Instruction Fuzzy Hash: 7DE06D32100244EEDB315FB9FC0DBE83B20EB05332F088376FA69680E287714995DB21

Function 00DF8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00DF8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00DF882E), ref: 00DF8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DF882E), ref: 00DF8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00DF882E), ref: 00DF8C7E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: aa748b9a28791d7c7d30e1f57ace1e870847a530c9e41507077141025579101d
Instruction ID: c7636775670d22e005d45d327791751306bde90846e255401bafce5fd7e10b00
Opcode Fuzzy Hash: aa748b9a28791d7c7d30e1f57ace1e870847a530c9e41507077141025579101d
Instruction Fuzzy Hash: F6E04F36642211DFD7305FB26D0DF563BB8AF55792F098838E245EA050DA34844A9B61

Function 00DE2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DE2187
GetDC.USER32(00000000), ref: 00DE2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DE21B1
ReleaseDC.USER32(?), ref: 00DE21D2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7d8ea350dfe6fecd3a319c35c4a72ca43939fae84ffc945e100206b756189469
Instruction ID: e108a32f27100d3b9602b3e992c6c07754438d9f3a4f806cacbbbff9535bbf3c
Opcode Fuzzy Hash: 7d8ea350dfe6fecd3a319c35c4a72ca43939fae84ffc945e100206b756189469
Instruction Fuzzy Hash: 50E01AB5900604EFDF219F62CD08AAD7BF5EB4C350F108425F95AA7220DB7881469F90

Function 00DE219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DE219B
GetDC.USER32(00000000), ref: 00DE21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DE21B1
ReleaseDC.USER32(?), ref: 00DE21D2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5d0e46b097c6be7553b01e50197d0ee7ad6a04d50ef4c55e12c5b3a0cb40f099
Instruction ID: 224feb71113d37b197eea93ad686d56b2fa9b3dd8a710b7bf31882105b51c457
Opcode Fuzzy Hash: 5d0e46b097c6be7553b01e50197d0ee7ad6a04d50ef4c55e12c5b3a0cb40f099
Instruction Fuzzy Hash: 90E012B5900204AFCF219FB2C908A9DBBF1EB4C320F108029F95AA7220DB7891469F90

Function 00DA63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00DA63AE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: d4e0464d9b49e168e4811dc0936746815670a874d55949c957d77d81290fcc9e
Instruction ID: 1891af3d51a5673653bb4373575e4d8eb949fb834075b9e307eb4b5da85fc360
Opcode Fuzzy Hash: d4e0464d9b49e168e4811dc0936746815670a874d55949c957d77d81290fcc9e
Instruction Fuzzy Hash: 97B19F71D04109DACF14EFA8C8819EEB7B8FF4A310F584426E942A7295EB34DE81CB71

Function 00E1B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E1B2C3

Strings

xr, xrefs: 00E1B325
xr, xrefs: 00E1B2F9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: 7f2ff07bfc4537cfeb2ff206fbbb383886279c8d18fe3a14adccf2ed749a89c6
Instruction ID: a28836e80bb9c166e96ff31d461a6f3ecff44afdd329c7501e68fd1b56792af9
Opcode Fuzzy Hash: 7f2ff07bfc4537cfeb2ff206fbbb383886279c8d18fe3a14adccf2ed749a89c6
Instruction Fuzzy Hash: 27B18170A00209AFCB14DF54C891EFEB7BAFF59304F149459F945AB292EB70E985CB60

Function 00E0B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DBFEC6: _wcscpy.LIBCMT ref: 00DBFEE9

Part of subcall function 00DA9997: __itow.LIBCMT ref: 00DA99C2
Part of subcall function 00DA9997: __swprintf.LIBCMT ref: 00DA9A0C

__wcsnicmp.LIBCMT ref: 00E0B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E0B361

Strings

LPT, xrefs: 00E0B292

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7a8ae4825071b7c2a58365344e900199339663479f2b998c42d6cf846bc10bfa
Instruction ID: 0d303235b9056aab3a04b4a4178b372f52ec2826ca77253fe77066fc89cca0ab
Opcode Fuzzy Hash: 7a8ae4825071b7c2a58365344e900199339663479f2b998c42d6cf846bc10bfa
Instruction Fuzzy Hash: A8616F75A00215EFCB14DF94C891EAEB7B4FF09310F15506AF946BB2A1DB74AE80CB60

Function 00DB2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00DB2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00DB2AE1

Strings

@, xrefs: 00DB2AD5

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ee4454028e60bc5ad09179ab508acb2cf79625b29f3e7e6a001123a31e3d0e7a
Instruction ID: ff8ae591c8166094f47b4508db364870c4a25582a932189f82d5b5af2b079572
Opcode Fuzzy Hash: ee4454028e60bc5ad09179ab508acb2cf79625b29f3e7e6a001123a31e3d0e7a
Instruction Fuzzy Hash: 545146725187449BD320AF11D896BABBBF8FF86310F42885DF1D9911A5EB308529CB26

Function 00E099BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DA506B: __fread_nolock.LIBCMT ref: 00DA5089

_wcscmp.LIBCMT ref: 00E09AAE
_wcscmp.LIBCMT ref: 00E09AC1

Strings

FILE, xrefs: 00E099FA

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 990f0884c962f65697d6a3f32d708e60760760c5876bcd1684d5a6cc7093b6a2
Instruction ID: 66ee99074471e068a6cf744f86eeeb1e6b6c739da7c9179f9bde859ae698f41a
Opcode Fuzzy Hash: 990f0884c962f65697d6a3f32d708e60760760c5876bcd1684d5a6cc7093b6a2
Instruction Fuzzy Hash: D241D371A0060ABADF209FA0DC46FEFBBB9DF45714F000469B900B71C6DA75AA448BB5

Function 00DE099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DE09A9

Strings

Dt, xrefs: 00DAA477
Dt, xrefs: 00DAA2B1

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: c997d29dfbedf86566838494780e821bccbcd6dcfdcde813e79804a5a2e67946
Instruction ID: c7f1f72c5ef309f951c098fce7b10a2945457e0677cec06a791d9e1dc5030cca
Opcode Fuzzy Hash: c997d29dfbedf86566838494780e821bccbcd6dcfdcde813e79804a5a2e67946
Instruction Fuzzy Hash: 6551E3746083428FC754CF19C084A1ABBE1BB9A394F58895DE9858B321D771EC85CB62

Function 00E12882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E12892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E128C8

Strings

|, xrefs: 00E12899

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 7fd2e61ef88cfdcea118a0fbe896dc987fea351cb66b48799008f5bd069f7639
Instruction ID: 980046b9ea9318d09a819f70ec0306f6bdfa161d6613398397c43383d9aa4197
Opcode Fuzzy Hash: 7fd2e61ef88cfdcea118a0fbe896dc987fea351cb66b48799008f5bd069f7639
Instruction Fuzzy Hash: CE313771C00219AFCF01AFA5DC85EEEBFB9FF09300F004029F914A6166EA315A56DBB0

Function 00E27CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00E27DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E27DE5

Strings

', xrefs: 00E27D39

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4551a056a9d1bb25cdc1d5ae0b914f770da9749b8b802f948290130af0a686a6
Instruction ID: 2ef0030fe30dcb8545b9aed1387fb4a85c5fa0b8294678c76fa7df0eddabad5a
Opcode Fuzzy Hash: 4551a056a9d1bb25cdc1d5ae0b914f770da9749b8b802f948290130af0a686a6
Instruction Fuzzy Hash: FB412874A0521A9FDB14CF69E881BEABBB5FF0A304F10116AED45EB341D770A945CFA0

Function 00E26CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E26D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E26DC2

Strings

static, xrefs: 00E26D22

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 75cb2e8d2195cb1a82106206394d33640cab2f839c7b4661ba3066314bf78a3a
Instruction ID: abc1bfbb9229bb5958f81390341fc6a837b293d3fc1e6043b2179c0edcd6e7ca
Opcode Fuzzy Hash: 75cb2e8d2195cb1a82106206394d33640cab2f839c7b4661ba3066314bf78a3a
Instruction Fuzzy Hash: 9A31B371210218AEDB109F74DC40BFB73B9FF48724F109619F995A7190DB71AC91CB60

Function 00E02D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E02E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E02E3B

Strings

0, xrefs: 00E02DF9

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bbf6d74f49fa4f0c89ca27e5bf6e822dfc29eef5ca8e74d60199790a253f7487
Instruction ID: 29c3e08f236f482c65d36143ccf47929f810191dfae250b39e700053b2a99e53
Opcode Fuzzy Hash: bbf6d74f49fa4f0c89ca27e5bf6e822dfc29eef5ca8e74d60199790a253f7487
Instruction Fuzzy Hash: 7B31F731640305ABEB268F58D849BDEBBF9EF05344F14106DEA85B71E0D77099C5CB50

Function 00E26943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E269D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E269DB

Strings

Combobox, xrefs: 00E2699D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d5bc34efe16991c11b2d8879611d4ac632b014f7a1bc9ffa1b5b492da0c05dc2
Instruction ID: ee30de5cf8efa13f3fc9480dc9b0e5bddf06768f38bad64fa3888d87d28d347b
Opcode Fuzzy Hash: d5bc34efe16991c11b2d8879611d4ac632b014f7a1bc9ffa1b5b492da0c05dc2
Instruction Fuzzy Hash: 8411B2716002196FEF159F14EC80EEB376AEB893A8F111225F958AB290DA759C9187A0

Function 00E26E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00DA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DA1D73
Part of subcall function 00DA1D35: GetStockObject.GDI32(00000011), ref: 00DA1D87
Part of subcall function 00DA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA1D91

GetWindowRect.USER32(00000000,?), ref: 00E26EE0
GetSysColor.USER32(00000012), ref: 00E26EFA

Strings

static, xrefs: 00E26EBD

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b43fe3ec821b7189f4ac1ca308efaabb6ad3952354f797eedf192c1bc7281446
Instruction ID: ee8ea523c8b33b914389e00b0e7f19bee2556d17ddcb21d886f6208ad60ee287
Opcode Fuzzy Hash: b43fe3ec821b7189f4ac1ca308efaabb6ad3952354f797eedf192c1bc7281446
Instruction Fuzzy Hash: 8421897261021AAFDF04DFA8DD45AEA7BB8FB08304F105628F955E3240D734E8619B60

Function 00E26B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E26C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E26C20

Strings

edit, xrefs: 00E26BF5

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8c7cba4700e3fc4e55c01f648983a10bcc4b0dba5bf556b4c9a2d15a9dcbb093
Instruction ID: 02f5aa85c67d8a534075f072c45ccbf00646383168f3df946f5784544a2e3ee3
Opcode Fuzzy Hash: 8c7cba4700e3fc4e55c01f648983a10bcc4b0dba5bf556b4c9a2d15a9dcbb093
Instruction Fuzzy Hash: 8F119A71500228AFEB109F64EC46AEB3769EB04378F205724F961E31E0C775DC919B60

Function 00E02E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E02F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E02F30

Strings

0, xrefs: 00E02F07

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: da961abb8e894d71b36cc290fad1f7c36c2b557fc0e9c167b162868a79aa70f7
Instruction ID: dad4825cd3729a20c00f911eed13a5ed4f4afe3b2dae4da5eadac3e4a1044b1a
Opcode Fuzzy Hash: da961abb8e894d71b36cc290fad1f7c36c2b557fc0e9c167b162868a79aa70f7
Instruction Fuzzy Hash: 7F11D031E01115ABCB35DF98DC08B9A73F9EB01398F1450A9FE44B72E0D7B0AD458791

Function 00E124CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E12520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E12549

Strings

<local>, xrefs: 00E12511

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e97aea1a799e72dbeb1668ebce6f50b6cfddd9382a8975771d1945b5355efa73
Instruction ID: 5910522ec65d23b2785009c2ccad75c8422bf46eb1afc5050044c5046e59f363
Opcode Fuzzy Hash: e97aea1a799e72dbeb1668ebce6f50b6cfddd9382a8975771d1945b5355efa73
Instruction Fuzzy Hash: 3811E0B0500225BEDB248F618CD8EFBFF69FB16355F10912EFA0566040E27069A5EAE1

Function 00E180A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E180C8,?,00000000,?,?), ref: 00E18322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E180CB
htons.WSOCK32(00000000,?,00000000), ref: 00E18108

Strings

255.255.255.255, xrefs: 00E180E3

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 799baa66acffa4b16dc38787eb72d778fbe91390358fb881f8454e94c61b9145
Instruction ID: b8a047b518062e1cceeb3e8bb00ea3f579f9dbfdc0aefafb7c37fdfcd911b1d8
Opcode Fuzzy Hash: 799baa66acffa4b16dc38787eb72d778fbe91390358fb881f8454e94c61b9145
Instruction Fuzzy Hash: E211E135200209ABDB20AF64DD46FFEB374FF04320F108527F911A7291DA32A845C7A1

Function 00DB0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DA3C26,00E662F8,?,?,?), ref: 00DB0ACE

Part of subcall function 00DA7D2C: _memmove.LIBCMT ref: 00DA7D66

_wcscat.LIBCMT ref: 00DE50E1

Strings

c, xrefs: 00DB0B0E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: 30ad30142f8a5f3bcd32b2c37f84a2db6adb07cea5accda107462b4f296e0baa
Instruction ID: 821af23462cb236097a36925ac1127961a0155e8ac2af879c72b9b2dc207e73a
Opcode Fuzzy Hash: 30ad30142f8a5f3bcd32b2c37f84a2db6adb07cea5accda107462b4f296e0baa
Instruction Fuzzy Hash: EB11883594421CEB8B10FBA4DC02EDE7BB8EF48354B0040A6B999E7251EE70DB888775

Function 00DF92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DF9355

Strings

ListBox, xrefs: 00DF931F
ComboBox, xrefs: 00DF92F4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f0725837238fc12c412d130946be9f8fe4163f5d8360db2546449dd08918ae00
Instruction ID: 072815b48473754893e80f2b638cc80c88dca13660d4b48ff5c3bb34989a1e1e
Opcode Fuzzy Hash: f0725837238fc12c412d130946be9f8fe4163f5d8360db2546449dd08918ae00
Instruction Fuzzy Hash: 31015271A45218AB8B04EB64CC91DFEB7A9FF06320B154619F972672D2EA31691C8670

Function 00E0901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E09036
__fread_nolock.LIBCMT ref: 00E0904B

Strings

EA06, xrefs: 00E0907D

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: dff914c719de58184942fc6b10c4946e9946911efa2a0a356f2a8c616b999616
Instruction ID: c8f799a67c3c7bc2954babf5ca2be693de43b0a28c0f1b8ac791786b30975cd0
Opcode Fuzzy Hash: dff914c719de58184942fc6b10c4946e9946911efa2a0a356f2a8c616b999616
Instruction Fuzzy Hash: 0401F9718042186EDB28CAA8D816FEE7BF8DF01301F00419EF552D2182E575E6088770

Function 00DF91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DF924D

Strings

ListBox, xrefs: 00DF9217
ComboBox, xrefs: 00DF91EC

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c602fc17b2f417eaa0dd9771e55627e6a3574041d63181355fff0a54ae909735
Instruction ID: 13056263f0a313e59c2b20293eac5bfc7dc19be603a6baea8f33d4d4a919ac12
Opcode Fuzzy Hash: c602fc17b2f417eaa0dd9771e55627e6a3574041d63181355fff0a54ae909735
Instruction Fuzzy Hash: 6A018871F412087BCB14E7A0C992EFFB3A8DF06310F554015BA12671C2EA156F1C9671

Function 00DF9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7F41: _memmove.LIBCMT ref: 00DA7F82

Part of subcall function 00DFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DFB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DF92D0

Strings

ListBox, xrefs: 00DF929C
ComboBox, xrefs: 00DF9271

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4d230b781bf592b8f0824faf2bb69f5d5444b8c9764616321f0c864dce88acb7
Instruction ID: 2e771ac8c614a3e6cc48a44d14b4fff522a6f118f70e67d8c8be5880957e0cb3
Opcode Fuzzy Hash: 4d230b781bf592b8f0824faf2bb69f5d5444b8c9764616321f0c864dce88acb7
Instruction Fuzzy Hash: AF018471E412087BCB04E7A4C992EFEB7A8DF12310B554116B91263182EA115F0C9275

Function 00DC6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DC6DD0
__calloc_crt.LIBCMT ref: 00DC6DE9

Strings

@R, xrefs: 00DC6E00

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 9aea7206865c496c1b67d10e92937c883e8c5e8812b31faa2905469c51839cfe
Instruction ID: df6ea726aa9df3dfde8b06b33f139ad19d1e90d772c5a2f3bdea2e34a2a7de17
Opcode Fuzzy Hash: 9aea7206865c496c1b67d10e92937c883e8c5e8812b31faa2905469c51839cfe
Instruction Fuzzy Hash: 50F04F71318617EFFB248F2AFD21F622795EB50760B14442FF101EB1A0EBB0C88996B1

Function 00E051CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E051E8
_wcscmp.LIBCMT ref: 00E051FA

Strings

#32770, xrefs: 00E051F4

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 959d11c5e9783c650809c30bd8f18cba630876d497c4fe26030c2f17b0e838e0
Instruction ID: 20ef1d5945c29cf9a15e0dbec390ccd1c3dda901c3f64ed5e29bffc59c1e0b84
Opcode Fuzzy Hash: 959d11c5e9783c650809c30bd8f18cba630876d497c4fe26030c2f17b0e838e0
Instruction Fuzzy Hash: 43E02B325003291BD720A695AC09F97F7BCEB44761F00016BFD10E3050E56099498BE1

Function 00DF81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DF81CA

Part of subcall function 00DC3598: _doexit.LIBCMT ref: 00DC35A2

Strings

Error allocating memory., xrefs: 00DF81C3
AutoIt, xrefs: 00DF81BE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e79827bdae33f1ff15265a4b5103834b515037e7661853d57748980dd93b23c3
Instruction ID: c40653926a7afed5bae4e624a436e38feb928322af11acc0e4c949edf65dd605
Opcode Fuzzy Hash: e79827bdae33f1ff15265a4b5103834b515037e7661853d57748980dd93b23c3
Instruction Fuzzy Hash: EED0123228535936D21432A56C0BFC969888B05B52F145429BB08765D389D1998252F9

Function 00DDB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DDB564: _memset.LIBCMT ref: 00DDB571

Part of subcall function 00DC0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DDB540,?,?,?,00DA100A), ref: 00DC0B89

IsDebuggerPresent.KERNEL32(?,?,?,00DA100A), ref: 00DDB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DA100A), ref: 00DDB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DDB54E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 7a8612407158f02ac989a85f2782b967766c084dc97d9dfa80373882b3bd6c30
Instruction ID: 09d7a3456d876a5d121004269c2886d99bdbc4553e2a606ed7a6d08d4175131e
Opcode Fuzzy Hash: 7a8612407158f02ac989a85f2782b967766c084dc97d9dfa80373882b3bd6c30
Instruction Fuzzy Hash: BCE06D70600311CFD721DF29F4047427BE0AB01B58F058A2EE446D3360DBB4E409CBB1

Function 00DE1D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00DE1B9F

Part of subcall function 00E1C304: LoadLibraryA.KERNEL32(kernel32.dll,?,00DE1D88,?), ref: 00E1C312
Part of subcall function 00E1C304: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E1C324

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00DE1D97

Strings

WIN_XPe, xrefs: 00DE1BB2

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 164d3f4d1fa323ac6d20a71806ffe502da93a7564a29936765dee831e7a64f73
Instruction ID: 698d9cedd0d0f1eb781d09fb0d187b9be6965c601db7e6ae2bccfd05b1de9f36
Opcode Fuzzy Hash: 164d3f4d1fa323ac6d20a71806ffe502da93a7564a29936765dee831e7a64f73
Instruction Fuzzy Hash: 74F039B4900049DFDB15EB92C988AEDBBF8AB09304F5400D5E052B2050E7708F89CF30

Function 00E09B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00E09B82
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00E09B99

Strings

aut, xrefs: 00E09B93

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 532af7ed9739278ccd989481465ad8fe51f9c550120327f4c51ddfd9e7be027b
Instruction ID: 8b926f0c2c48cdcb4ce0f3b8fb1c9a11daca8fb6183cdfd41bee5c1485fa0cd7
Opcode Fuzzy Hash: 532af7ed9739278ccd989481465ad8fe51f9c550120327f4c51ddfd9e7be027b
Instruction Fuzzy Hash: 76D0177A54030DABDA209A909C0EF9A773CA704702F0046B1BE64A11A1EEB055998AA1

Function 00E25BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E25BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E25C08

Part of subcall function 00E054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E0555E

Strings

Shell_TrayWnd, xrefs: 00E25BEE

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7455c1104f7520b54f1b4d61dd922ec30dc22f1ff872d3c4b3fdfe69ed174f19
Instruction ID: 8ba60787bdb9266937d7d81bfc0fb240d7c86f3bc20b64ad9827ae5318a76a21
Opcode Fuzzy Hash: 7455c1104f7520b54f1b4d61dd922ec30dc22f1ff872d3c4b3fdfe69ed174f19
Instruction Fuzzy Hash: A7D0A932388300BAE334AB30AC0BFD32A20AB00B01F000834BB06BA0D0C8E05805C640

Function 00E25C1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E25C35
PostMessageW.USER32(00000000), ref: 00E25C3C

Part of subcall function 00E054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E0555E

Strings

Shell_TrayWnd, xrefs: 00E25C2E

Memory Dump Source

Source File: 00000000.00000002.1855301649.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1855288320.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855356809.0000000000E55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855401740.0000000000E5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855419470.0000000000E68000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_mIzAhxUQjY.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f2a67f1ce0f75f86b06e31b9011b28de9d3c14e39d857c84a2efd1f44143d2e
Instruction ID: 52d791a7ded214db1ea3699cbc85a15ae63206a048a0cc429eaed314b952f38b
Opcode Fuzzy Hash: 0f2a67f1ce0f75f86b06e31b9011b28de9d3c14e39d857c84a2efd1f44143d2e
Instruction Fuzzy Hash: 31D0A9323C43007EE334AB30AC0BFC32620AB00B01F000834BB02BA0D0C8E06805C640

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mIzAhxUQjY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: mIzAhxUQjY.exePID: 7028, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
mIzAhxUQjY.exe

Function 00DA3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00DA4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00DA4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00DA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00DA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00DA71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00DA3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00DA3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00DA3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00DAFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
comCOMMON

Function 00DAF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00E1F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177
COMMON

Function 00DA39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00DA69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Function 00DA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON