Edit tour

Windows Analysis Report
iQPxJrxxaj.exe

Overview

General Information

Sample name:	iQPxJrxxaj.exe renamed because original name is a hash value
Original sample name:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d.exe
Analysis ID:	1542283
MD5:	fd379c5ed778ea1000da0b8c9458f7f8
SHA1:	59fa8241388e3020e3f539ffbe3892332b59cd93
SHA256:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
Infos:

Detection

PikaBot

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected PikaBot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iQPxJrxxaj.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\iQPxJrxxaj.exe" MD5: FD379C5ED778EA1000DA0B8C9458F7F8)

ctfmon.exe (PID: 7428 cmdline: "C:\Windows\SysWOW64\ctfmon.exe -p 1234" MD5: 1B19D302D7FFA3D0901B3D990A4E8E12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Pikabot	Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.	No Attribution	https://blog.cyber5w.com/2024/02/25/pikabotloader/ https://blog.cyber5w.com/malware%20analysis/PikabotLoader/ https://blog.krakz.fr/notes/syswhispers2/ https://blog.pulsedive.com/pikabot/ https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot

Malware Configuration

Threatname: Pikabot

{"C2 list": ["139.84.237.229:2967", "85.239.243.155:5000", "104.129.55.104:2223", "37.60.242.85:9785", "95.179.191.137:5938", "65.20.66.218:5938", "158.220.80.157:9785", "104.129.55.103:2224", "158.220.80.167:2967"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1821764268.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.iQPxJrxxaj.exe.5340000.1.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.3.iQPxJrxxaj.exe.49d0000.0.raw.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.2.iQPxJrxxaj.exe.5340000.1.raw.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.3.iQPxJrxxaj.exe.49d0000.0.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iQPxJrxxaj.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1857877690.0000000005694000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Pikabot {"C2 list": ["139.84.237.229:2967", "85.239.243.155:5000", "104.129.55.104:2223", "37.60.242.85:9785", "95.179.191.137:5938", "65.20.66.218:5938", "158.220.80.157:9785", "104.129.55.103:2224", "158.220.80.167:2967"]}

Multi AV Scanner detection for submitted file

Source: iQPxJrxxaj.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.1% probability

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005A2C20 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,

0_2_005A2C20

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Unpacked PE file: 0.2.iQPxJrxxaj.exe.5340000.1.unpack

Source: iQPxJrxxaj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iQPxJrxxaj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: E:\cpp\Notepad3\Bin\Release_x86_v143\grepWinNP3.pdb source: iQPxJrxxaj.exe

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00649310 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00649310
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0059EBD0 PathIsDirectoryW,FindFirstFileExW,FindFirstFileW,GetLastError,FindClose,FindClose,		0_2_0059EBD0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 139.84.237.229:2967
Source: Malware configuration extractor	IPs: 85.239.243.155:5000
Source: Malware configuration extractor	IPs: 104.129.55.104:2223
Source: Malware configuration extractor	IPs: 37.60.242.85:9785
Source: Malware configuration extractor	IPs: 95.179.191.137:5938
Source: Malware configuration extractor	IPs: 65.20.66.218:5938
Source: Malware configuration extractor	IPs: 158.220.80.157:9785
Source: Malware configuration extractor	IPs: 104.129.55.103:2224
Source: Malware configuration extractor	IPs: 158.220.80.167:2967

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 158.220.80.167:2967

Source: Joe Sandbox View	IP Address: 37.60.242.85 37.60.242.85
Source: Joe Sandbox View	IP Address: 104.129.55.103 104.129.55.103

Source: Joe Sandbox View	ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View	ASN Name: CP-ASDE CP-ASDE
Source: Joe Sandbox View	ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167

Source: iQPxJrxxaj.exe	String found in binary or memory: http://tools.stefankueng.com
Source: iQPxJrxxaj.exe	String found in binary or memory: http://tools.stefankueng.comgrepWinNP3
Source: ctfmon.exe, 00000001.00000003.2787856275.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/
Source: ctfmon.exe, 00000001.00000003.2787856275.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/GY
Source: ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/api/admin.teams.settings.setIcon
Source: ctfmon.exe, 00000001.00000003.2787674000.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074149438.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787374939.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/api/admin.teams.settings.setIconro
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/character_classes.html
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/perl_syntax.html
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.cplusplus.com/reference/ctime/strftime/
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.regular-expressions.info/tutorial.html

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005B0B80 CloseClipboard,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,

0_2_005B0B80

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005B0B80 CloseClipboard,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,

0_2_005B0B80

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005E6780 GetDlgItem,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,SendMessageW,SendMessageW,GetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,SetFocus,IsDlgButtonChecked,SendMessageW,SendMessageW,

0_2_005E6780

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05341000 NtAlpcCreateSectionView,		0_2_05341000
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00781000 NtAcquireCrossVmMutant,		1_2_00781000

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005A77C0	0_2_005A77C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005CC1D0	0_2_005CC1D0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005EC1C0	0_2_005EC1C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0061A2C0	0_2_0061A2C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_006042D0	0_2_006042D0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005EE3E0	0_2_005EE3E0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005B15F0	0_2_005B15F0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005F47F0	0_2_005F47F0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0063382B	0_2_0063382B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005B9960	0_2_005B9960
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_006389F7	0_2_006389F7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005F49B0	0_2_005F49B0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0063AA60	0_2_0063AA60
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005D1A20	0_2_005D1A20
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00633B8A	0_2_00633B8A
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0064CECF	0_2_0064CECF
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00641FD4	0_2_00641FD4
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_053435F4	0_2_053435F4
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534844C	0_2_0534844C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534B4AC	0_2_0534B4AC
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534C6A0	0_2_0534C6A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_053446E0	0_2_053446E0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05341394	0_2_05341394
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534AF48	0_2_0534AF48
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05342918	0_2_05342918
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534997C	0_2_0534997C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534A8A0	0_2_0534A8A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_053481BC	0_2_053481BC
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_053462A8	0_2_053462A8
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05347D18	0_2_05347D18
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534684C	0_2_0534684C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05347888	0_2_05347888
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0078467C	1_2_0078467C
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00786740	1_2_00786740
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00785928	1_2_00785928
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_007880CC	1_2_007880CC
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00781A24	1_2_00781A24
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0078B4E0	1_2_0078B4E0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00782EC0	1_2_00782EC0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00782088	1_2_00782088

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: String function: 00580704 appears 184 times
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: String function: 006296D0 appears 54 times

Source: iQPxJrxxaj.exe, 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegrepWinNP3.exe6 vs iQPxJrxxaj.exe
Source: iQPxJrxxaj.exe	Binary or memory string: OriginalFilenamegrepWinNP3.exe6 vs iQPxJrxxaj.exe

Source: iQPxJrxxaj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.expl.evad.winEXE@3/0@0/9

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_0062A8C0 GetLastError,FormatMessageA,LocalFree,

0_2_0062A8C0

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_053410E8 CreateToolhelp32Snapshot,Process32FirstW,AnyPopup,GetLastError,

0_2_053410E8

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005DC3D0 CoCreateInstance,

0_2_005DC3D0

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_005A7170 MoveWindow,CloseWindow,DestroyWindow,SendMessageW,LoadCursorW,SetCursor,ShellExecuteW,EndDialog,GetClientRect,CreateWindowExW,FindResourceW,LoadResource,LockResource,SizeofResource,SendMessageW,SendMessageW,SetFocus,SendMessageW,SendMessageW,SendMessageW,

0_2_005A7170

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6473AA76-0EAE-4C96-8C99-AFDFEFFE42B5}
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6473AA76-0EAE-4C96-8C99-AFDFEFFE42B6}
Source: C:\Windows\SysWOW64\ctfmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6F70D3AF-34EF-433C-A803-E83654F6FD7C}

Source: iQPxJrxxaj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iQPxJrxxaj.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\iQPxJrxxaj.exe "C:\Users\user\Desktop\iQPxJrxxaj.exe"
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"	Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: iQPxJrxxaj.exe

Static file information: File size 1361408 > 1048576

Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iQPxJrxxaj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: iQPxJrxxaj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\cpp\Notepad3\Bin\Release_x86_v143\grepWinNP3.pdb source: iQPxJrxxaj.exe

Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Unpacked PE file: 0.2.iQPxJrxxaj.exe.5340000.1.unpack

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_0059E040 InitCommonControlsEx,SHGetKnownFolderPath,CoTaskMemFree,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0059E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_006290B8 push ecx; ret	0_2_006290CB
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00565270 push 683BC3B2h; ret	0_2_005688FF
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0056533A push esp; iretd	0_2_0056536B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005674CF pushfd ; retf	0_2_0059780D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005675EC push ED98EC23h; ret	0_2_00567622
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005675EC push ds; retf	0_2_0056771C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00563641 push ds; iretd	0_2_00563642
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00563856 push ecx; ret	0_2_0059490E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0056385B push ecx; ret	0_2_0059490E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00561899 push B0C117E4h; iretd	0_2_0056189E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005679CE push cs; retf	0_2_005679DA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005649E3 push cs; iretd	0_2_0056F727
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_005649AE push cs; iretd	0_2_0056F727
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00562AFD push ds; retf	0_2_0057CEBA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00562B02 push ds; retf	0_2_0057CEBA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00561D12 push cs; retf	0_2_00561D1F
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00563F71 pushfd ; retf	0_2_005757B1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00563F6C pushfd ; retf	0_2_005757B1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534844C push esi; mov dword ptr [esp], 000013C5h	0_2_05348CB9
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534844C push edi; mov dword ptr [esp], 000013C5h	0_2_05348CC3
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_05341000 push dword ptr [0535414Ch]; ret	0_2_05341064
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534DB3C push eax; mov dword ptr [esp], 0536CCA0h	0_2_0534DC12
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00781000 push dword ptr [0078F790h]; ret	1_2_00781064

Source: iQPxJrxxaj.exe

Static PE information: section name: .text entropy: 6.9913927134244815

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

0_2_0059E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_05341394 GetOEMCP,GetWindowTextLengthA,GetDialogBaseUnits,GetMessageTime,GetShellWindow,GetCurrentThreadId,GetSystemDefaultLangID,GetOEMCP,GetDesktopWindow,GetModuleHandleW,GetCurrentThreadId,GetLastActivePopup, mov byte ptr [ebp-00000419h], al

0_2_05341394

Source: C:\Windows\SysWOW64\ctfmon.exe TID: 7772

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00649310 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00649310
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0059EBD0 PathIsDirectoryW,FindFirstFileExW,FindFirstFileW,GetLastError,FindClose,FindClose,		0_2_0059EBD0

Source: ctfmon.exe, 00000001.00000002.3074218679.0000000002C26000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787833876.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787856275.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787374939.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787609025.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787513438.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787898793.0000000002C24000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_05343548 GetModuleHandleW,CheckRemoteDebuggerPresent,

0_2_05343548

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\ctfmon.exe

Code function: 1_2_007852F8 LdrLoadDll,LdrLoadDll,

1_2_007852F8

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_006294D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006294D1

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

0_2_0059E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0534C6A0 mov eax, dword ptr fs:[00000030h]	0_2_0534C6A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_053460B0 mov edx, dword ptr fs:[00000030h]	0_2_053460B0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00781468 mov esi, dword ptr fs:[00000030h]	1_2_00781468
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0078AE50 mov eax, dword ptr fs:[00000030h]	1_2_0078AE50

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_006294D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006294D1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0062986D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0062986D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0062EA53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062EA53

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"

Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_0062929C cpuid

0_2_0062929C

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_0064C014
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0064C09F
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_0064C2F2
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_0064642D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0064C41B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_0064C521
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0064C5F7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_00645EA7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_0064BF79
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_0064BF2E

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00629715 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00629715

Source: C:\Windows\SysWOW64\ctfmon.exe

Code function: 1_2_00786740 GetUserDefaultLCID,CreateMutexW,GetUserNameW,LocalAlloc,

1_2_00786740

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00647559 GetTimeZoneInformation,

0_2_00647559

Stealing of Sensitive Information

Yara detected PikaBot

Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.49d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.5340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.49d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1821764268.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PikaBot

Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.49d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.5340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.49d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1821764268.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iQPxJrxxaj.exe	79%	ReversingLabs	Win32.Trojan.Pikabot
iQPxJrxxaj.exe	100%	Avira	TR/Redcap.kbcgw

Name	Source	Malicious	Reputation
https://158.220.80.167:2967/	ctfmon.exe, 00000001.00000003.2787856275.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/GY	ctfmon.exe, 00000001.00000003.2787856275.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.cplusplus.com/reference/ctime/strftime/	iQPxJrxxaj.exe	false	unknown
http://tools.stefankueng.com	iQPxJrxxaj.exe	false	unknown
https://158.220.80.167:2967/api/admin.teams.settings.setIcon	ctfmon.exe, 00000001.00000002.3074015247.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/api/admin.teams.settings.setIconro	ctfmon.exe, 00000001.00000003.2787674000.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3074149438.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2787374939.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://tools.stefankueng.comgrepWinNP3	iQPxJrxxaj.exe	false	unknown
https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/character_classes.html	iQPxJrxxaj.exe	false	unknown
https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/perl_syntax.html	iQPxJrxxaj.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.60.242.85	unknown	Bulgaria	32475	SINGLEHOP-LLCUS	true
65.20.66.218	unknown	United States	199592	CP-ASDE	true
104.129.55.103	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
104.129.55.104	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
95.179.191.137	unknown	Netherlands	20473	AS-CHOOPAUS	true
158.220.80.167	unknown	Switzerland	8556	LEVANTISCH	true
139.84.237.229	unknown	United States	16498	LASALLEUS	true
85.239.243.155	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
158.220.80.157	unknown	Switzerland	8556	LEVANTISCH	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542283
Start date and time:	2024-10-25 18:50:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iQPxJrxxaj.exe renamed because original name is a hash value
Original Sample Name:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d.exe
Detection:	MAL
Classification:	mal96.troj.expl.evad.winEXE@3/0@0/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 72% Number of executed functions: 56 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: iQPxJrxxaj.exe

Simulations

Behavior and APIs

Time	Type	Description
12:51:51	API Interceptor	1x Sleep call for process: ctfmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
37.60.242.85	Lisect_AVT_24003_G1B_115.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_115.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_54.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_54.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_96.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_90.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_96.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_102.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_104.exe	Get hash	malicious	PikaBot	Browse
	file://introwebllc.com/public/HD.zip	Get hash	malicious	PikaBot	Browse
104.129.55.103	Qum.js	Get hash	malicious	Unknown	Browse
	Qum.js	Get hash	malicious	Unknown	Browse
	QOrxv3yrK2.exe	Get hash	malicious	Unknown	Browse
	QOrxv3yrK2.exe	Get hash	malicious	Unknown	Browse
	Ifhfdhjkshfhjkgs.exe	Get hash	malicious	Unknown	Browse
	Ifhfdhjkshfhjkgs.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	173.205.89.188
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	185.174.100.20
	mpsl.elf	Get hash	malicious	Mirai	Browse	154.205.102.28
	IMG465244247443 ORDER Opmagasinering.exe	Get hash	malicious	XWorm	Browse	104.223.35.76
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	23.153.31.252
	SecuriteInfo.com.Win32.MalwareX-gen.23086.24319.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.223.35.76
	http://tfmk.sweepshop.info/fwd/P2Q9OTU0NCZlaT00NDM2NzYzMSZpZj0zMTYwJmxpPTczNw	Get hash	malicious	Phisher	Browse	103.79.78.225
	QUOTE #46789-OCT24_JAMEELA TRD LLCS.bat.exe	Get hash	malicious	GuLoader	Browse	72.11.142.133
	sample.hta	Get hash	malicious	XWorm	Browse	107.150.23.154
	Re property pdf.exe	Get hash	malicious	FormBook	Browse	104.223.44.195
CP-ASDE	http://www.thegioimoicau.com/	Get hash	malicious	Unknown	Browse	65.21.45.74
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	arm.elf	Get hash	malicious	Unknown	Browse	65.21.50.224
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	65.21.196.90
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	TT Swift copy1.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	BL.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	rDRAWINGDWGSINC.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	https://eadzhost.net/quieter/QUOTE_TECNO_GAZ_INDUSTRIES_63787_MC.rar	Get hash	malicious	FormBook	Browse	65.21.29.43
	na.hta	Get hash	malicious	Cobalt Strike, FormBook, GuLoader	Browse	65.21.196.90
SINGLEHOP-LLCUS	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	96.127.180.42
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	216.104.42.28
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	173.236.97.217
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	69.175.95.50
	arm5.elf	Get hash	malicious	Unknown	Browse	65.60.17.27
	https://www.bing.com/ck/a?!&&p=c60f44e2e0299106bbda17ed4610b6a047eac19fa538687ebec1fc78213d7903JmltdHM9MTcyOTEyMzIwMA&ptn=3&ver=2&hsh=4&fclid=234c270a-e3bc-6c48-2bf3-3210e2866d6d&psq=Siemens+v17&u=a1aHR0cHM6Ly9wbGM0bWUuY29tL2Rvd25sb2FkLXRpYS1wb3J0YWwtdjE3LWZ1bGwtdmVyc2lvbi1nb29nbGVkcml2ZS8&ntb=1	Get hash	malicious	Unknown	Browse	172.96.186.147
	INVOICE_bwallman#E785IKK2.html	Get hash	malicious	HTMLPhisher	Browse	108.178.43.142
	http://www.fcc-movil.com/80th/enphem1sX2F0dG9ybmV5YXpAZmQub3Jn	Get hash	malicious	Phisher	Browse	198.20.104.206
	na.elf	Get hash	malicious	Mirai	Browse	65.63.38.146
	Remittance copy.shtml	Get hash	malicious	HTMLPhisher	Browse	108.178.26.90

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.904757414642191
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iQPxJrxxaj.exe
File size:	1'361'408 bytes
MD5:	fd379c5ed778ea1000da0b8c9458f7f8
SHA1:	59fa8241388e3020e3f539ffbe3892332b59cd93
SHA256:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
SHA512:	9de54ef1a15a70dcf266d24685b2c1e259170973a6c61033289303258f63e41cda1aa53335a91f8317a5963ede47a805c29dbe3f69c80f71a716515616669472
SSDEEP:	24576:7yTiqxhwB8ow5KiPUIRCv1N4JFMl2K1WKT3IDC95ag62:7yTiqxhw1rx1mY1Wm4DCOg62
TLSH:	0C55BE71B583C072E96212F1293D9B65666DBE648FB788CFF3C03D6D4431DC26936A0A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............S...S...S...R...S...RY..S3..R...S...R...S...R...S...R...S...R...S...R...S...R...S...S!..S...R...S..KS...S..#S...S...R...

File Icon


Icon Hash:	0d66c3d363135109

Static PE Info

General

Entrypoint:	0x4c90a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C4C527 [Thu Feb 8 12:12:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	639b8ce85c0ddfcaca9633440db01cad

Entrypoint Preview

Instruction
call 00007F2634B945B2h
jmp 00007F2634B93D6Fh
cmp ecx, dword ptr [005161C0h]
jne 00007F2634B93EF3h
ret
jmp 00007F2634B946D2h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F2634B93EC9h
jmp 00007F2634B93ED2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x113b84	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11c000	0x2b9f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x148000	0x7c0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1076e0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x107780	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x107620	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf9000	0x61c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf7cee	0xf7e00	e5d0129f14da84e1c0aed5958842ae7f	False	0.5985062484241049	data	6.9913927134244815	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf9000	0x1cde2	0x1ce00	f6abe18b71f5b04c0a374a8593849936	False	0.3782890286796537	data	4.77550999528983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x116000	0x5d34	0x3e00	57db2369eae20724a58ae59e568500db	False	0.17231602822580644	DOS executable (block device driver)	4.748370462370597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11c000	0x2b9f8	0x2ba00	dba96c6dbecb72154dcdddcc17b2d61a	False	0.40728532414040114	data	6.255321835115764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x148000	0x7c0c	0x7e00	b71209090055b617bcbc68cffa550b6d	False	0.6593501984126984	data	6.578028479435236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RTF	0x13feb0	0x6053	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033			0.10458656068778134
RT_ICON	0x11c8f0	0x884e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.997306127127873
RT_ICON	0x125140	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.21585531763870816
RT_ICON	0x135968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.3706306093528578
RT_ICON	0x139b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.48350622406639004
RT_ICON	0x13c138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5530018761726079
RT_ICON	0x13d1e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.6549180327868852
RT_ICON	0x13db68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7730496453900709
RT_MENU	0x13fe50	0x56	data			0.7325581395348837
RT_DIALOG	0x13e038	0xe4e	data			0.3735663571818678
RT_DIALOG	0x13ee88	0x324	data			0.40049751243781095
RT_DIALOG	0x13f1b0	0x15e	data			0.58
RT_DIALOG	0x13f310	0x12e	data			0.609271523178808
RT_DIALOG	0x13f440	0x1a4	data			0.5523809523809524
RT_DIALOG	0x13f5e8	0xc8	data			0.69
RT_DIALOG	0x13f6b0	0x7a0	data			0.42520491803278687
RT_STRING	0x145f08	0x12c	data			0.52
RT_STRING	0x146038	0x560	data			0.42151162790697677
RT_STRING	0x146598	0x200	data			0.5
RT_STRING	0x146798	0x4aa	data			0.40033500837520936
RT_STRING	0x146c48	0x4d0	data			0.336038961038961
RT_STRING	0x147150	0xea	data			0.5213675213675214
RT_STRING	0x147118	0x36	data			0.6481481481481481
RT_ACCELERATOR	0x13fea8	0x8	data			2.0
RT_GROUP_ICON	0x13dfd0	0x68	data			0.7596153846153846
RT_VERSION	0x11c600	0x2ec	data	English	United States	0.4451871657754011
RT_MANIFEST	0x147240	0x7b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1912), with CRLF line terminators	English	United States	0.32302231237322515

Imports

DLL	Import
SHLWAPI.dll	PathRelativePathToW, SHGetValueW, AssocQueryStringW, StrFormatByteSizeW, PathCompactPathExW, SHAutoComplete, PathRemoveFileSpecW, PathAppendW, SHDeleteKeyW, PathIsRootW, PathCanonicalizeW, PathIsRelativeW, PathIsURLW, PathIsDirectoryW, PathFileExistsW, SHSetValueW, StrCmpLogicalW
UxTheme.dll	CloseThemeData, GetThemeInt, GetThemeBackgroundContentRect, SetWindowTheme, OpenThemeData, GetThemeColor, BeginBufferedPaint, BufferedPaintSetAlpha, EndBufferedPaint, DrawThemeBackground
KERNEL32.dll	lstrlenW, MultiByteToWideChar, FindResourceW, LoadResource, LockResource, SizeofResource, GetCurrentThreadId, GetFullPathNameW, GetLongPathNameW, GetShortPathNameW, GetModuleFileNameW, CreateFileW, CloseHandle, CreateDirectoryW, GetCurrentDirectoryW, Sleep, SetCurrentDirectoryW, FormatMessageW, GetTickCount64, GetWindowsDirectoryW, GetCurrentProcess, GetFileTime, WriteFile, SetFileTime, GetFileSizeEx, GlobalMemoryStatusEx, ReadFile, WideCharToMultiByte, GetFileSize, FlushFileBuffers, SetFilePointer, SetEndOfFile, GetCommandLineW, SetDllDirectoryW, CreateMutexW, GetSystemDirectoryW, SystemTimeToFileTime, SetErrorMode, GetUserDefaultLCID, GetStringTypeExW, LoadLibraryA, LCMapStringW, ExpandEnvironmentStringsW, OutputDebugStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetStringTypeExA, LCMapStringA, GetSystemTime, FileTimeToSystemTime, CreateThread, CreateProcessW, GetFileInformationByHandle, CompareFileTime, CopyFileW, GetFileAttributesW, SetFileAttributesW, MoveFileExA, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetDateFormatW, GetTimeFormatW, CreateFileA, CreateFileMappingW, MapViewOfFile, GlobalAddAtomW, GlobalUnlock, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, EnumSystemLocalesW, IsValidLocale, GetLocaleInfoW, CompareStringW, ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, SetFilePointerEx, GetFileType, HeapAlloc, HeapFree, GetStdHandle, ExitProcess, SetEnvironmentVariableW, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, CreateFileMappingA, GetModuleHandleA, MapViewOfFileEx, TerminateProcess, InitializeSListHead, GetCurrentProcessId, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, GetSystemTimeAsFileTime, LCMapStringEx, DecodePointer, EncodePointer, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, RaiseException, IsProcessorFeaturePresent, GetModuleHandleExW, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWork, FreeLibraryWhenCallbackReturns, SleepConditionVariableSRW, WakeAllConditionVariable, WakeConditionVariable, GetNativeSystemInfo, InitOnceBeginInitialize, InitOnceComplete, TryAcquireSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetStringTypeW, FormatMessageA, lstrcpyW, GlobalFree, GlobalLock, GlobalAlloc, FindNextFileW, FindClose, FindFirstFileW, FindFirstFileExW, lstrcpynW, GetModuleHandleW, MulDiv, GetLastError, GetProcAddress, FreeLibrary, LoadLibraryW, SetLastError, VerifyVersionInfoW, VerSetConditionMask, LocalFree, LocalAlloc, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW, DeleteAtom, UnmapViewOfFile
USER32.dll	GetSysColor, PostMessageW, CheckDlgButton, GetKeyState, RedrawWindow, CreatePopupMenu, CheckMenuItem, LoadIconA, CreateWindowExA, CheckRadioButton, SendDlgItemMessageW, AppendMenuW, DestroyMenu, SetCursor, GetClassNameW, InvalidateRgn, BeginPaint, GetClientRect, GetWindowLongW, SendMessageW, GetWindowTextLengthW, GetWindowTextW, EndPaint, DrawTextW, InflateRect, GetWindowRect, GetCursorPos, GetDCEx, LoadStringA, SetTimer, PtInRect, GetFocus, GetSystemMetrics, IntersectRect, MapWindowPoints, GetParent, GetDC, ReleaseDC, ScreenToClient, SystemParametersInfoW, DialogBoxParamW, CreateDialogParamW, EnableWindow, ShowWindow, BringWindowToTop, SetForegroundWindow, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, DestroyWindow, EndDialog, SetFocus, KillTimer, IsDlgButtonChecked, EnumWindows, RegisterWindowMessageW, TrackPopupMenu, GetSubMenu, LoadMenuW, ClientToScreen, CreateDialogIndirectParamW, GetWindowPlacement, GetDesktopWindow, CopyRect, LoadStringW, SetDlgItemTextW, DrawIconEx, GetSysColorBrush, SetClipboardData, EmptyClipboard, OpenClipboard, CloseClipboard, EnumDisplayMonitors, GetMonitorInfoW, SetWindowTextW, SetMenuItemInfoW, GetMenuItemInfoW, GetMenuItemCount, GetSystemMenu, EnumThreadWindows, EnumChildWindows, CloseWindow, LoadCursorW, InsertMenuW, SetCapture, ReleaseCapture, DrawFocusRect, RemovePropW, GetPropW, SetPropW, RegisterClipboardFormatW, IsZoomed, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, InvalidateRect, SetWindowRgn, CallWindowProcW, SetWindowPlacement, MoveWindow, GetWindowDC, SetLayeredWindowAttributes, MessageBoxW, SetCursorPos, GetDlgItemTextW, DefDlgProcW, CreateWindowExW, SetWindowLongW, GetDlgItem, LoadImageW, SetWindowPos, OffsetRect
GDI32.dll	CombineRgn, SetRectRgn, CreateRectRgnIndirect, CreateRectRgn, SetBkMode, CreateFontIndirectW, GetObjectW, ExtTextOutW, SetBkColor, GetDeviceCaps, SetTextColor, EnumFontsW, CreateSolidBrush, SelectObject, DeleteObject, PatBlt
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	RegCloseKey, RegOpenKeyW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegDeleteValueW, CryptAcquireContextW, RegOpenKeyExW, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash
SHELL32.dll	DragQueryFileW, SHGetDesktopFolder, SHGetFolderPathW, SHGetFileInfoW, CommandLineToArgvW, ShellExecuteW, ShellExecuteExW, SHGetKnownFolderPath, SHCreateItemFromParsingName
ole32.dll	CoCreateInstance, ReleaseStgMedium, OleDuplicateData, DoDragDrop, CoUninitialize, OleInitialize, OleUninitialize, RegisterDragDrop, CoTaskMemFree, CoTaskMemAlloc, CoInitializeEx
gdiplus.dll	GdipDeleteGraphics, GdipCreateFromHDC, GdipAddPathArcI, GdipClosePathFigure, GdipStartPathFigure, GdipResetPath, GdipDeletePath, GdipCreatePath, GdipSetPenDashStyle, GdipDeletePen, GdipCreatePen1, GdipDrawRectangleI, GdipAlloc, GdipFree, GdiplusShutdown, GdiplusStartup, GdipDrawPath
COMCTL32.dll	InitCommonControlsEx, ImageList_GetImageCount, ImageList_GetImageInfo
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 18:51:45.552912951 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:45.558635950 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:45.558753967 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:45.563097000 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:45.568798065 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:48.027631044 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:48.027774096 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:48.027901888 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:48.028340101 CEST	49739	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:48.033226967 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:48.033934116 CEST	2967	49739	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:48.034013033 CEST	49739	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:48.035166979 CEST	49739	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:48.040625095 CEST	2967	49739	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:51.706547976 CEST	2967	49739	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:51.706676960 CEST	49739	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:51.706990957 CEST	49739	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:51.707211018 CEST	49740	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:51.712502003 CEST	2967	49739	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:51.712716103 CEST	2967	49740	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:51.712799072 CEST	49740	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:51.713594913 CEST	49740	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:51:51.719238997 CEST	2967	49740	158.220.80.167	192.168.2.4
Oct 25, 2024 18:51:51.719300032 CEST	49740	2967	192.168.2.4	158.220.80.167

Target ID:	0
Start time:	12:51:13
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\iQPxJrxxaj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iQPxJrxxaj.exe"
Imagebase:	0x560000
File size:	1'361'408 bytes
MD5 hash:	FD379C5ED778EA1000DA0B8C9458F7F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PikaBot, Description: Yara detected PikaBot, Source: 00000000.00000003.1821764268.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PikaBot, Description: Yara detected PikaBot, Source: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:51:18
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ctfmon.exe -p 1234"
Imagebase:	0xb50000
File size:	9'728 bytes
MD5 hash:	1B19D302D7FFA3D0901B3D990A4E8E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	33.8%
Signature Coverage:	32%
Total number of Nodes:	1468
Total number of Limit Nodes:	41

Executed Functions

Function 053446E0 Relevance: 74.8, APIs: 14, Strings: 28, Instructions: 1343threadCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 0534472C
GetThreadUILanguage.KERNEL32 ref: 05344788
SetLastError.KERNEL32 ref: 05344848
GetDesktopWindow.USER32 ref: 05344972

Part of subcall function 05351790: GetOEMCP.KERNEL32 ref: 0535179E
Part of subcall function 05351790: GetLastActivePopup.USER32 ref: 053517B9

GetShellWindow.USER32 ref: 05344E01
GetCurrentThread.KERNEL32 ref: 05344EAF
GetTopWindow.USER32 ref: 05344EBC
SetLastError.KERNEL32(?), ref: 053454C2
GetCurrentThreadId.KERNEL32 ref: 05345790
AnyPopup.USER32 ref: 05345806
SetLastError.KERNEL32 ref: 053458B0
GetTopWindow.USER32 ref: 053458E7
GetLastActivePopup.USER32(00000001), ref: 05345B21
GetForegroundWindow.USER32(00000001), ref: 05345CE4

Strings

SdbpOpenLocalDatabaseEx, xrefs: 05345AA7
The requested system device cannot be found., xrefs: 0534518D
SXS: %s() NtMapViewOfSection failed, xrefs: 05345D28
Invalid value type, xrefs: 053450CD
Specified present path is not in VidPN's topology., xrefs: 05345B5D
RtlStringCchPrintfW failed [%x], xrefs: 05344D0B, 05345040, 05345048, 053450B9, 053450C1, 05345150, 053453AD, 05345759, 05345953, 05345B4D, 05345CA3, 05345D01
The operation is not supported by the specified layer., xrefs: 05345B55
AslPathWildcardFindFirst/Next failed to find a file [%x], xrefs: 05344E97
Microsoft Time-Stamp PCA 2010, xrefs: 05345001
{Virtual Memory Minimum Too Low}, xrefs: 05344709, 053448D7
Initializing TLS slots failed with status 0x%08lx, xrefs: 05345A08
NonRFGImageLoad, xrefs: 05344F82
DebugProcessHeapOnly, xrefs: 05344A21
Built-in WEBP Codec, xrefs: 05344B80
STATUS_ABANDONED_WAIT_0, xrefs: 053447B7, 05344A58, 05344BE7, 05344D76, 05344DC4, 05344F42, 05345037, 05345232, 0534535E, 053453F4, 05345511, 0534571A, 053459F6, 05345E48
The action type is not compatible with the layer., xrefs: 05344A3C, 05344C21, 05344F76, 05345178, 0534527A, 0534572B, 05345826, 0534596F, 05345977, 05345CF9, 05345D20, 05345E6C, 05345E78
Nullsoft.NSIS, xrefs: 05345462, 053454C8
The directory is a reparse point., xrefs: 053453B5
WER/CrashAPI:%u: TRACE WERP_DEBUGGER_INFO.ProtectionLevel: %08X, xrefs: 05345983
The specified object has already been initialized., xrefs: 05345B65
An operation was attempted to a volume after it was dismounted., xrefs: 053447FB, 05344982, 05344BAB, 05344C15, 05344C2D, 05344D5B, 05345180, 05345723, 05345765, 053457D0, 053458ED, 05345AB3, 05345BA7
The printer power has been turned off., xrefs: 05345A10
The cloud sync provider failed user authentication., xrefs: 05345229
Invalid COM Descriptor virtual address encountered, xrefs: 0534565D
Business rule scripts are disabled for the calling application., xrefs: 053458CF
LdrpResGetMappingSize Exit, xrefs: 05345A00
The QUIC connection handshake failed., xrefs: 053457DD
The remote user session has been deleted., xrefs: 05344A65

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Last$ErrorPopupThread$ActiveCurrent$DesktopForegroundLanguageShell
String ID: An operation was attempted to a volume after it was dismounted.$AslPathWildcardFindFirst/Next failed to find a file [%x]$Built-in WEBP Codec$Business rule scripts are disabled for the calling application.$DebugProcessHeapOnly$Initializing TLS slots failed with status 0x%08lx$Invalid COM Descriptor virtual address encountered$Invalid value type$LdrpResGetMappingSize Exit$Microsoft Time-Stamp PCA 2010$NonRFGImageLoad$Nullsoft.NSIS$RtlStringCchPrintfW failed [%x]$STATUS_ABANDONED_WAIT_0$SXS: %s() NtMapViewOfSection failed$SdbpOpenLocalDatabaseEx$Specified present path is not in VidPN's topology.$The QUIC connection handshake failed.$The action type is not compatible with the layer.$The cloud sync provider failed user authentication.$The directory is a reparse point.$The operation is not supported by the specified layer.$The printer power has been turned off.$The remote user session has been deleted.$The requested system device cannot be found.$The specified object has already been initialized.$WER/CrashAPI:%u: TRACE WERP_DEBUGGER_INFO.ProtectionLevel: %08X${Virtual Memory Minimum Too Low}
API String ID: 1879556982-341976307
Opcode ID: 6946599b006502724313d815d1944d44cbc8b6df2b4ae2f94db59d08a37f616a
Instruction ID: f7304e2fe47d7073a1bd59b4b5d659eda159596f73852c3f785b38cd4347f44e
Opcode Fuzzy Hash: 6946599b006502724313d815d1944d44cbc8b6df2b4ae2f94db59d08a37f616a
Instruction Fuzzy Hash: F5D212749282988FEB11CF78D4853A97FF5FB05308F9488AED889DB301DA749985CF91

Function 0059E040 Relevance: 73.9, APIs: 26, Strings: 16, Instructions: 368
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControlsEx.COMCTL32(?), ref: 0059E0EF
SHGetKnownFolderPath.SHELL32(00659740,00000000,00000000,00000000), ref: 0059E132
CoTaskMemFree.OLE32(00000000,00000000,-00000002), ref: 0059E16C
LoadLibraryW.KERNEL32(?), ref: 0059E32F
GetProcAddress.KERNEL32(00000000,AllowDarkModeForApp), ref: 0059E363
GetProcAddress.KERNEL32(00000000,SetPreferredAppMode), ref: 0059E372
GetProcAddress.KERNEL32(AllowDarkModeForWindow), ref: 0059E384
GetProcAddress.KERNEL32(ShouldAppsUseDarkMode), ref: 0059E396
GetProcAddress.KERNEL32(IsDarkModeAllowedForWindow), ref: 0059E3A8
GetProcAddress.KERNEL32(IsDarkModeAllowedForApp), ref: 0059E3BA
GetProcAddress.KERNEL32(ShouldSystemUseDarkMode), ref: 0059E3CC
GetProcAddress.KERNEL32(RefreshImmersiveColorPolicyState), ref: 0059E3DE
GetProcAddress.KERNEL32(GetIsImmersiveColorUsingHighContrast), ref: 0059E3F0
GetProcAddress.KERNEL32(FlushMenuThemes), ref: 0059E402
GetModuleHandleW.KERNEL32(user32.dll,SetWindowCompositionAttribute), ref: 0059E413
GetProcAddress.KERNEL32(00000000), ref: 0059E41A
GetProcAddress.KERNEL32(00000087), ref: 0059E43D
GetProcAddress.KERNEL32(00000087), ref: 0059E460
GetProcAddress.KERNEL32(00000085), ref: 0059E47B
GetProcAddress.KERNEL32(00000084), ref: 0059E496
GetProcAddress.KERNEL32(00000089), ref: 0059E4B1
GetProcAddress.KERNEL32(0000008B), ref: 0059E4CC
GetProcAddress.KERNEL32(0000008A), ref: 0059E4E7
GetProcAddress.KERNEL32(00000068), ref: 0059E4FF
GetProcAddress.KERNEL32(0000006A), ref: 0059E517
GetProcAddress.KERNEL32(00000088), ref: 0059E532

Strings

AllowDarkModeForApp, xrefs: 0059E35D
invalid stol argument, xrefs: 0059E585, 0059E599, 0059E5AD
IsDarkModeAllowedForWindow, xrefs: 0059E398
IsDarkModeAllowedForApp, xrefs: 0059E3AA
uxtheme.dll, xrefs: 0059E31B
\uxtheme.dll, xrefs: 0059E172
SetWindowCompositionAttribute, xrefs: 0059E404
GetIsImmersiveColorUsingHighContrast, xrefs: 0059E3E0
FlushMenuThemes, xrefs: 0059E3F2
RefreshImmersiveColorPolicyState, xrefs: 0059E3CE
ShouldAppsUseDarkMode, xrefs: 0059E386
SetPreferredAppMode, xrefs: 0059E36C
AllowDarkModeForWindow, xrefs: 0059E379
stol argument out of range, xrefs: 0059E58F, 0059E5A3, 0059E5B7
user32.dll, xrefs: 0059E409
ShouldSystemUseDarkMode, xrefs: 0059E3BC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$CommonControlsFolderFreeHandleInitKnownLibraryLoadModulePathTask
String ID: AllowDarkModeForApp$AllowDarkModeForWindow$FlushMenuThemes$GetIsImmersiveColorUsingHighContrast$IsDarkModeAllowedForApp$IsDarkModeAllowedForWindow$RefreshImmersiveColorPolicyState$SetPreferredAppMode$SetWindowCompositionAttribute$ShouldAppsUseDarkMode$ShouldSystemUseDarkMode$\uxtheme.dll$invalid stol argument$stol argument out of range$user32.dll$uxtheme.dll
API String ID: 1016854174-2742066203
Opcode ID: 9412fdde13e27784252e46781f4e9534afd3bfc3ba3034f64363e4e781a0ee68
Instruction ID: 6949abbc76811268f0df7c73fa6c547b408b10fe35ede68cfd077abe0b901577
Opcode Fuzzy Hash: 9412fdde13e27784252e46781f4e9534afd3bfc3ba3034f64363e4e781a0ee68
Instruction Fuzzy Hash: 53E1AFB4D102189FDF18DF64EC5ABAD7FB6FB05B04F042529E808AB2A4DB755980CF91

Function 0534844C Relevance: 69.3, APIs: 23, Strings: 16, Instructions: 1093threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 053484DE
GetUserDefaultLangID.KERNEL32 ref: 05348613
GetLargePageMinimum.KERNEL32 ref: 05348667
GetThreadUILanguage.KERNEL32 ref: 05348777
GetWindowTextLengthW.USER32 ref: 05348AEE
GetForegroundWindow.USER32 ref: 05348BBC
GetWindowTextLengthA.USER32 ref: 05348BCA
SetLastError.KERNEL32(00000000), ref: 05348C35
GetLastActivePopup.USER32(00000000), ref: 05348CB6
GetLastActivePopup.USER32(Failed to get the database ID), ref: 05348CC0
GetLastActivePopup.USER32(?), ref: 05348CCA
GetTopWindow.USER32(00000000), ref: 05348D6F
GetThreadUILanguage.KERNEL32(00000000), ref: 05348EFF
GetModuleHandleW.KERNEL32 ref: 05348F9B
GetThreadUILanguage.KERNEL32 ref: 05349006
GetTickCount.KERNEL32 ref: 05349049
GetLastError.KERNEL32 ref: 05349098
GetLastError.KERNEL32 ref: 05349180
GetParent.USER32 ref: 0534918E

Part of subcall function 0534A8A0: GetUserDefaultLangID.KERNEL32 ref: 0534A90D

GetSystemDefaultLangID.KERNEL32 ref: 05349475
GetTopWindow.USER32 ref: 05349564
GetLastActivePopup.USER32(0000003F), ref: 053495B7
GetOEMCP.KERNEL32(82040462), ref: 053495F6

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 053484BE, 053485F3, 05348630, 053488BB, 05348A2F, 05348CCC, 05348D41, 05348E19, 05348F06, 05348F94, 0534913D, 053491B2, 05349403, 053494D3, 0534956A, 05349614, 053496EB
The operation was blocked by parental controls., xrefs: 05348713, 053488C3, 053489FD, 05348A5F, 05348C3B, 05348F64, 05349200, 053494CB, 05349683, 053496A7
DaylightBias, xrefs: 0534847A
?, xrefs: 053493D3
An error occurred while NDIS tried to map the file., xrefs: 0534909E, 0534967B, 053496F3
A key manager capable of key dictation is already registered, xrefs: 05348624
[, xrefs: 053491EC
drvGetDefaultCommConfigW, xrefs: 0534882F, 05348E66
^, xrefs: 053493DF
Failed to get the database ID, xrefs: 05348889, 05348CB8
SXS: %s() BaseDllMapResourceIdA failed, xrefs: 0534878E, 05348837, 05348B11, 05348B2C, 05348B34, 05348B4F, 05348B6A, 05348B72, 05348E6E, 05348EA0, 053490EC, 0534916C, 05349174, 053494E4, 05349526, 0534952E, 053496AF
2, xrefs: 0534900A
&, xrefs: 053490B2
#, xrefs: 053491E2
M, xrefs: 05349014
H, xrefs: 0534932F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$Window$ActivePopupThread$DefaultErrorLangLanguage$LengthTextUser$CountCurrentForegroundHandleLargeMinimumModulePageParentSystemTick
String ID: #$&$2$?$A key manager capable of key dictation is already registered$An error occurred while NDIS tried to map the file.$DaylightBias$DefaultBrowser_NOPUBLISHERID$Failed to get the database ID$H$M$SXS: %s() BaseDllMapResourceIdA failed$The operation was blocked by parental controls.$[$^$drvGetDefaultCommConfigW
API String ID: 2889099878-380783571
Opcode ID: 6af329a8d55531f1a836f304488bc7d86ba5658f8c7de167ff66691de6e7bba4
Instruction ID: 99545cf59211e6444db9ec38a754fed176b6b436c79d6f48cf46f5992d81fc18
Opcode Fuzzy Hash: 6af329a8d55531f1a836f304488bc7d86ba5658f8c7de167ff66691de6e7bba4
Instruction Fuzzy Hash: 5BB2CE719252448FCB11DF69E48A6AABFF9FB44308FC485AEE488CF241EB359541CF85

Function 005DC3D0 Relevance: 66.6, APIs: 1, Strings: 36, Instructions: 1865comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00659790,00000000,00000001,0066592C,?), ref: 005DE064

Strings

Software\grepWinNP3\OpacityNoFocus, xrefs: 005DDF92
$!f, xrefs: 005DC77A
Software\grepWinNP3\DotMatchesNewline, xrefs: 005DD33C
}, xrefs: 005DDE4F
Software\grepWinNP3\SizeCombo, xrefs: 005DCA98
Software\grepWinNP3\Date1High, xrefs: 005DDBEB
Software\grepWinNP3\CaseSensitive, xrefs: 005DD28F
$!f, xrefs: 005DC7B6
Software\grepWinNP3\backupinfolder, xrefs: 005DD9C8
$!f, xrefs: 005DC798
Software\grepWinNP3\DateLimit, xrefs: 005DDA75
Software\grepWinNP3\IncludeBinary, xrefs: 005DCE31
Software\grepWinNP3\pattern, xrefs: 005DD4EC
2000, xrefs: 005DC954
Software\grepWinNP3\searchpath, xrefs: 005DD770
$!f, xrefs: 005DC73E
Software\grepWinNP3\StayOnTop, xrefs: 005DDED7
Software\grepWinNP3\KeepFileDate, xrefs: 005DCFA7
Software\grepWinNP3\Date2High, xrefs: 005DDD61
Software\grepWinNP3\UseFileMatchRegex, xrefs: 005DD3F7
Software\grepWinNP3\IncludeSymLinks, xrefs: 005DCD76
Software\grepWinNP3\ExcludeDirsPattern, xrefs: 005DD62E
Software\grepWinNP3\ShowContent, xrefs: 005DDE1C
Software\grepWinNP3\IncludeHidden, xrefs: 005DCC00
Software\grepWinNP3\AllSize, xrefs: 005DC88C
Software\grepWinNP3\IncludeSubfolders, xrefs: 005DCCBB
$!f, xrefs: 005DC75C
Software\grepWinNP3\UseRegex, xrefs: 005DC7DC
Software\grepWinNP3\Size, xrefs: 005DC982
Software\grepWinNP3\WholeWords, xrefs: 005DD062
Software\grepWinNP3\Date1Low, xrefs: 005DDB30
Software\grepWinNP3\UTF8, xrefs: 005DD11D
Software\grepWinNP3\CreateBackup, xrefs: 005DCEEC
Software\grepWinNP3\editorcmd, xrefs: 005DD8B2
Software\grepWinNP3\IncludeSystem, xrefs: 005DCB45
Software\grepWinNP3\Date2Low, xrefs: 005DDCA6

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance
String ID: $!f$$!f$$!f$$!f$$!f$2000$Software\grepWinNP3\AllSize$Software\grepWinNP3\CaseSensitive$Software\grepWinNP3\CreateBackup$Software\grepWinNP3\Date1High$Software\grepWinNP3\Date1Low$Software\grepWinNP3\Date2High$Software\grepWinNP3\Date2Low$Software\grepWinNP3\DateLimit$Software\grepWinNP3\DotMatchesNewline$Software\grepWinNP3\ExcludeDirsPattern$Software\grepWinNP3\IncludeBinary$Software\grepWinNP3\IncludeHidden$Software\grepWinNP3\IncludeSubfolders$Software\grepWinNP3\IncludeSymLinks$Software\grepWinNP3\IncludeSystem$Software\grepWinNP3\KeepFileDate$Software\grepWinNP3\OpacityNoFocus$Software\grepWinNP3\ShowContent$Software\grepWinNP3\Size$Software\grepWinNP3\SizeCombo$Software\grepWinNP3\StayOnTop$Software\grepWinNP3\UTF8$Software\grepWinNP3\UseFileMatchRegex$Software\grepWinNP3\UseRegex$Software\grepWinNP3\WholeWords$Software\grepWinNP3\backupinfolder$Software\grepWinNP3\editorcmd$Software\grepWinNP3\pattern$Software\grepWinNP3\searchpath$}
API String ID: 542301482-2027641394
Opcode ID: 8d9a6534ce6907cbb6ac2cbe6d284181ae5ad13c9d894269ddb5aa8f04c2efe8
Instruction ID: 222fc85387bd49ca4c381e7ae77b60d0900e764ab02174c55103136c6472003f
Opcode Fuzzy Hash: 8d9a6534ce6907cbb6ac2cbe6d284181ae5ad13c9d894269ddb5aa8f04c2efe8
Instruction Fuzzy Hash: FC1346B0D01749AEDB64DFA8C89879EBFF1BF08304F10461EE059AB791E7796654CB80

Function 05341394 Relevance: 52.0, APIs: 12, Strings: 17, Instructions: 1229threadwindowtimeCOMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32 ref: 0534164D
GetWindowTextLengthA.USER32 ref: 053417F5
GetDialogBaseUnits.USER32 ref: 05341D06
GetMessageTime.USER32 ref: 05341DFA

Part of subcall function 05350240: GetModuleHandleW.KERNEL32 ref: 053502B1
Part of subcall function 05350240: GetLastActivePopup.USER32(00000000), ref: 053502CC

GetShellWindow.USER32 ref: 0534208C
GetCurrentThreadId.KERNEL32 ref: 05342262
GetSystemDefaultLangID.KERNEL32 ref: 05342290
GetOEMCP.KERNEL32 ref: 05342331
GetDesktopWindow.USER32 ref: 0534240E

Part of subcall function 05351790: GetOEMCP.KERNEL32 ref: 0535179E
Part of subcall function 05351790: GetLastActivePopup.USER32 ref: 053517B9

GetModuleHandleW.KERNEL32 ref: 05342794
GetCurrentThreadId.KERNEL32 ref: 0534280F
GetLastActivePopup.USER32 ref: 053428B6

Strings

rswop.icm, xrefs: 053413BF
SXS: %s() NtMapViewOfSection failed, xrefs: 0534147A, 053414BD, 05341A42, 05341AA7, 05341AD9, 05341B82, 05341C5D, 05341ED6, 05341F21, 05341F5E, 05341F8B, 05341FDA, 0534211D, 053421FE, 053424E4, 053427EA, 053427F6
MachinePreferredUILanguages, xrefs: 05341968
SdbpCheckPackageAttributes, xrefs: 05341F3F
The cloud file provider exited unexpectedly., xrefs: 053424A3
Large Screen, xrefs: 05341A96
The command was not recognized by the security core, xrefs: 053421F2
The driver stack doesn't match the expected driver model., xrefs: 05341484, 05341494, 05341B8E, 05341FBE, 05341FCE, 05342011, 0534205F, 05342125, 05342135, 0534229B, 053422FE
Failed to get HWID, xrefs: 05342647
The RPC call completed before all pipes were processed., xrefs: 053413F5, 05341AE1, 05341B31, 05341B71, 05341CE3, 05341E24, 05341FB6, 05342029, 05342052, 0534222A, 053425B2, 0534269B, 053426B0, 05342821, 053428E1
Debugger received RIP exception., xrefs: 05341CD1
Network access is denied., xrefs: 053416EC
Floating-point inexact result., xrefs: 053414DD, 053417FE, 05341D32, 05341E49, 05341F19, 05342150, 05342358, 05342479, 053427B6
services.exe, xrefs: 0534148C, 05341792, 05341AED, 05341F66, 05341FC6, 0534212D
Object Path Component was not a directory object., xrefs: 05341596
Business rule scripts are disabled for the calling application., xrefs: 0534187A
The cluster node already exists., xrefs: 0534278D

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastPopupWindow$CurrentHandleModuleThread$BaseDefaultDesktopDialogLangLengthMessageShellSystemTextTimeUnits
String ID: Business rule scripts are disabled for the calling application.$Debugger received RIP exception.$Failed to get HWID$Floating-point inexact result.$Large Screen$MachinePreferredUILanguages$Network access is denied.$Object Path Component was not a directory object.$SXS: %s() NtMapViewOfSection failed$SdbpCheckPackageAttributes$The RPC call completed before all pipes were processed.$The cloud file provider exited unexpectedly.$The cluster node already exists.$The command was not recognized by the security core$The driver stack doesn't match the expected driver model.$rswop.icm$services.exe
API String ID: 474283001-2113168018
Opcode ID: 3c45c63fba451e4a94ab6442935b79bbc1ea36b13a8aee6a1cdfdb776b94dd66
Instruction ID: 47013d44f956d05c052a355bb6a4cd45e3cdfc85d33c86b7502fc8a338e38e75
Opcode Fuzzy Hash: 3c45c63fba451e4a94ab6442935b79bbc1ea36b13a8aee6a1cdfdb776b94dd66
Instruction Fuzzy Hash: E4C26835A142994ECB148FF998803EA7FF5FB46304F64D5BEE8889B241CA749985CF90

Function 053435F4 Relevance: 44.7, APIs: 12, Strings: 13, Instructions: 924windowtimethreadCOMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 053436DA
GetModuleHandleW.KERNEL32(00000000), ref: 05343798
GetMessageTime.USER32 ref: 053439B3
SetLastError.KERNEL32 ref: 05343AEE
GetForegroundWindow.USER32(00000000), ref: 05343D71
GetModuleHandleW.KERNEL32 ref: 05343EBF

Part of subcall function 0535058C: GetTopWindow.USER32 ref: 053505AC
Part of subcall function 0535058C: GetWindowTextLengthA.USER32 ref: 053505DC
Part of subcall function 0535058C: GetLargePageMinimum.KERNEL32(00000000), ref: 05350609

GetShellWindow.USER32 ref: 05343FF6
GetParent.USER32 ref: 05344041
GetOEMCP.KERNEL32 ref: 053440E3
GetThreadUILanguage.KERNEL32 ref: 053441ED
GetLastError.KERNEL32 ref: 05344305
GetUserDefaultLangID.KERNEL32 ref: 05344589

Part of subcall function 0534EB18: GetMessageTime.USER32 ref: 0534EB42
Part of subcall function 0534EB18: GetForegroundWindow.USER32 ref: 0534EB57
Part of subcall function 0534EB18: lstrlenW.KERNEL32 ref: 0534EC17

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 05343ABC, 05343BB7, 05343C57, 05343CB3, 05343FCE, 05344125, 0534412D, 05344135, 053441A9, 053441B1, 05344563, 0534456B
The server version does not match the requested version., xrefs: 05343AA8, 05343B29, 05343BA7, 05343C4B, 05343FC2, 05344165, 053441A1, 0534420D, 053444E0, 05344504, 0534455B
The package is currently not available., xrefs: 05343786, 0534398D, 053439DE, 05343AB0, 05343B31, 05343B8C, 05343C68, 05343CAB, 05343EB8, 05343F86, 05343F95, 05343FBA, 05343FDA, 05344010, 0534411D, 05344205, 053444D8, 0534466B, 05344678, 05344689
UUUUUUUU, xrefs: 05343808
The disk contains non-simple volumes., xrefs: 05344385
The callback data queue has been disabled., xrefs: 0534395D
{Mapped View Alignment Incorrect}, xrefs: 05343627
Win32AppCompat, xrefs: 05343C37
Too many Sids have been specified., xrefs: 05343633, 05343BAF, 05343BBF, 05343CBB, 05343CC3, 053441B9, 05344573
L, xrefs: 05344510
AVRF: exception raised while probing provider %ws , xrefs: 05343E6B
P, xrefs: 0534451A
FrontHeapLockCount, xrefs: 0534414C

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ErrorForegroundHandleLastLengthMessageModuleTextTime$DefaultLangLanguageLargeMinimumPageParentShellThreadUserlstrlen
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p) $AVRF: exception raised while probing provider %ws $FrontHeapLockCount$L$P$The callback data queue has been disabled.$The disk contains non-simple volumes.$The package is currently not available.$The server version does not match the requested version.$Too many Sids have been specified.$UUUUUUUU$Win32AppCompat${Mapped View Alignment Incorrect}
API String ID: 3832088895-2269772536
Opcode ID: 905de9bed24a97d2ba47f4c0c3a0676b17fad47045e560c02d71c2328006513b
Instruction ID: 93d041018959834fe93efb182f2374054bd5b9cfa2a752f5d04e9186f24b4cbd
Opcode Fuzzy Hash: 905de9bed24a97d2ba47f4c0c3a0676b17fad47045e560c02d71c2328006513b
Instruction Fuzzy Hash: C09232B19182988EDB51CF7894893A97FF9FB46304F54C8ADD8CD8B241CA34D985CFA1

Function 0534997C Relevance: 39.2, APIs: 12, Strings: 10, Instructions: 722
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastActivePopup.USER32 ref: 05349B75
GetWindowTextLengthA.USER32 ref: 05349C91
GetShellWindow.USER32 ref: 05349CCC
GetThreadUILanguage.KERNEL32 ref: 05349D55

Part of subcall function 0534FB34: lstrlenW.KERNEL32 ref: 0534FB79
Part of subcall function 0534FB34: GetWindowTextLengthW.USER32(00000000), ref: 0534FBC7
Part of subcall function 0534FB34: GetShellWindow.USER32 ref: 0534FBDD
Part of subcall function 0534FB34: SetLastError.KERNEL32 ref: 0534FC37
Part of subcall function 0534FB34: GetUserDefaultLangID.KERNEL32 ref: 0534FC3E
Part of subcall function 0534FB34: GetForegroundWindow.USER32 ref: 0534FC5F

Part of subcall function 0534B85C: RtlAllocateHeap.NTDLL(?,?,?,?,?,0534BF0B), ref: 0534B882

GetShellWindow.USER32 ref: 05349CE9

Part of subcall function 0534F2A8: GetTopWindow.USER32 ref: 0534F2BD

GetThreadUILanguage.KERNEL32 ref: 05349EE4
GetParent.USER32 ref: 05349F78
SetLastError.KERNEL32 ref: 05349FE3
GetCurrentThread.KERNEL32 ref: 0534A168

Part of subcall function 0534B88C: RtlFreeHeap.NTDLL ref: 0534B8B0

GetLastActivePopup.USER32(00000000), ref: 0534A38B
GetThreadUILanguage.KERNEL32 ref: 0534A43D
GetDialogBaseUnits.USER32 ref: 0534A5A2

Strings

InitOnceGetStringTableOffset, xrefs: 05349AB7, 05349D1C, 05349D6B, 05349D73, 05349D7B, 05349DD0, 05349DD8, 0534A2FF, 0534A3C3, 0534A3EC
*, xrefs: 0534A4F3
AslpFileGetClrVersionAttribute failed [%x], xrefs: 05349A98, 05349D2C, 05349F23, 0534A4A8
;, xrefs: 0534A4E7
Microsoft Himalaya, xrefs: 05349D24, 05349DE0, 0534A2CB
,, xrefs: 05349BE8
Error reading size data, xrefs: 05349B7B, 0534A452
[, xrefs: 05349E26
An attempt was made to execute an illegal instruction., xrefs: 053499CD, 05349A5C, 0534A075, 0534A1B2
@, xrefs: 0534A0CF

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$LastThread$LanguageShell$ActiveErrorHeapLengthPopupText$AllocateBaseCurrentDefaultDialogForegroundFreeLangParentUnitsUserlstrlen
String ID: *$,$;$@$An attempt was made to execute an illegal instruction.$AslpFileGetClrVersionAttribute failed [%x]$Error reading size data$InitOnceGetStringTableOffset$Microsoft Himalaya$[
API String ID: 3023793282-4021808248
Opcode ID: fc0bdf45dcef72c34bea12eb8bb6f76ea988013f99be597a76ac135c32e27516
Instruction ID: 0dcbab7b6e7b863737aa650ce28e99197452661343b0fdfc66cf9e6f688aa83d
Opcode Fuzzy Hash: fc0bdf45dcef72c34bea12eb8bb6f76ea988013f99be597a76ac135c32e27516
Instruction Fuzzy Hash: C7727AB5A243458FE710DF78D48A65ABBF9FB44348F80896EE489CB640EB74E940DF41

Function 05342918 Relevance: 35.7, APIs: 10, Strings: 10, Instructions: 687
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLargePageMinimum.KERNEL32 ref: 0534295C
GetForegroundWindow.USER32 ref: 05342A7B
GetWindowTextLengthA.USER32 ref: 05342AE2

Part of subcall function 053502E0: GetTickCount.KERNEL32 ref: 053502E6

Part of subcall function 0535058C: GetTopWindow.USER32 ref: 053505AC
Part of subcall function 0535058C: GetWindowTextLengthA.USER32 ref: 053505DC
Part of subcall function 0535058C: GetLargePageMinimum.KERNEL32(00000000), ref: 05350609

GetTickCount.KERNEL32 ref: 05342D0A
GetTopWindow.USER32 ref: 05342D35
lstrlenW.KERNEL32 ref: 05342E29
GetLastActivePopup.USER32 ref: 05342ED4
GetOEMCP.KERNEL32(00000000), ref: 0534312C

Part of subcall function 05352084: GetOEMCP.KERNEL32 ref: 05352096
Part of subcall function 05352084: GetLastActivePopup.USER32 ref: 053520B8
Part of subcall function 05352084: GetModuleHandleW.KERNEL32 ref: 053520D2
Part of subcall function 05352084: GetDialogBaseUnits.USER32 ref: 05352137
Part of subcall function 05352084: GetWindowTextLengthW.USER32 ref: 05352150

GetCurrentThreadId.KERNEL32 ref: 05343176

Part of subcall function 053513D4: GetCurrentThreadId.KERNEL32 ref: 053513F1
Part of subcall function 053513D4: GetDesktopWindow.USER32 ref: 0535141F
Part of subcall function 053513D4: GetParent.USER32 ref: 05351483
Part of subcall function 053513D4: SetLastError.KERNEL32 ref: 053514E9

Part of subcall function 05350240: GetModuleHandleW.KERNEL32 ref: 053502B1
Part of subcall function 05350240: GetLastActivePopup.USER32(00000000), ref: 053502CC

GetUserDefaultLangID.KERNEL32 ref: 05343523

Strings

SdbpCheckMatchingRegistryEntry, xrefs: 05342B71, 05342BF2, 05342D4E, 05343148, 05343268, 05343270, 053432E7, 053432EF
windows blue, xrefs: 05342A49, 05342A51, 05342B79, 05342B96, 05342BE6, 05342C58, 05342D46, 05342DFE, 05342E5A, 05342F63, 05342FDB, 053430DD, 05343132, 0534313B, 053431E1, 05343244, 0534333C, 05343376, 05343412, 0534341A, 053434EE
STATUS_WAIT_3, xrefs: 05342F7B
Your interactive logon privilege has been disabled., xrefs: 05342E22
ForceFlags, xrefs: 05342DD4
An invalid parameter was passed to a service or function., xrefs: 05342941
Please refer to your System Event Log for further information., xrefs: 05342B1C, 05342B86, 05342C68, 05342C70, 05342E0E, 0534327C, 053432FB, 0534337E, 05343386, 0534338E
The request failed due to a fatal device hardware error., xrefs: 05343118
{Device Offline}, xrefs: 05342A76
AslpPathGetFormatInfo failed [%x], xrefs: 05342A5D, 05342C33, 05342C60, 05342E06, 05342E16

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Last$ActiveLengthPopupText$CountCurrentHandleLargeMinimumModulePageThreadTick$BaseDefaultDesktopDialogErrorForegroundLangParentUnitsUserlstrlen
String ID: An invalid parameter was passed to a service or function.$AslpPathGetFormatInfo failed [%x]$ForceFlags$Please refer to your System Event Log for further information.$STATUS_WAIT_3$SdbpCheckMatchingRegistryEntry$The request failed due to a fatal device hardware error.$Your interactive logon privilege has been disabled.$windows blue${Device Offline}
API String ID: 2597146153-1639703026
Opcode ID: 241d6e46d6331fa6c39f93824b31bf132941c86c2cb215a280155b3385bd48b2
Instruction ID: d963d6abeaea66e9aa553db222ff1374ee71517b6fd140d22983e5d3996749ca
Opcode Fuzzy Hash: 241d6e46d6331fa6c39f93824b31bf132941c86c2cb215a280155b3385bd48b2
Instruction Fuzzy Hash: 2B620175A182488FCB51CF68D5952AA7FF5FB55304F90C8EEE889CB301CA709985CFA1

Function 0534C6A0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 387
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 05351138: GetCurrentThreadId.KERNEL32 ref: 0535117A

Part of subcall function 053523AC: GetForegroundWindow.USER32 ref: 05352432

Part of subcall function 05351A30: GetModuleHandleW.KERNEL32 ref: 05351AE1
Part of subcall function 05351A30: GetDesktopWindow.USER32 ref: 05351BC2

GetModuleHandleW.KERNEL32 ref: 0534C73F
GetOEMCP.KERNEL32 ref: 0534C7F2
GetCurrentThread.KERNEL32 ref: 0534C84F
GetDesktopWindow.USER32 ref: 0534C978
GetLastActivePopup.USER32 ref: 0534C994
GetLargePageMinimum.KERNEL32 ref: 0534CBBC
GetThreadUILanguage.KERNEL32 ref: 0534CCB2
GetWindowTextLengthW.USER32 ref: 0534CCDA

Strings

ntdl, xrefs: 0534C931
l.dl, xrefs: 0534C940
RtlDosPathNameToNtPathName_U_WithStatus failed for %S [%x], xrefs: 0534C738
), xrefs: 0534C705
RtlArrayGet failed to get the next node, xrefs: 0534C792, 0534CA23, 0534CB07, 0534CC59, 0534CCF5
Monitor descriptor could not be obtained., xrefs: 0534C79A, 0534C7AB, 0534C81C, 0534C903, 0534C90B, 0534CA1B, 0534CAFF, 0534CB61
Indicates two revision levels are incompatible., xrefs: 0534C6F1, 0534C6F9, 0534C864, 0534C88A, 0534C892, 0534CA49, 0534CA51, 0534CAE1, 0534CAE9, 0534CD22
G, xrefs: 0534CC28
Access to the cloud file is denied., xrefs: 0534C8A6, 0534CC61, 0534CCFD

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Thread$CurrentDesktopHandleModule$ActiveForegroundLanguageLargeLastLengthMinimumPagePopupText
String ID: )$Access to the cloud file is denied.$G$Indicates two revision levels are incompatible.$Monitor descriptor could not be obtained.$RtlArrayGet failed to get the next node$RtlDosPathNameToNtPathName_U_WithStatus failed for %S [%x]$l.dl$ntdl
API String ID: 2824035724-3218422991
Opcode ID: 2a3cef03c7aa6eb657a2916d59221409b66443d0a1d402008edee8ddcaf0f27e
Instruction ID: 24670cfc4e7861eadf491c859b2c416146056f32c9965cd1893b101e40308136
Opcode Fuzzy Hash: 2a3cef03c7aa6eb657a2916d59221409b66443d0a1d402008edee8ddcaf0f27e
Instruction Fuzzy Hash: 8702AEB59222048FC710DFA8D68A619BFF9FB64348F45886DF445CF254EBB4A804DF61

Function 0534AF48 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 330
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadUILanguage.KERNEL32 ref: 0534AF81

Part of subcall function 053509FC: GetDesktopWindow.USER32 ref: 05350A07
Part of subcall function 053509FC: GetThreadUILanguage.KERNEL32(?,0534B752), ref: 05350A48

GetDialogBaseUnits.USER32 ref: 0534AFCB
SetLastError.KERNEL32 ref: 0534B011
GetParent.USER32 ref: 0534B0DA
GetTickCount.KERNEL32 ref: 0534B0FD
GetWindowTextLengthA.USER32 ref: 0534B1EF
GetDialogBaseUnits.USER32 ref: 0534B2D0
GetDialogBaseUnits.USER32 ref: 0534B2D2
GetDialogBaseUnits.USER32 ref: 0534B2D4

Strings

failureId, xrefs: 0534B0AF, 0534B0B7, 0534B1F9
The provider context is of the wrong type., xrefs: 0534AFA3, 0534B03D, 0534B38F
, xrefs: 0534B19A
The specified plex is missing., xrefs: 0534B035, 0534B1D0, 0534B420, 0534B46F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogUnits$LanguageThreadWindow$CountDesktopErrorLastLengthParentTextTick
String ID: The provider context is of the wrong type.$The specified plex is missing.$failureId$
API String ID: 3857300698-4291309561
Opcode ID: ce3255744e0286714bdc7bb0fd75a1010873bfdfb538759cb33e1c8d70f21729
Instruction ID: 5198fa205375da11de40d48ede6dc9f475a3f7cb6d929fb3eae2b496576a90cf
Opcode Fuzzy Hash: ce3255744e0286714bdc7bb0fd75a1010873bfdfb538759cb33e1c8d70f21729
Instruction Fuzzy Hash: FBE179B0A242458FDB04DF69E49A569BFF9FB48348F94C92EE449CF210EB74A941CF41

Function 0534A8A0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 331
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 0534A90D
CreateToolhelp32Snapshot.KERNEL32 ref: 0534AB3C
GetLargePageMinimum.KERNEL32 ref: 0534ACC6
AnyPopup.USER32 ref: 0534ACD6

Strings

No receive buffer has been supplied in a synchronous request., xrefs: 0534A9A9, 0534AB71, 0534AD03, 0534AD0B
{Bad Image Checksum}, xrefs: 0534AC42
AVRF: provider %ws did not initialize correctly , xrefs: 0534A942, 0534A9C3, 0534AC8E
The session has been cancelled., xrefs: 0534A8F9, 0534A901, 0534A982
The object does not exist., xrefs: 0534A8A1, 0534A97A, 0534AA04, 0534ABDA, 0534ABE6

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateDefaultLangLargeMinimumPagePopupSnapshotToolhelp32User
String ID: AVRF: provider %ws did not initialize correctly $No receive buffer has been supplied in a synchronous request.$The object does not exist.$The session has been cancelled.${Bad Image Checksum}
API String ID: 646634548-3299865291
Opcode ID: ba09935f90348e9c1de17f2e6d2538bb293d79733ffc60889f68b9674f29c58b
Instruction ID: 68b4003227f1957ecc40bdf95a305c9924361a8b46e7e88fc72138dbcc4d2fad
Opcode Fuzzy Hash: ba09935f90348e9c1de17f2e6d2538bb293d79733ffc60889f68b9674f29c58b
Instruction Fuzzy Hash: 30E1DF75A282548FD710DF68DA4966ABFFAFB45308F84C4ADE489CB300DB38A954CF51

Function 053410E8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 140
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 053513D4: GetCurrentThreadId.KERNEL32 ref: 053513F1
Part of subcall function 053513D4: GetDesktopWindow.USER32 ref: 0535141F
Part of subcall function 053513D4: GetParent.USER32 ref: 05351483
Part of subcall function 053513D4: SetLastError.KERNEL32 ref: 053514E9

CreateToolhelp32Snapshot.KERNEL32 ref: 05341212

Strings

No leaks detected., xrefs: 05341117, 053412E6
A primary pack is already present., xrefs: 05341127, 0534112F, 053412FA
Windows.Core, xrefs: 0534111F, 0534113D, 0534125D
No buffer is bound to composition surface, xrefs: 053411AD, 053412EE, 05341326
An ACPI Power Object failed to transition state, xrefs: 05341151, 05341159, 053411B5, 05341298

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateCurrentDesktopErrorLastParentSnapshotThreadToolhelp32Window
String ID: A primary pack is already present.$An ACPI Power Object failed to transition state$No buffer is bound to composition surface$No leaks detected.$Windows.Core
API String ID: 853061127-4035815744
Opcode ID: e7dc5d8d6897087f94b70ebfee26399c644b9b41cee90b2473b2dd4ae2928805
Instruction ID: 1915ce89f8e190f59713b74b39ecd544e08349fbd3d87fbeabe17f7312b2c65f
Opcode Fuzzy Hash: e7dc5d8d6897087f94b70ebfee26399c644b9b41cee90b2473b2dd4ae2928805
Instruction Fuzzy Hash: 3F51A1B59286419FC700DF65D649A2ABFF8FB44748F44855EE488CF604EB74E880CF92

Function 005A77C0 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1245COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?), ref: 005A7936

Part of subcall function 00628A29: AcquireSRWLockExclusive.KERNEL32(0067A12C,00000000,?,?,005AFA33,0067B250,0067B1DC,?,00000003,005F50B5,?,?), ref: 00628A34
Part of subcall function 00628A29: ReleaseSRWLockExclusive.KERNEL32(0067A12C,?,005AFA33,0067B250,0067B1DC,?,00000003,005F50B5,?,?), ref: 00628A6E

Part of subcall function 006289D8: AcquireSRWLockExclusive.KERNEL32(0067A12C,?,?,005AFA49,0067B250,00000003), ref: 006289E2
Part of subcall function 006289D8: ReleaseSRWLockExclusive.KERNEL32(0067A12C,?,005AFA49,0067B250,00000003), ref: 00628A15
Part of subcall function 006289D8: WakeAllConditionVariable.KERNEL32(0067A128,?,005AFA49,0067B250,00000003), ref: 00628A20

Strings

@, xrefs: 005A7A0C
X, xrefs: 005A7A1D
msgstr, xrefs: 005A7D90
msgid, xrefs: 005A7C36

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionExistsFilePathVariableWake
String ID: @$X$msgid$msgstr
API String ID: 492889668-3581600636
Opcode ID: 8a5f148092cfd6ee68f0f57e2f6045131383bedfc7a8c7b76e07978f8851ed2d
Instruction ID: 9e588894b499e68674e152159c764df545f1dbf3650fb3d8d6c386a4d66bdf67
Opcode Fuzzy Hash: 8a5f148092cfd6ee68f0f57e2f6045131383bedfc7a8c7b76e07978f8851ed2d
Instruction Fuzzy Hash: 18C225B0D002199FDF24DFA8C995BEDBBF1BF49304F1485AAE409A7241EB745A85CF60

Function 0534B4AC Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0534B695

Strings

Failed to allocate DB structure, xrefs: 0534B544, 0534B54C, 0534B5DE, 0534B5E6, 0534B626, 0534B746
WER/ReportFault:%u: ERROR Invalid params passed, xrefs: 0534B55B
X, xrefs: 0534B704
8, xrefs: 0534B70E

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: 8$Failed to allocate DB structure$WER/ReportFault:%u: ERROR Invalid params passed$X
API String ID: 2020703349-1544440979
Opcode ID: 6a2caa9fb0920db2cc6fda0c90e491285704bdc7e0a5bf9b3a4bbf3e36449e6f
Instruction ID: cd131a28cc640d8a40793134c4aa3f4f9ed698e845a58305b234d51cfad8e4b4
Opcode Fuzzy Hash: 6a2caa9fb0920db2cc6fda0c90e491285704bdc7e0a5bf9b3a4bbf3e36449e6f
Instruction Fuzzy Hash: 4881AFB5A142048FDB50CF39D89565AFFE9FB48344F41C65DE49A8F200DA78E840CF85

Function 05343548 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0534357E
CheckRemoteDebuggerPresent.KERNELBASE ref: 053435E7

Strings

AslEnvGetProcessWowInfo failed [%x], xrefs: 05343577
pd /TilingType 1 put, xrefs: 05343549

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CheckDebuggerHandleModulePresentRemote
String ID: AslEnvGetProcessWowInfo failed [%x]$pd /TilingType 1 put
API String ID: 276317622-1007002732
Opcode ID: 630c9102c46d64d9fd08c4aea0d5a78041257ed9843bb247e9ba33afc4c0529c
Instruction ID: c545a716a1e0bf0f86e3e4071da01568761407bc13067fbd183f9c8800d24af8
Opcode Fuzzy Hash: 630c9102c46d64d9fd08c4aea0d5a78041257ed9843bb247e9ba33afc4c0529c
Instruction Fuzzy Hash: 2101AD749152489FCB08DF28DA4A56ABFFDFB84344F84C9ADE592CB291DA34D4809F01

Function 05341000 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0534C4B4: GetLastError.KERNEL32 ref: 0534C4D6
Part of subcall function 0534C4B4: GetLastActivePopup.USER32 ref: 0534C501
Part of subcall function 0534C4B4: GetLastActivePopup.USER32 ref: 0534C565

NtAlpcCreateSectionView.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0534B8C7), ref: 05341052

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActivePopup$AlpcCreateErrorSectionView
String ID:
API String ID: 3416713291-0
Opcode ID: b3b125dfe50d23d2354220b3e411a7496b4b4b197732604ec0bac79f1ce959a2
Instruction ID: c538b83e19b076d1788aa867c4d57269dcbe14d218585416618fe549ca91c2e9
Opcode Fuzzy Hash: b3b125dfe50d23d2354220b3e411a7496b4b4b197732604ec0bac79f1ce959a2
Instruction Fuzzy Hash: DCF0B7715213409FDF08CB64F90A6E5BFA8F724314F016425E811CB310EA346AA49E41

Function 005F0F00 Relevance: 88.4, APIs: 48, Strings: 2, Instructions: 854
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059BE30: GetDlgItem.USER32(?,?), ref: 0059BE44
Part of subcall function 0059BE30: GetWindowTextLengthW.USER32(00000000), ref: 0059BE4B
Part of subcall function 0059BE30: GetDlgItemTextW.USER32(?,?,00000000,00000001), ref: 0059BE8D

IsDlgButtonChecked.USER32(?,000003E9), ref: 005F0F7C
SetDlgItemTextW.USER32(?,000003EC,00000000), ref: 005F1395
GetDlgItem.USER32(?,00000001), ref: 005F13BC
EnableWindow.USER32(00000000,00000001), ref: 005F13C5
GetDlgItem.USER32(?,00000419), ref: 005F13D2
EnableWindow.USER32(00000000,00000001), ref: 005F13DB
GetDlgItem.USER32(?,00000405), ref: 005F13E8
EnableWindow.USER32(00000000,00000001), ref: 005F13F1
GetDlgItem.USER32(?,000003E8), ref: 005F1407
RedrawWindow.USER32(00000000,?,000003E8,00000000,00000000,00000401,?,00000405,?,00000419,?,00000001,?,000003EC,00000000), ref: 005F140A

Strings

${filepath}, xrefs: 005F1013, 005F10C2
${fileext}, xrefs: 005F1185

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$Window$EnableText$ButtonCheckedLengthRedraw
String ID: ${fileext}$${filepath}
API String ID: 4123494488-2440594156
Opcode ID: 44a4b5633c544b65282bbec249d8b9ddc99dbb705b58000e00f41086037440ca
Instruction ID: 1e5c205e6e9e39a1ff91c081a16739f1dc71f25020d027e3cd34307ce882da79
Opcode Fuzzy Hash: 44a4b5633c544b65282bbec249d8b9ddc99dbb705b58000e00f41086037440ca
Instruction Fuzzy Hash: AE725970D00209EFDF14DFA8DC89BADBBB5BF44300F248169E605AB291EBB55A45CF64

Function 0059B9A0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 357
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,000000EB,?), ref: 0059B9CC
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 0059B9FF
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0059BA15
SendMessageW.USER32(?,00000418,00000000,00000258), ref: 0059BA30
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0059BA3E
GetWindowLongW.USER32(?,000000EB), ref: 0059BA46
DefDlgProcW.USER32(?,00000110,?,?), ref: 0059BAB1
GetClientRect.USER32(?,?), ref: 0059BAC4
SetBkColor.GDI32(?,00000000), ref: 0059BAD3
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0059BAEB
SetWindowLongW.USER32(?,00000000,00000001), ref: 0059BAFC
SetBkColor.GDI32(?,00000000), ref: 0059BB0D
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0059BB4C
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0059BB81
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0059BBB6
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0059BBEB
SetWindowLongW.USER32(?,00000000,00000001), ref: 0059BBF8

Strings

tooltips_class32, xrefs: 0059B9F8
DwmExtendFrameIntoClientArea, xrefs: 0059BD29

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$Text$Long$ColorMessageSend$ClientCreateProcRect
String ID: DwmExtendFrameIntoClientArea$tooltips_class32
API String ID: 2355803220-4124622142
Opcode ID: d9d021ba1f8ae6f1f8c9e9a4e92f778b12152517bdc09e77343257d682ce33d4
Instruction ID: 973d92933d075c48ba4c35b67534d12181b771be27b91dcda36eba8886659bba
Opcode Fuzzy Hash: d9d021ba1f8ae6f1f8c9e9a4e92f778b12152517bdc09e77343257d682ce33d4
Instruction Fuzzy Hash: 3FC16F72644315EBEB20CF64DC45F5ABBA8FB88751F10461AFA48E7290D770E910CBA1

Function 0059F580 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 0059F593
GetWindowRect.USER32(?,?), ref: 0059F59E
OffsetRect.USER32(?,?,?), ref: 0059F5B0
GetSystemMetrics.USER32(00000002), ref: 0059F5BE
GetSystemMetrics.USER32(00000003), ref: 0059F5C5
CreateWindowExW.USER32 ref: 0059F601
CreateRectRgn.GDI32(00000000,00000000,00000001,00000001), ref: 0059F617
CreateRectRgnIndirect.GDI32(00000000), ref: 0059F624
SetRectRgn.GDI32(00000000,00000000,00000000,?,00000001), ref: 0059F641
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 0059F64C
SetWindowRgn.USER32(?,00000000,00000000), ref: 0059F65F
ShowWindow.USER32(?,?), ref: 0059F682

Strings

ScrollBar, xrefs: 0059F5E2

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Create$MetricsSystem$ClientCombineIndirectOffsetShow
String ID: ScrollBar
API String ID: 3369083536-3978720103
Opcode ID: cd0f3204fc4108c7967e6ffaea4c85a10d9bd9db33b39a08c73d2ce0cab54fef
Instruction ID: 3634c3bd29846d8fdac3c241f16246462a447646b1df00a71a2f312c7e5498c5
Opcode Fuzzy Hash: cd0f3204fc4108c7967e6ffaea4c85a10d9bd9db33b39a08c73d2ce0cab54fef
Instruction Fuzzy Hash: 76318F71240311EFEB509F20DC8AF663BADFB49702F101469FE05DA1D1D7B5A841CB64

Function 0059B630 Relevance: 18.1, APIs: 12, Instructions: 100
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamW.USER32(?,?,00000000,Function_0003B9A0), ref: 0059B652
ShowWindow.USER32(00000000,00000005,?,00000000,?,?,?,?,?,?,?), ref: 0059B65E
BringWindowToTop.USER32(?), ref: 0059B667
SetForegroundWindow.USER32(?), ref: 0059B670
LoadAcceleratorsW.USER32(?,?), ref: 0059B6A1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0059B6D1
TranslateAcceleratorW.USER32(?,?,?), ref: 0059B6FA
IsDialogMessageW.USER32(?,?), ref: 0059B70C
TranslateMessage.USER32(?), ref: 0059B71B
DispatchMessageW.USER32(?), ref: 0059B722
PostQuitMessage.USER32(?), ref: 0059B738
DestroyWindow.USER32(?), ref: 0059B741

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Message$Window$DialogTranslate$AcceleratorAcceleratorsBringCreateDestroyDispatchForegroundLoadParamPostQuitShow
String ID:
API String ID: 3538134301-0
Opcode ID: 18aae9a383e66804f46cdfa4df2319a85fc8f2013136e1444070102e32f0924a
Instruction ID: c34011b5070aea1c270b94d5cc4a82e993332a2b1698cf4dc3e942a7f3ba46eb
Opcode Fuzzy Hash: 18aae9a383e66804f46cdfa4df2319a85fc8f2013136e1444070102e32f0924a
Instruction Fuzzy Hash: C9310371504301AFEB20DFA9ED48B6BBBE9FB88705F04491DF19AC2161E770E845CB22

Function 0534C100 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNEL32(?,?,?,?,?,00000B86,?,?,?,05341042,00000000), ref: 0534C194
GetUserDefaultLangID.KERNEL32 ref: 0534C235

Part of subcall function 0534D27C: GetDesktopWindow.USER32 ref: 0534D2D7
Part of subcall function 0534D27C: GetLastActivePopup.USER32 ref: 0534D337
Part of subcall function 0534D27C: GetSystemDefaultLangID.KERNEL32 ref: 0534D3A9
Part of subcall function 0534D27C: AnyPopup.USER32 ref: 0534D3BE
Part of subcall function 0534D27C: GetUserDefaultLangID.KERNEL32 ref: 0534D44A

Part of subcall function 05350F00: GetDesktopWindow.USER32 ref: 05350FA2
Part of subcall function 05350F00: GetDesktopWindow.USER32 ref: 05350FD9
Part of subcall function 05350F00: GetTopWindow.USER32 ref: 05351021

Part of subcall function 0534E4E0: GetCurrentThread.KERNEL32 ref: 0534E57C
Part of subcall function 0534E4E0: GetShellWindow.USER32 ref: 0534E638
Part of subcall function 0534E4E0: GetUserDefaultLangID.KERNEL32 ref: 0534E648

GetUserDefaultLangID.KERNEL32 ref: 0534C3B3
GetParent.USER32 ref: 0534C422

Strings

Secure Boot policy has unexpectedly changed., xrefs: 0534C14C, 0534C20B, 0534C27E, 0534C2BC
The volume repair could not be performed while it is online., xrefs: 0534C1E4, 0534C240, 0534C39F, 0534C463
An invalid address was found on the control flow stack., xrefs: 0534C203, 0534C2F5, 0534C32B
WER/CrashAPI:%u: ERROR Exception in WerpCurrentPeb, xrefs: 0534C154, 0534C333
AslpFileLargeGetChecksumAttributes, xrefs: 0534C3A7, 0534C45B

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLang$Window$User$Desktop$PopupSystem$ActiveCurrentLastParentShellThread
String ID: An invalid address was found on the control flow stack.$AslpFileLargeGetChecksumAttributes$Secure Boot policy has unexpectedly changed.$The volume repair could not be performed while it is online.$WER/CrashAPI:%u: ERROR Exception in WerpCurrentPeb
API String ID: 3278762495-1392373765
Opcode ID: 7535dc13c8cf8efbadef0ea0f31d46449e14dee653ea861f7ec0f28a7303056f
Instruction ID: 0ae487537fac2b90e6156899c31b144604a782483799e6d310e2fee8fe8280e9
Opcode Fuzzy Hash: 7535dc13c8cf8efbadef0ea0f31d46449e14dee653ea861f7ec0f28a7303056f
Instruction Fuzzy Hash: DE91D3B5A202048BCB11EFB5E44A61A7FE9FB44308F90DA2DF845CF254DB74A912CF91

Function 05350810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 101
windowtimethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNEL32(?,?,?,0534B79D), ref: 05350862
GetMessageTime.USER32 ref: 05350883
GetCurrentThread.KERNEL32 ref: 05350898
GetLastError.KERNEL32(?,?,?,0534B79D), ref: 053508F4
GetForegroundWindow.USER32(?,?,?,0534B79D), ref: 05350982

Strings

The specified port already has a completion list., xrefs: 053508C4
NumberOfWaitingExclusive = %lx, xrefs: 05350811
TPM 2.0: Insufficient space for NV allocation., xrefs: 0535082B, 05350904
Built-in HEIC Codec, xrefs: 053508A4, 05350936

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDefaultErrorForegroundLangLastMessageSystemThreadTimeWindow
String ID: NumberOfWaitingExclusive = %lx$Built-in HEIC Codec$TPM 2.0: Insufficient space for NV allocation.$The specified port already has a completion list.
API String ID: 3541390845-3688297793
Opcode ID: 455289e79df9059e069b8f7ac9ddece0150f16983a203849ae90312a535fa71f
Instruction ID: ab3eefff6a0a08e9c06f7c39299fa00c3b7942a0e88cf8f20849af38c357637a
Opcode Fuzzy Hash: 455289e79df9059e069b8f7ac9ddece0150f16983a203849ae90312a535fa71f
Instruction Fuzzy Hash: EE41E9749242018FD7188F38E5DB9253FADF768368F94E46EF846CF249EAB28440C760

Function 05350D70 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOEMCP.KERNEL32 ref: 05350D82
GetWindowTextLengthA.USER32 ref: 05350DD8
GetLastActivePopup.USER32 ref: 05350E2C
GetForegroundWindow.USER32 ref: 05350E77
GetSystemDefaultLangID.KERNEL32 ref: 05350ED4

Strings

The system does not support fault tolerant volumes., xrefs: 05350DDE
The system is now ready for hibernation., xrefs: 05350D7A
FeatureUsage, xrefs: 05350E82
Microsoft America Operations1&0$, xrefs: 05350E32

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ActiveDefaultForegroundLangLastLengthPopupSystemText
String ID: FeatureUsage$Microsoft America Operations1&0$$The system does not support fault tolerant volumes.$The system is now ready for hibernation.
API String ID: 1400623325-3058726051
Opcode ID: 330b1596efebc7fee86d0a94a933b1a2b313b2efa046c8cdb0c4a0c2490cdfdd
Instruction ID: 5baedcf9ae70d83a0dcda803d6a8270ade504b699b3cbd9abb30c23d43bb46e1
Opcode Fuzzy Hash: 330b1596efebc7fee86d0a94a933b1a2b313b2efa046c8cdb0c4a0c2490cdfdd
Instruction Fuzzy Hash: 0941D279D247018FD3148F68E8866A57FE9F74A318FA4C06EE995CF301EB798444CB81

Function 0534BBAC Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0534BBBF
GetOEMCP.KERNEL32 ref: 0534BC50

Strings

An attempt was made to access an exiting process., xrefs: 0534BC80
An attempt was made to decommit uncommitted virtual memory., xrefs: 0534BC05
AslpFileMakeStringVersionAttributes, xrefs: 0534BC0D
Microsoft, xrefs: 0534BBCB, 0534BC6F, 0534BC78
/TableEntry, xrefs: 0534BC15, 0534BC88, 0534BCD2
!Process, xrefs: 0534BC1D
gsave translate , xrefs: 0534BC90

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: !Process$/TableEntry$An attempt was made to access an exiting process.$An attempt was made to decommit uncommitted virtual memory.$AslpFileMakeStringVersionAttributes$Microsoft$gsave translate
API String ID: 1452528299-771149502
Opcode ID: 200b2262b567b4a2831175552981fde0c91cbf6475fc0b5a00e5ecd44a145287
Instruction ID: 2e53820c713e564463a5ee9f2cfcaaa03df2bda65606571dbec15e0bc02978d6
Opcode Fuzzy Hash: 200b2262b567b4a2831175552981fde0c91cbf6475fc0b5a00e5ecd44a145287
Instruction Fuzzy Hash: 5E418FB49252048FCB009F38D5AA26ABFF9FB45318F84D89DE08ACF254EB759445CF81

Function 05345E9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 137memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0534BB94), ref: 05345ED3
GetOEMCP.KERNEL32 ref: 05345F22
GetWindowTextLengthA.USER32 ref: 05345FC6

Part of subcall function 053513D4: GetCurrentThreadId.KERNEL32 ref: 053513F1
Part of subcall function 053513D4: GetDesktopWindow.USER32 ref: 0535141F
Part of subcall function 053513D4: GetParent.USER32 ref: 05351483
Part of subcall function 053513D4: SetLastError.KERNEL32 ref: 053514E9

GetCurrentThreadId.KERNEL32 ref: 0534606C
VirtualFree.KERNELBASE ref: 0534609D

Strings

A account group cannot have a universal group as a member., xrefs: 05345FE1
The string UUID is invalid., xrefs: 05345FE9, 05345FF1, 05345FF9
CheckAllProcessMachinePolicyEnabled, xrefs: 05345F28, 05346017

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThreadVirtualWindow$AllocDesktopErrorFreeLastLengthParentText
String ID: A account group cannot have a universal group as a member.$CheckAllProcessMachinePolicyEnabled$The string UUID is invalid.
API String ID: 732584986-1906444222
Opcode ID: c89e65072f715c1eb1e6053c98a0355a9f51851d1c9188d6c39cc9d67fecad05
Instruction ID: b62d1ac27975b53e1436d1bae862c2cb85660e29d3b54ad3478a9a2ff909e040
Opcode Fuzzy Hash: c89e65072f715c1eb1e6053c98a0355a9f51851d1c9188d6c39cc9d67fecad05
Instruction Fuzzy Hash: EF51AC719242428FD714CF28D48B62ABFE9FB48358F40C96EE54DCF256EB7198448F92

Function 0534F860 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,0000000B,?,0534A731), ref: 0534F87E
GetCurrentThreadId.KERNEL32 ref: 0534F8B9
AnyPopup.USER32 ref: 0534F95B
GetCurrentThread.KERNEL32 ref: 0534F991
GetLastError.KERNEL32(?,0000000B,?,0534A731), ref: 0534F997

Strings

An error occurred while NDIS tried to map the file., xrefs: 0534F8BF, 0534F933
The specified task name is invalid., xrefs: 0534F961
Too many files are opened on a remote server., xrefs: 0534F884

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorForegroundLastPopupWindow
String ID: An error occurred while NDIS tried to map the file.$The specified task name is invalid.$Too many files are opened on a remote server.
API String ID: 1115741200-1773836707
Opcode ID: 4fdb796c45affc359d1ed5ab37557b01109d080a7c158e3afb6aa58ff68ad7b7
Instruction ID: 732e4277f344c3036ceabc9de0d5ea787ff9fa7580bf698fdd21ade1552ede86
Opcode Fuzzy Hash: 4fdb796c45affc359d1ed5ab37557b01109d080a7c158e3afb6aa58ff68ad7b7
Instruction Fuzzy Hash: D531BC749352858FC708CF39E5A61287FAEF745308F98C19EE2468E35AEBB19401CF84

Function 053472A4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 053472BB
GetLargePageMinimum.KERNEL32 ref: 05347337

Strings

WER/CrashAPI:%u: ERROR Final gather block size exceeds limit, xrefs: 0534741F
AslpFileQuery16BitDescription, xrefs: 053472D0
FrontEndHeap, xrefs: 05347431
fDa4P9+d9sUhAxNtkA8rSqPR/YC9ci1IF5ZhBUb9pBFS5pnX7GJyuTRrRXK0JOsL1rP1a8enzEZmpPpqbTgOpLkt9tEO3RiAY0YJOXeYBzNTw9DT43DwYHu6jXJ1z8dWxhEJv0Ij6iO0ebdg87m6OhtROnYgAnJjsuzRnHkSVsa4c89NSnduqn/JL9vDotf5uTdc2ENjZ8tmytdJwTe6CU7GZZhhyOTFCfqCJYhcH9ccLUTJPKT1QLwoA9GEBlQTP5jt, xrefs: 05347499
RtlUnicodeStringCbCatStringN failed [%x], xrefs: 05347439

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DesktopLargeMinimumPageWindow
String ID: AslpFileQuery16BitDescription$FrontEndHeap$RtlUnicodeStringCbCatStringN failed [%x]$WER/CrashAPI:%u: ERROR Final gather block size exceeds limit$fDa4P9+d9sUhAxNtkA8rSqPR/YC9ci1IF5ZhBUb9pBFS5pnX7GJyuTRrRXK0JOsL1rP1a8enzEZmpPpqbTgOpLkt9tEO3RiAY0YJOXeYBzNTw9DT43DwYHu6jXJ1z8dWxhEJv0Ij6iO0ebdg87m6OhtROnYgAnJjsuzRnHkSVsa4c89NSnduqn/JL9vDotf5uTdc2ENjZ8tmytdJwTe6CU7GZZhhyOTFCfqCJYhcH9ccLUTJPKT1QLwoA9GEBlQTP5jt
API String ID: 2359144380-4176750766
Opcode ID: cb04212fef1dd815f72509ce2c86c1984d4a962faaa5b48306cc6f7596ffd2e7
Instruction ID: 93088d4f2afbf674098598baaeec11f335d5fa69c81fd47b8037efb32cd9c66c
Opcode Fuzzy Hash: cb04212fef1dd815f72509ce2c86c1984d4a962faaa5b48306cc6f7596ffd2e7
Instruction Fuzzy Hash: 76514875A083888ECB18CF79D8852E97FE5EB94305F54C9BDD8998B341CA388489CFD1

Function 05353454 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,05346374,?,?,?,?,?,?,?,?,?,?,?), ref: 0535345E
GetUserDefaultLangID.KERNEL32(?,?,?,?,05346374,?,?,?,?,?,?,?,?,?,?,?), ref: 05353464
GetDesktopWindow.USER32 ref: 05353491
GetTopWindow.USER32 ref: 05353527
AnyPopup.USER32 ref: 05353559

Strings

AslpFileGetHeaderAttributesPE failed [%x], xrefs: 05353497
The specified storage reserve ID is invalid., xrefs: 0535346A

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DefaultDesktopForegroundLangPopupUser
String ID: AslpFileGetHeaderAttributesPE failed [%x]$The specified storage reserve ID is invalid.
API String ID: 2508019835-289983430
Opcode ID: 0d6943af8094291840c75f1eb7c07402f09c1e011fa92a23d1d171393dfd4613
Instruction ID: cd791c986c637188898d4099cb2fbac1aebb33518126e9524a7ae91eb06eb88e
Opcode Fuzzy Hash: 0d6943af8094291840c75f1eb7c07402f09c1e011fa92a23d1d171393dfd4613
Instruction Fuzzy Hash: 8D21F6B49141404FDB11DF34C899A7A7BE9F7083A4F54AC6DE957CB281EB748894CB01

Function 005AD450 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000002,00000000), ref: 005AD4B2
GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000,?,?,?,00000000), ref: 005AD541
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,00000000,?,?,?,00000000), ref: 005AD555
VerQueryValueW.VERSION(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 005AD5DC

Strings

\StringFileInfo\%04x%04x\ProductVersion, xrefs: 005AD56A
\VarFileInfo\Translation, xrefs: 005AD54F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: \StringFileInfo\%04x%04x\ProductVersion$\VarFileInfo\Translation
API String ID: 2099394744-1825429935
Opcode ID: 469d88d1df8c0752d70f9e5c9daa23c432d30d01e78e35faadf80f0f3ee14d75
Instruction ID: 6d1c00e8736ab6222b05785a7a3495e7b4fe80d54c19f70853004ab7598ad753
Opcode Fuzzy Hash: 469d88d1df8c0752d70f9e5c9daa23c432d30d01e78e35faadf80f0f3ee14d75
Instruction Fuzzy Hash: F8616BB1D00209AFDB14DFA8D985BAEBBF5FF48304F10452EE41AE3640E775A945CBA0

Function 05341065 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102processCOMMON

Download Yara Rule

APIs

Part of subcall function 05341000: NtAlpcCreateSectionView.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0534B8C7), ref: 05341052

Part of subcall function 053513D4: GetCurrentThreadId.KERNEL32 ref: 053513F1
Part of subcall function 053513D4: GetDesktopWindow.USER32 ref: 0535141F
Part of subcall function 053513D4: GetParent.USER32 ref: 05351483
Part of subcall function 053513D4: SetLastError.KERNEL32 ref: 053514E9

CreateToolhelp32Snapshot.KERNEL32 ref: 05341212

Part of subcall function 0534EB18: GetMessageTime.USER32 ref: 0534EB42
Part of subcall function 0534EB18: GetForegroundWindow.USER32 ref: 0534EB57
Part of subcall function 0534EB18: lstrlenW.KERNEL32 ref: 0534EC17

Strings

No leaks detected., xrefs: 05341117
A primary pack is already present., xrefs: 05341127, 0534112F
Windows.Core, xrefs: 0534111F, 0534113D
No buffer is bound to composition surface, xrefs: 053411AD
An ACPI Power Object failed to transition state, xrefs: 05341151, 05341159, 053411B5

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateWindow$AlpcCurrentDesktopErrorForegroundLastMessageParentSectionSnapshotThreadTimeToolhelp32Viewlstrlen
String ID: A primary pack is already present.$An ACPI Power Object failed to transition state$No buffer is bound to composition surface$No leaks detected.$Windows.Core
API String ID: 1494823140-4035815744
Opcode ID: fe939649a84b304087af0277e0fa89d2c90b16f88a376f01c2756ee62ddec1f4
Instruction ID: e6e2ae3cff7d627facf39cecd6b2158ef6cf1b4816428230cde43fefd8f25650
Opcode Fuzzy Hash: fe939649a84b304087af0277e0fa89d2c90b16f88a376f01c2756ee62ddec1f4
Instruction Fuzzy Hash: 0E313B716246405AC720AB70ED09B3ABFE8FB402D9F548419F148DA108DB74B884CFA2

Function 0534C4B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0534C4D6
GetLastActivePopup.USER32 ref: 0534C501
GetLastActivePopup.USER32 ref: 0534C565

Strings

;, xrefs: 0534C4C8
H, xrefs: 0534C52B
;, xrefs: 0534C4C1

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActivePopup$Error
String ID: ;$;$H
API String ID: 1952306238-2656199830
Opcode ID: 41b9b62692f0b2bb62abcd366f47666ee2ba92a7489dfbc7c1926ea6ffee8d6f
Instruction ID: 107016fc405da65e79e3b279bd212f4f1cdf470e250175cb80b1151e4f92d481
Opcode Fuzzy Hash: 41b9b62692f0b2bb62abcd366f47666ee2ba92a7489dfbc7c1926ea6ffee8d6f
Instruction Fuzzy Hash: 8F319CB4A212199FCB00DFA9E48569EBFF9FB88318F41C66DE955DB240DB749801CF84

Function 0059FA50 Relevance: 10.5, APIs: 7, Instructions: 48COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0059FA5D
SetWindowPos.USER32(?,00000001,?,?,00000000,00000000,00000211,?,?,?,?,?,0059F786), ref: 0059FA89
IsZoomed.USER32 ref: 0059FA91
EnableWindow.USER32(?,00000000), ref: 0059FAA1
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,0059F786), ref: 0059FAAC
EnableWindow.USER32(?,00000001), ref: 0059FABA
ShowWindow.USER32(?,?,?,?,?,?,?,?,0059F786), ref: 0059FACF

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$EnableShow$ClientRectZoomed
String ID:
API String ID: 989374080-0
Opcode ID: 82a2a5a8616aaa03487c9c20df8c67d283f4e9ae4ac6ffbdef8d545c8da244b3
Instruction ID: b6fc8cf4c103dc6c6fd6131a9e1865576c65923b4c662937b7707a2af6eb5b82
Opcode Fuzzy Hash: 82a2a5a8616aaa03487c9c20df8c67d283f4e9ae4ac6ffbdef8d545c8da244b3
Instruction Fuzzy Hash: 0B016931140700EFEB20AF38CD49FAABBE6FF44702F805918F986925A0D775E8108B20

Function 006235F0 Relevance: 9.1, APIs: 6, Instructions: 62threadCOMMON

Download Yara Rule

APIs

#410.COMCTL32(?,00624530,000004D2,0067B0B0,?,00000000,?), ref: 0062362E
#412.COMCTL32(?,00624530,000004D2,?,00000000,?), ref: 00623641
EnumChildWindows.USER32(?,006236C0), ref: 0062364E
GetCurrentThreadId.KERNEL32 ref: 0062365A
EnumThreadWindows.USER32(00000000), ref: 00623661
RedrawWindow.USER32(?,00000000,00000000,00000587,?,?,?,00000000,?), ref: 00623671

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: EnumThreadWindows$#410#412ChildCurrentRedrawWindow
String ID:
API String ID: 1422472111-0
Opcode ID: 89038f0053fc4c8486412915f82e28fd42b2a75aa4571bafcc92afeb0ebffc81
Instruction ID: 18751b9f31abfe441e1f2fda1662fa75259e48b90b5b7dec63d94e38146b8819
Opcode Fuzzy Hash: 89038f0053fc4c8486412915f82e28fd42b2a75aa4571bafcc92afeb0ebffc81
Instruction Fuzzy Hash: 5A118231245730BBD710EF61AC09F9B7BAEAF95B01F004408F581A6391C7689605CE7A

Function 0059BDA0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0059BDAB
KiUserCallbackDispatcher.NTDLL(00000000,?), ref: 0059BDCB

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: ebd2be3fc3a64c3ec9c362b0bea4d924e4f0ff9b6743fc7203a06d19adae6ebb
Instruction ID: 7ebbee7514fcb1cb62b5531fa8920245bf37723f8775a0b184b56237171291f0
Opcode Fuzzy Hash: ebd2be3fc3a64c3ec9c362b0bea4d924e4f0ff9b6743fc7203a06d19adae6ebb
Instruction Fuzzy Hash: 52F0BB32244721ABEB629B35FC09BDE7F56FF91722F019815F89099194C7108CA7D760

Function 053523AC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 05352432
GetLastActivePopup.USER32 ref: 05352562
GetDialogBaseUnits.USER32 ref: 05352581

Strings

The system does not support fault tolerant volumes., xrefs: 053524A4

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseDialogForegroundLastPopupUnitsWindow
String ID: The system does not support fault tolerant volumes.
API String ID: 3505280388-4025416350
Opcode ID: 3126b21c305a7fc67dc67b9864147a240dd06836c604163ab42dcb05c1b26e64
Instruction ID: c81584ab56169aa7aaa737994916246ae74ae957337245262e07b11785c08533
Opcode Fuzzy Hash: 3126b21c305a7fc67dc67b9864147a240dd06836c604163ab42dcb05c1b26e64
Instruction Fuzzy Hash: CE511779E241918BD31ACF68E4926A67FAAF745318F69C06EFC45CF344DA3484458B80

Function 05346E98 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 05346ED9

Strings

Failed to allocate process history buffer, xrefs: 05346EC6
CLiP license hardware ID is out of tolerance., xrefs: 05346FCF
dBG5xOZ9SrUbniavLIPRLiUBop3jpwxLm0b09L8W9yJBZxL8klaODa2zWo78Xyd+XEVXQlKy2nWCFNHyHMODh69lI+2/2WnD5oSli6kx/aEi5sa9lspGSc2d/CdOozkWnCDHvMkFBW77dNXssfJuPEb0LKdNRvkqfUTL2d41uwxNQKxjtUVVDJ3UiwGgHYLgq4+ecro3l0xEhxTFrdahDQeTsAmQp72aEEx8qYKCdU854Kvtg5eAKjOxBrH5fFulettx, xrefs: 05347021

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastPopup
String ID: CLiP license hardware ID is out of tolerance.$Failed to allocate process history buffer$dBG5xOZ9SrUbniavLIPRLiUBop3jpwxLm0b09L8W9yJBZxL8klaODa2zWo78Xyd+XEVXQlKy2nWCFNHyHMODh69lI+2/2WnD5oSli6kx/aEi5sa9lspGSc2d/CdOozkWnCDHvMkFBW77dNXssfJuPEb0LKdNRvkqfUTL2d41uwxNQKxjtUVVDJ3UiwGgHYLgq4+ecro3l0xEhxTFrdahDQeTsAmQp72aEEx8qYKCdU854Kvtg5eAKjOxBrH5fFulettx
API String ID: 3737024409-446137809
Opcode ID: c56bb7f0ce6c64431c4b86712df960f6f78e367a3c8477efe01d442ba527b3be
Instruction ID: 4a19a9e80f8db2a0408dc1d731bb9bb3fb2e54719ebaa47dcdbeaf2c74267b4a
Opcode Fuzzy Hash: c56bb7f0ce6c64431c4b86712df960f6f78e367a3c8477efe01d442ba527b3be
Instruction Fuzzy Hash: 20418F3150819C8ADF158E79A8863EABFF6AB52300F84C0FDD5CD97242C57949888FA1

Function 0534EB18 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91stringwindowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0534EB42
GetForegroundWindow.USER32 ref: 0534EB57
lstrlenW.KERNEL32 ref: 0534EC17

Strings

CLR version string null or too long, xrefs: 0534EC10

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundMessageTimeWindowlstrlen
String ID: CLR version string null or too long
API String ID: 2918359910-2602880372
Opcode ID: b2696c36b4bfa4fe5bd2a177f6665e9ea3251fde760c6edb81c085ef9ab6267e
Instruction ID: 06b869717c60d9a42f47fda123a15ff1decded8a33a40780847f175351d08f51
Opcode Fuzzy Hash: b2696c36b4bfa4fe5bd2a177f6665e9ea3251fde760c6edb81c085ef9ab6267e
Instruction Fuzzy Hash: F031AE759242428FDB14CF28E8966257FEDF749384F44C12EE066CF640DB30A408DF56

Function 053497A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 05349852

Strings

An error occurred during an access to Region Space, xrefs: 053497A1
Failed to construct full key path, xrefs: 05349800, 05349836
The RPC protocol sequence was not found., xrefs: 053497BE, 0534986C

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ShellWindow
String ID: An error occurred during an access to Region Space$Failed to construct full key path$The RPC protocol sequence was not found.
API String ID: 2831631499-4078023678
Opcode ID: 45b103be1d44f18994cb1d7692e73bf915826dccfb17a689f4533f0ddafc33b0
Instruction ID: f5dbb0f4f6351259f636b606adc999d1262081d76f8989d398dba68abbea2fdb
Opcode Fuzzy Hash: 45b103be1d44f18994cb1d7692e73bf915826dccfb17a689f4533f0ddafc33b0
Instruction Fuzzy Hash: 83319E759283058FC700DF78E95A2267FF9E784308F80C5ADE9948F309DB3998018F95

Function 053530B4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00001DA0,?,053498B5), ref: 053530BC
GetSystemDefaultLangID.KERNEL32(?,00001DA0,?,053498B5), ref: 053530ED
GetThreadUILanguage.KERNEL32(?,00001DA0,?,053498B5), ref: 05353115

Strings

An attempt was made to open an Anonymous level token., xrefs: 053530C2

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultForegroundLangLanguageSystemThreadWindow
String ID: An attempt was made to open an Anonymous level token.
API String ID: 3065435761-254260388
Opcode ID: 0273efb74b6e1d0a2909d6b79701f247eb9f8ea0b102f29dd690ccfee80955bc
Instruction ID: 09e121d9155e7bcbcc416e7c452bd6c7f799f572534a903a35e97e9ec0398ccb
Opcode Fuzzy Hash: 0273efb74b6e1d0a2909d6b79701f247eb9f8ea0b102f29dd690ccfee80955bc
Instruction Fuzzy Hash: B3F0F0656182008BDB145F64D88AA2B7BA8F744394F60C83EF807CF280DAA588849291

Function 005AF0E0 Relevance: 6.1, APIs: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 005AF117
RegOpenKeyExW.KERNELBASE(005AD9A0,00662530,00000000,005AD990,00000000,00000000,00000000,?,0065313D,000000FF,?), ref: 005AF1BB
RegCloseKey.ADVAPI32(00000000), ref: 005AF20E
GetTickCount64.KERNEL32 ref: 005AF223

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Count64Tick$CloseOpen
String ID:
API String ID: 4020578057-0
Opcode ID: be5dae2f05208f0c87d552ce52396dd0f4f859c5c154aef2d745cf485740c7f2
Instruction ID: db0d7c9a88a78925d77d627d5c12b68d7fa723c3cdf79a680e225c03852aa6e2
Opcode Fuzzy Hash: be5dae2f05208f0c87d552ce52396dd0f4f859c5c154aef2d745cf485740c7f2
Instruction Fuzzy Hash: CD419C75A00B45DFDB24CFA8C884BAEBBF6FB45315F04092EE59293A90D771A844CB60

Function 005A8A90 Relevance: 6.0, APIs: 4, Instructions: 32threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005A8D80: GetWindowTextLengthW.USER32(?), ref: 005A8DA5
Part of subcall function 005A8D80: GetWindowTextW.USER32(?,00000000,00000001), ref: 005A8E0A

EnumChildWindows.USER32(?,Function_00048D80), ref: 005A8AAB
GetCurrentThreadId.KERNEL32 ref: 005A8AB7
EnumThreadWindows.USER32(00000000), ref: 005A8ABE
GetSystemMenu.USER32(?,00000000,?,?,?), ref: 005A8AC7

Part of subcall function 005A8AF0: GetMenuItemCount.USER32(?), ref: 005A8B1A
Part of subcall function 005A8AF0: GetMenuItemInfoW.USER32(?,00000000,00000400,?), ref: 005A8B9B
Part of subcall function 005A8AF0: GetMenuItemInfoW.USER32(?,00000000,00000400,00000030), ref: 005A8C0D

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Menu$Item$EnumInfoTextThreadWindowWindows$ChildCountCurrentLengthSystem
String ID:
API String ID: 886740550-0
Opcode ID: aa0ea1512620b476732a97653e9aa58e6d7f9342d46ff554ed2b8e99682e6e48
Instruction ID: e7feec6aafb31ad0b4762c744eb49f91804472084eab352cb231f60f9adc9071
Opcode Fuzzy Hash: aa0ea1512620b476732a97653e9aa58e6d7f9342d46ff554ed2b8e99682e6e48
Instruction Fuzzy Hash: 4CE06532640251B78710A7A95C0DEBF3FAEABD7722F08411AF501D21D0DEA05D0183BA

Function 00623000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00625490: SystemParametersInfoW.USER32(00000042,0000000C,0000000C,00000000), ref: 006254CE
Part of subcall function 00625490: GetSysColor.USER32(00000008), ref: 006254EE
Part of subcall function 00625490: GetSysColor.USER32(00000005), ref: 00625507

GetTickCount64.KERNEL32 ref: 0062304C

Strings

global, xrefs: 00623029
darkmode, xrefs: 00623024

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Color$Count64InfoParametersSystemTick
String ID: darkmode$global
API String ID: 3447872873-3442901483
Opcode ID: 18dc7d36c8edea430675de29f521951fd5b11a3edd059df457ce3f60f52cae56
Instruction ID: c4af6175fbe77e95770f0908b2151f7756aa3b1ff8bf174aeb9b9c8a3b3f7c32
Opcode Fuzzy Hash: 18dc7d36c8edea430675de29f521951fd5b11a3edd059df457ce3f60f52cae56
Instruction Fuzzy Hash: 10310520300E32AADB289734B84A7E8B797BF40314F188249D45582390DF6DA991CBB6

Function 053518F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,0534B77C), ref: 05351958
GetShellWindow.USER32 ref: 053519D4

Strings

Network interface aborted the request., xrefs: 053518F5, 0535195E, 05351974, 053519DF

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ForegroundShell
String ID: Network interface aborted the request.
API String ID: 3950612657-3432463622
Opcode ID: 75fa38dea8c530525524d60a6b2ede720d8577e288bc7d5e1a32c399a1aa6c12
Instruction ID: 8c13353bae25ffec62d0f64de9d0b7a40e0abf37cda990489cc1a7757f15f0a8
Opcode Fuzzy Hash: 75fa38dea8c530525524d60a6b2ede720d8577e288bc7d5e1a32c399a1aa6c12
Instruction Fuzzy Hash: BF310279A342454FD304CF39D546A627FEAF345358B84D5AFEA82CF204EA748041CBC4

Function 005BE810 Relevance: 4.5, APIs: 3, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,0067BC98,00000000,00000000,00000000), ref: 005BE848
RegCloseKey.ADVAPI32(00000000), ref: 005BE881
GetTickCount64.KERNEL32 ref: 005BE88E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseCount64OpenTick
String ID:
API String ID: 2982736543-0
Opcode ID: 5da7a86f551cbcd76cc46d149aff7a6903a4cb087c90b3ccd447cb1c208b8aa1
Instruction ID: 268c1c19a861159c0f3710aa54dbc6b5fdc128036c5a46b6674dde1dd6edbf25
Opcode Fuzzy Hash: 5da7a86f551cbcd76cc46d149aff7a6903a4cb087c90b3ccd447cb1c208b8aa1
Instruction Fuzzy Hash: 1311D274404B51EFD724CF28C985B57BBF1FB44715F40881EE88A82AA0E372F848CB61

Function 0063C7FF Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0063C7F9,00000101,Rb,?,?,713211A9,0062EA52,?), ref: 0063C810
TerminateProcess.KERNEL32(00000000,?,0063C7F9,00000101,Rb,?,?,713211A9,0062EA52,?), ref: 0063C817
ExitProcess.KERNEL32 ref: 0063C829

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b1c89446ee84177988f01d6f100df253d72811ab7ba763604bb09d095321b74c
Instruction ID: da4f84cbf181d9c3b7bbcbc2ae75bba9740c1b8e7d45cab17ede2402012a3331
Opcode Fuzzy Hash: b1c89446ee84177988f01d6f100df253d72811ab7ba763604bb09d095321b74c
Instruction Fuzzy Hash: BAD09E31010209FFCF556F65EC0DD593F2BAF44356F445028B90555172DB319A52DBE5

Function 0534B8BC Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 053465D8: GetTopWindow.USER32 ref: 053466A6
Part of subcall function 053465D8: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,0534B8C7), ref: 053466BC

GetUserDefaultLangID.KERNEL32(?,?,?,0534BD26), ref: 0534BA2A

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUserWindow
String ID:
API String ID: 2546096385-0
Opcode ID: 8938f14b779c6a9318c468024b32a1a89c9d19eafe8c4da45603419424a584c1
Instruction ID: 1ea55cd4cee0f9060b413a9aa48be7c7486515c4cb80401d874116d56cb3a253
Opcode Fuzzy Hash: 8938f14b779c6a9318c468024b32a1a89c9d19eafe8c4da45603419424a584c1
Instruction Fuzzy Hash: 5A71E7B4A18701CFCB05EF69D589919FBF5FF48310B5698A9E844DB315EB30E8848F62

Function 0059A730 Relevance: 1.6, APIs: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00659710,00000000,00000001,00659750,?), ref: 0059A782

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e8ba21405aa0667bab2e41bfe38766b375eccc7c9b153c6e066078ce0d4d19fa
Instruction ID: 91d126e082e5bac87af1520b334e189f933b1c1fe8b8d2d898ca55d0071cebc7
Opcode Fuzzy Hash: e8ba21405aa0667bab2e41bfe38766b375eccc7c9b153c6e066078ce0d4d19fa
Instruction Fuzzy Hash: 43416970600705AFDB24CFA9C885BAABBB9FF49B15F10416DE501DB690C7B2E804CBA1

Function 00642656 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,006418B4,00000001,00000364,?,00000006,000000FF,?,?,006301C7,006426F6), ref: 00642697

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1965efa2f80841669adc109aefef888058e655a02c1b701490a8abc7fb3383c7
Instruction ID: 990cbb8bcdc099c5d483145649a7811c7eb31138fda92fd431c80ad9b5ff15d6
Opcode Fuzzy Hash: 1965efa2f80841669adc109aefef888058e655a02c1b701490a8abc7fb3383c7
Instruction Fuzzy Hash: 24F0E93160123767DB31AB65DC15B9A7B4BAF42760F779125FC04E6290CE60DD0086E4

Function 053507B0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000,?,0534745D), ref: 053507BB

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 12a51ba5efb95afa1265efcc848a6e4cbd5b239a22d4bc7babbf402eaa86a85d
Instruction ID: 3dba20340e496697d67e45080ab7c21029e11cefcc6d4cc66a2599d9b799db5f
Opcode Fuzzy Hash: 12a51ba5efb95afa1265efcc848a6e4cbd5b239a22d4bc7babbf402eaa86a85d
Instruction Fuzzy Hash: 45F0B46E5060068B9B245E7DC84C897F74AE7017723849113EC65CFB08F96248C3CB59

Function 006426B3 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00628961,?,?,00599DB0,00000024,?,?,0065359F,000000FF), ref: 006426E5

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94fe49ec5a61e7ec0b3fab8dc61779391bc20b6e71fb023f4fd6def276d56de9
Instruction ID: fa8b5e517d17bbff31a62face88e324898f14044e0cf32e430b254fac3bb69f2
Opcode Fuzzy Hash: 94fe49ec5a61e7ec0b3fab8dc61779391bc20b6e71fb023f4fd6def276d56de9
Instruction Fuzzy Hash: 48E0ED3120122B6BEF3126659C20B9B3A4B9F413E0FB30160FC48E62D0CE60CC8099E8

Function 053498F4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 0534991C

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: 7eee95ff842472bcdfcc3ebc6d4cc9cb6434afc754c32fa04a2aa553f4c33131
Instruction ID: 3cc66a3e3d279b8caaac7589d3c0c9985b08ac71799608de265c346d3f57d692
Opcode Fuzzy Hash: 7eee95ff842472bcdfcc3ebc6d4cc9cb6434afc754c32fa04a2aa553f4c33131
Instruction Fuzzy Hash: 3BF03A64A242018ED715BBBC994F12D3FE9FB56208F40CA69E056CA250DF38A0068FA2

Function 0534B88C Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 0534B8B0

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4e619b321c7eefc8b2be657072bff738abacd097d0dd9695a28674257ee806bb
Instruction ID: 88221e55c455e41c4f6994e0d5e8741eda90718dd3264390c864e68edd87cbb6
Opcode Fuzzy Hash: 4e619b321c7eefc8b2be657072bff738abacd097d0dd9695a28674257ee806bb
Instruction Fuzzy Hash: 0FE0E6745047059FC708EF19C18581AFBF5BFC4240F51C599DC444B315D630D8959BD1

Function 0534B85C Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,0534BF0B), ref: 0534B882

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 313513595948e2a599a16bb8f832654b1b13fa39767bf828bf66e8370fee390a
Instruction ID: aff41fc2d7f95dcb02a02ad107821fd3d4d1c2ab8e7fd82fcf1cb57951cb3882
Opcode Fuzzy Hash: 313513595948e2a599a16bb8f832654b1b13fa39767bf828bf66e8370fee390a
Instruction Fuzzy Hash: 0FE0B6785143019FC304EF18D18590AFBF5BB84214F51C558DC844B355D670E8898BC1

Non-executed Functions

Function 005EE3E0 Relevance: 88.6, APIs: 22, Strings: 27, Instructions: 2836filetimesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9860: QueryPerformanceCounter.KERNEL32(?,00000000,?,00000000,?,?,005EE845,00000000), ref: 005D98A1

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005EE8FF

Part of subcall function 005F5070: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000), ref: 005F5148

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,.bak,00000004), ref: 005EFA46
GetLastError.KERNEL32 ref: 005EFA79
CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000), ref: 005EFAE8
GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EFB08
GetFileAttributesW.KERNEL32(?), ref: 005EFB2A
SetFileAttributesW.KERNEL32(?,00000000), ref: 005EFB4B
SetFileAttributesW.KERNEL32(?,00000000), ref: 005EFB78
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,00000000,00000000), ref: 005EFBAF
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EFBCE
CloseHandle.KERNEL32(00000000,00000000), ref: 005EFBDB
Sleep.KERNEL32(00000032), ref: 005EFBEA

Strings

${filepath}, xrefs: 005EE43F, 005EF330
X*f, xrefs: 005EE5C9
.grepwinreplaced, xrefs: 005F085F
,nf, xrefs: 005EE58D
Dnf, xrefs: 005EE641
4nf, xrefs: 005EE5F1
nullbytes, xrefs: 005EE860
Hnf, xrefs: 005EE655
@nf, xrefs: 005EE62D
${fileext}, xrefs: 005F0705
${filename}, xrefs: 005F06B1
${fileext}, xrefs: 005EE51D, 005EF600
${filename}, xrefs: 005EE4BE, 005EF4F5
0nf, xrefs: 005EE5A1
.bak, xrefs: 005EF7F7, 005F0482
8nf, xrefs: 005EE605
P#f, xrefs: 005EE57D
kf, xrefs: 005EE70D
${filepath}, xrefs: 005F0605
settings, xrefs: 005EE865
j, xrefs: 005F0900
\grepWinNP3_backup\, xrefs: 005EF83B, 005F04AD
@, xrefs: 005F08A8
file load and parse: , xrefs: 005EE81B
p1f, xrefs: 005EE5DD
Software\grepWinNP3\nullbytes, xrefs: 005EE873
<nf, xrefs: 005EE619

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: File$Attributes$CreateTime$ByteCharCloseCopyCounterErrorHandleLastMultiPerformanceQuerySleepUnothrow_t@std@@@Wide__ehfuncinfo$??2@
String ID: ${fileext}$${fileext}$${filename}$${filename}$${filepath}$${filepath}$,nf$.bak$.grepwinreplaced$0nf$4nf$8nf$<nf$@$@nf$Dnf$Hnf$P#f$Software\grepWinNP3\nullbytes$X*f$\grepWinNP3_backup\$file load and parse: $j$nullbytes$p1f$settings$kf
API String ID: 3915558587-3558875250
Opcode ID: 13b5068ea5b39b4733192299fbbedc3be2b3df129f65a2d06e25e5b0241a5cbd
Instruction ID: 69390026893bd18b13a062baf3f290590254995da571e97301ff8ca2f10cec57
Opcode Fuzzy Hash: 13b5068ea5b39b4733192299fbbedc3be2b3df129f65a2d06e25e5b0241a5cbd
Instruction Fuzzy Hash: 71438970900259DFDF28DF64C889BEEBBB5BF44304F1441A9E449A7292DB34AE85CF91

Function 005B9960 Relevance: 61.0, APIs: 32, Strings: 2, Instructions: 1463COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 005B9994
CommandLineToArgvW.SHELL32(?,?,00000000,-00000002), ref: 005B9A07
PathFileExistsW.SHLWAPI(?,00000000,?), ref: 005B9B4B
PathFileExistsW.SHLWAPI(?), ref: 005B9CA1
PathFileExistsW.SHLWAPI(?,00000000,?), ref: 005B9D61
PathIsURLW.SHLWAPI(?,?), ref: 005B9EF3
PathIsRelativeW.SHLWAPI(?), ref: 005B9F0E
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 005B9F2F
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 005B9F8B
PathCanonicalizeW.SHLWAPI(?,?), ref: 005BA03A
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA053
GetLongPathNameW.KERNEL32(?,?,00000001), ref: 005BA0A8
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA0B8
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA11D
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 005BA173
GetShortPathNameW.KERNEL32(00000000,00000000,00000000), ref: 005BA1FE
GetShortPathNameW.KERNEL32(00000000,?,?), ref: 005BA254
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 005BA26D
PathIsURLW.SHLWAPI(?,?), ref: 005BA4D4
PathIsRelativeW.SHLWAPI(?), ref: 005BA4EF
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 005BA510
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 005BA56F
PathCanonicalizeW.SHLWAPI(?,?), ref: 005BA5F7
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA610
GetLongPathNameW.KERNEL32(?,?,00000001), ref: 005BA668
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA678
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 005BA6E0
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 005BA739
GetShortPathNameW.KERNEL32(00000000,00000000,00000000), ref: 005BA7C4
GetShortPathNameW.KERNEL32(00000000,?,?), ref: 005BA81D
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 005BA836
LocalFree.KERNEL32(?), ref: 005BAA1F

Strings

T*f, xrefs: 005B9E3F
", xrefs: 005BAB2A, 005BABAC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Path$Name$Long$Short$Full$ExistsFile$CanonicalizeCommandLineRelative$ArgvFreeLocal
String ID: "$T*f
API String ID: 2970764310-2600113902
Opcode ID: bc871a878fda8de0830c12e51066d1550800ae7ab6c88341102edeeb1b8b96a5
Instruction ID: e2b0a924fd4acfbe332e7b113bb69a26b16ff6e17ddfb34540f0a91f095cd06a
Opcode Fuzzy Hash: bc871a878fda8de0830c12e51066d1550800ae7ab6c88341102edeeb1b8b96a5
Instruction Fuzzy Hash: 38D218B0D012199FDF24DFA8D885BEEBBF5BF08300F1445A9E509A7291E7706A85CF61

Function 005EC1C0 Relevance: 50.7, APIs: 21, Strings: 7, Instructions: 1671windowCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,SearchThread,0000000C), ref: 005EC22B

Part of subcall function 00627690: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,005EC26D), ref: 0062769A

GetTickCount64.KERNEL32 ref: 005EC330

Part of subcall function 005F5070: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000), ref: 005F5148

Part of subcall function 00627705: WakeConditionVariable.KERNEL32(005DC02E,?,005DC032,0067B1A0), ref: 0062770F

SendMessageW.USER32(?,00008002,00000000,00000000), ref: 005EC8D6
PathIsDirectoryW.SHLWAPI(?), ref: 005ECAF3

Strings

global, xrefs: 005EC288
\x00, xrefs: 005EC96A
MaxNumOfWorker, xrefs: 005EC283
Software\grepWinNP3\MaxNumOfWorker, xrefs: 005EC29E
SearchThread, xrefs: 005EC1F3
\/ , xrefs: 005EC63C
, xrefs: 005ED571

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharConditionCount64CounterDirectoryInfoMessageMultiNativePathPerformanceQuerySendSystemTickVariableWakeWide
String ID: $MaxNumOfWorker$SearchThread$Software\grepWinNP3\MaxNumOfWorker$\/ $\x00$global
API String ID: 3804574865-1410697583
Opcode ID: 523bc27f4a68acd8286b3e9871dd50835cf1c2ecc06f26650812b0c9728e6529
Instruction ID: 01e40e2036995d5614ef98355183e356c8ce5d4365d55bbfe8bd65dfcf197595
Opcode Fuzzy Hash: 523bc27f4a68acd8286b3e9871dd50835cf1c2ecc06f26650812b0c9728e6529
Instruction Fuzzy Hash: 18F25970D002999FDF28CFA9C984BEDBFB1BF05304F144599E499A7291D731AA86CF60

Function 005A7170 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 276windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,00000000,00000000,?,?,00000001), ref: 005A71BF
CloseWindow.USER32(?), ref: 005A71E0
DestroyWindow.USER32(?), ref: 005A71E9
SendMessageW.USER32(?,0000044B,00000000,?), ref: 005A726C
LoadCursorW.USER32(00000000,00007F89), ref: 005A72A9
SetCursor.USER32(00000000), ref: 005A72B0
ShellExecuteW.SHELL32(00000020,open,?,00000000,00000000,0000000A), ref: 005A72D3
EndDialog.USER32(?,?), ref: 005A736D
GetClientRect.USER32(?,?), ref: 005A739E
CreateWindowExW.USER32(00000000,RICHEDIT50W,00661ABC,50A0880C,00000000,00000000,?,?,?,00000000,?,00000000), ref: 005A73D1
FindResourceW.KERNEL32(?,?,?), ref: 005A73EE
LoadResource.KERNEL32(?,00000000), ref: 005A73FE
LockResource.KERNEL32(00000000), ref: 005A7409
SizeofResource.KERNEL32(?,00000000), ref: 005A7415
SendMessageW.USER32(?,00000461,?,00000000), ref: 005A7440
SetFocus.USER32(?), ref: 005A7445
SendMessageW.USER32(?,000000B1,000000FF,00000000), ref: 005A7457
SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 005A7465
SendMessageW.USER32(?,00000445,00000000,04000004), ref: 005A7476

Strings

open, xrefs: 005A72CB
RICHEDIT50W, xrefs: 005A73CA

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$ResourceWindow$CursorLoad$ClientCloseCreateDestroyDialogExecuteFindFocusLockMoveRectShellSizeof
String ID: RICHEDIT50W$open
API String ID: 4190574625-2205014345
Opcode ID: 15c0c23ce0f32a1185c297715177f5e057777eb6ada18798786cfc604b0999be
Instruction ID: 01b872b6fa943d4e6d0f6bf6974fbfc8b559f2d05e2f8e40ad8921c32d1fb5f5
Opcode Fuzzy Hash: 15c0c23ce0f32a1185c297715177f5e057777eb6ada18798786cfc604b0999be
Instruction Fuzzy Hash: A6A19E71A00209EFDB24DFA8DC49BAEBFB5FF09701F104629F905E6690D774A850CBA0

Function 005E6780 Relevance: 36.4, APIs: 24, Instructions: 363windowkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F6), ref: 005E67BE
GetKeyState.USER32(00000011), ref: 005E67D1
GetKeyState.USER32(00000010), ref: 005E67E0
GetKeyState.USER32(00000012), ref: 005E67EF
GetFocus.USER32 ref: 005E681C
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 005E6834
SendMessageW.USER32(00000000,0000100C,00000000,00000002), ref: 005E6876
GetFocus.USER32 ref: 005E6898
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005E68D5
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E68E1
SendMessageW.USER32(?,0000102B,00000000,?), ref: 005E6909
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005E6924
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005E6934
GetFocus.USER32 ref: 005E6958
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005E69B1
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 005E69C0
SendMessageW.USER32(?,0000120B,00000000,-00000068), ref: 005E6A17
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 005E6A54
SendMessageW.USER32(?,00001073,00000000,-00000074), ref: 005E6A8E
SetFocus.USER32(00000000), ref: 005E6B5E
IsDlgButtonChecked.USER32(?,00000423), ref: 005E6BB0
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 005E6BC3
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 005E6C23

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$Focus$State$ButtonCheckedItem
String ID:
API String ID: 2917284611-0
Opcode ID: fb0f680e27694f56884bea284d0bcc746a1436af61186aaa753a8009d35e7c7b
Instruction ID: 4e3fa9692a8f99e913e2398f483002d3a0b259e80ee9654bd7cc43e280ee2326
Opcode Fuzzy Hash: fb0f680e27694f56884bea284d0bcc746a1436af61186aaa753a8009d35e7c7b
Instruction Fuzzy Hash: ADD1D071E40358ABDB25DB64DC89BADBFB4FB25790F200269F994AB2C1C7B05D41CB60

Function 005B15F0 Relevance: 31.0, APIs: 15, Strings: 2, Instructions: 1248filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?), ref: 005B16D5
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000000,00000000,?,?,?,?,?,?,?,?,?), ref: 005B16EC
GetFileSizeEx.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005B184A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005B1855
GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005B18B9
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 005B1920
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005B1AFD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005B1B86
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 005B1C82
CloseHandle.KERNEL32(?), ref: 005B1C91

Strings

\\?\, xrefs: 005B169E
\\?\UNC, xrefs: 005B1695, 005B16A3

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Read$CreateGlobalMemorySizeSleepStatus
String ID: \\?\$\\?\UNC
API String ID: 638801665-2523517826
Opcode ID: 1a4735203e1a6bb9bcf689ab09c0069b2b6eea3b9139e0ba125430029e420601
Instruction ID: 07de0c049ac5d3e9a9cd83b7ac1da3b5f926d00eee38dbffc23c2557e64320e9
Opcode Fuzzy Hash: 1a4735203e1a6bb9bcf689ab09c0069b2b6eea3b9139e0ba125430029e420601
Instruction Fuzzy Hash: 7DA21171A00A499FDF64CF28C895BEA7FA6FF45300F544229F8158B391D731E942CBA9

Function 0534684C Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 348threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0534E3DC: GetLargePageMinimum.KERNEL32 ref: 0534E3EB
Part of subcall function 0534E3DC: GetParent.USER32 ref: 0534E44A
Part of subcall function 0534E3DC: GetParent.USER32 ref: 0534E4A1

GetParent.USER32 ref: 053468A1
SetLastError.KERNEL32(0000000B), ref: 05346AFF
GetParent.USER32 ref: 05346BF5
GetThreadUILanguage.KERNEL32 ref: 05346DC9
GetWindowTextLengthW.USER32(0000000B), ref: 05346E65

Part of subcall function 0534B88C: RtlFreeHeap.NTDLL ref: 0534B8B0

Strings

Floating-point stack check., xrefs: 05346863, 05346B06, 05346D4D
\, xrefs: 05346A03
WER/CrashAPI:%u: ERROR Unable to create the m_hAliveEvent event, xrefs: 05346972, 05346C59, 05346C7A
The Global system lock could not be acquired, xrefs: 0534695D, 05346965, 05346B0E, 05346C61, 05346D55
The requested name already exists as a unique identifier., xrefs: 0534686B, 05346C69
Getting the shim engine exports failed with status 0x%08lx, xrefs: 0534688E
`, xrefs: 05346BA4
Y, xrefs: 05346B9A

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Parent$ErrorFreeHeapLanguageLargeLastLengthMinimumPageTextThreadWindow
String ID: Floating-point stack check.$Getting the shim engine exports failed with status 0x%08lx$The Global system lock could not be acquired$The requested name already exists as a unique identifier.$WER/CrashAPI:%u: ERROR Unable to create the m_hAliveEvent event$Y$\$`
API String ID: 1213828948-3937182347
Opcode ID: 9def536b5878a45d0f539e86789bbceb581aff45cc2a27301bd34408b5b0b40b
Instruction ID: b53b6a70f93431b66f3df4de9c29ffc1af714f78b8f91030f45b0033462137fe
Opcode Fuzzy Hash: 9def536b5878a45d0f539e86789bbceb581aff45cc2a27301bd34408b5b0b40b
Instruction Fuzzy Hash: 70F1E0B591425A8FDB10CF68D9862AABFF5FB65308F44C0ADD898DB341DAB499818F40

Function 005A2C20 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 347encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 005A2C69
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 005A2C8A
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 005A2C9D
CryptDestroyHash.ADVAPI32(?), ref: 005A2CAA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 005A2CB5
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 005A2D05
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 005A2D71
CryptDestroyHash.ADVAPI32(?), ref: 005A2D7E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 005A2D89
CryptDestroyHash.ADVAPI32(?), ref: 005A2E64
CryptReleaseContext.ADVAPI32(?,00000000), ref: 005A2E6F

Strings

H"f, xrefs: 005A2FAC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyRelease$Param$AcquireCreateData
String ID: H"f
API String ID: 2102843587-2192279335
Opcode ID: a4a8e4d897ef6210a1053009add65ffd32eb867e1f4dadb5ae62dbe580853e92
Instruction ID: 6735eb74d4f6aa300109bd690ce2bb61f688c2481693fc81cebf31333ee8916d
Opcode Fuzzy Hash: a4a8e4d897ef6210a1053009add65ffd32eb867e1f4dadb5ae62dbe580853e92
Instruction Fuzzy Hash: 01C19A71A00209AFDB14CF28CD46BAEBBB5FF49304F148269E919AB290D774A914CF90

Function 006042D0 Relevance: 17.0, Strings: 12, Instructions: 1988COMMON

Download Yara Rule

Strings

Alternation operators are not allowed inside a DEFINE block., xrefs: 0060611A
OMMIT, xrefs: 006064E2
Invalid alternation operators within (?...) block., xrefs: 00605729
RUNE, xrefs: 006065B2
A repetition operator cannot be applied to a zero-width assertion., xrefs: 00605F39
CCEPT, xrefs: 00606422
Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content., xrefs: 00604329, 0060440A, 00604463, 006044D0, 006045EA, 00604657, 006046B0, 0060471F, 0060487D
Invalid or empty zero width assertion., xrefs: 00605E3B
KIP, xrefs: 00606682
AIL, xrefs: 00606363
More than one alternation operator | was encountered inside a conditional expression., xrefs: 00606045
Unterminated \Q...\E sequence., xrefs: 006049D4

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: A repetition operator cannot be applied to a zero-width assertion.$AIL$Alternation operators are not allowed inside a DEFINE block.$CCEPT$Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content.$Invalid alternation operators within (?...) block.$Invalid or empty zero width assertion.$KIP$More than one alternation operator | was encountered inside a conditional expression.$OMMIT$RUNE$Unterminated \Q...\E sequence.
API String ID: 0-3570781604
Opcode ID: afd0f88232ed207e2104dd8bed9b521861f4fb2a4bf9762aaea9253e5a000e6f
Instruction ID: aff41268c1cb5724ec3a98d4dbd321b9d9b005f02151206b627b5201b1fe5f42
Opcode Fuzzy Hash: afd0f88232ed207e2104dd8bed9b521861f4fb2a4bf9762aaea9253e5a000e6f
Instruction Fuzzy Hash: D003C0B1A042559FDB18CF68C584BAEBFF2EF49300F1480ADE9499B382DB75D945CB50

Function 005CC1D0 Relevance: 16.1, Strings: 11, Instructions: 2362COMMON

Download Yara Rule

Strings

Alternation operators are not allowed inside a DEFINE block., xrefs: 005CE612
OMMIT, xrefs: 005CEAE6
Invalid alternation operators within (?...) block., xrefs: 005CDA67
RUNE, xrefs: 005CEC01
A repetition operator cannot be applied to a zero-width assertion., xrefs: 005CE4E7
CCEPT, xrefs: 005CE9DB
Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content., xrefs: 005CC229, 005CC348, 005CC3A3, 005CC442, 005CC58D, 005CC5FA, 005CC656, 005CC6FB, 005CC934
Invalid or empty zero width assertion., xrefs: 005CE429
AIL, xrefs: 005CE8D0
More than one alternation operator | was encountered inside a conditional expression., xrefs: 005CE58A
Unterminated \Q...\E sequence., xrefs: 005CCAEF

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: A repetition operator cannot be applied to a zero-width assertion.$AIL$Alternation operators are not allowed inside a DEFINE block.$CCEPT$Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content.$Invalid alternation operators within (?...) block.$Invalid or empty zero width assertion.$More than one alternation operator | was encountered inside a conditional expression.$OMMIT$RUNE$Unterminated \Q...\E sequence.
API String ID: 0-1123991675
Opcode ID: aebe542c5282b0ef16bac6d06b873507a443cca3e02ffc496db4df074b8afb63
Instruction ID: 2be9fdab858c8883df87f4b730dccd74a7eacd98b511f42f6824e4b3b8e9a9f4
Opcode Fuzzy Hash: aebe542c5282b0ef16bac6d06b873507a443cca3e02ffc496db4df074b8afb63
Instruction Fuzzy Hash: 2E235C719002489FCB14CFA8C585BAEBFF5BF45310F18859EE85AAB292D734ED45CB90

Function 053462A8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 176threadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 053462B1
GetLargePageMinimum.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0534B8E0), ref: 05346327
GetCurrentThread.KERNEL32 ref: 0534637E
GetSystemDefaultLangID.KERNEL32 ref: 053465A0

Strings

4, xrefs: 05346463
MaxLoaderThreads, xrefs: 053464D4
[, xrefs: 05346452
OverlayPackages, xrefs: 05346488, 05346490, 05346498, 053464E0, 05346510, 0534657A, 05346582, 0534658A
The binding handle is invalid., xrefs: 053463FF, 05346480, 053464FB, 05346503, 05346572

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountCurrentDefaultLangLargeMinimumPageSystemThreadTick
String ID: 4$MaxLoaderThreads$OverlayPackages$The binding handle is invalid.$[
API String ID: 774141065-961749580
Opcode ID: 3d4967f0884e8317e1f2f04e4f0159afdea1c03e7650549ac570f4dc5a2cbb92
Instruction ID: 644bd31cbbb42a3dfc52b0af140b4f3691d5a09ae31c5a5d08a223712e0da9fe
Opcode Fuzzy Hash: 3d4967f0884e8317e1f2f04e4f0159afdea1c03e7650549ac570f4dc5a2cbb92
Instruction Fuzzy Hash: F07190B5A242588FC700DF66D84A25ABFE9FB84358F44CB9EE189CF244EB749444DF81

Function 005B0B80 Relevance: 13.6, APIs: 9, Instructions: 78clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,?,00000000,00000000,00000000,00000002,006668B8), ref: 005B0BAF
OpenClipboard.USER32(?), ref: 005B0BB6
EmptyClipboard.USER32 ref: 005B0BC0
GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,00000000,00000000,00000002,006668B8), ref: 005B0BE9
GlobalLock.KERNEL32(00000000), ref: 005B0BF6
GlobalUnlock.KERNEL32(00000000), ref: 005B0C10
SetClipboardData.USER32(0000000D,00000000), ref: 005B0C19
CloseClipboard.USER32 ref: 005B0C23

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenSleepUnlock
String ID:
API String ID: 3026512333-0
Opcode ID: afc9bfba2d6b970f5398b6ead9917782a7f3396662e940a429534665c055038a
Instruction ID: a5249c1b54a189495ffbc567e436d8a40c752b79656d5d09c5170ae6fde734ce
Opcode Fuzzy Hash: afc9bfba2d6b970f5398b6ead9917782a7f3396662e940a429534665c055038a
Instruction Fuzzy Hash: 38112B326003119BDB109F54EC897AFBBA9FF80752F002928EC0693280EB25ED09C6B1

Function 053481BC Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146stringwindowtimeCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0534825D
GetLastActivePopup.USER32 ref: 053482F8
lstrlenW.KERNEL32 ref: 0534836C
GetMessageTime.USER32 ref: 05348394

Strings

9XuFEqoKDcJEqWQIVJcVB7bgCnscClUO3Ek6DnrBRdd5/nGRvqwCDRNzntQHTrtpqzCAcpFuxTx5rVXUr4R9tb9QNcPxKZnkwCnojpukucKL3dOmPJ4LHIY3iDpV+k6X48+2mXXj978Ae9aPeYPM7YZYpUZDYXa82aZ7+NtxE09vfkntPmCV454Ed4jSnQK1nlLvNC266cXpGrPKXJq7//NWtY1i/YorAywptqoZx9jypXcovY3wr0/wpM3TS+iXsDKZ, xrefs: 05348435
Specified VidPN present path importance ordinal is invalid., xrefs: 05348365
Critical section debug info address, xrefs: 05348239

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastMessagePopupShellTimeWindowlstrlen
String ID: 9XuFEqoKDcJEqWQIVJcVB7bgCnscClUO3Ek6DnrBRdd5/nGRvqwCDRNzntQHTrtpqzCAcpFuxTx5rVXUr4R9tb9QNcPxKZnkwCnojpukucKL3dOmPJ4LHIY3iDpV+k6X48+2mXXj978Ae9aPeYPM7YZYpUZDYXa82aZ7+NtxE09vfkntPmCV454Ed4jSnQK1nlLvNC266cXpGrPKXJq7//NWtY1i/YorAywptqoZx9jypXcovY3wr0/wpM3TS+iXsDKZ$Critical section debug info address$Specified VidPN present path importance ordinal is invalid.
API String ID: 2678776764-98429151
Opcode ID: 446e20c5be73647820455a7ddd3ce64dcc0f801ad987a6e8dc96342ba9f43f54
Instruction ID: 881b210ce954caed04d685a012b0978381b1099d660d5f2ae37215916dfcec27
Opcode Fuzzy Hash: 446e20c5be73647820455a7ddd3ce64dcc0f801ad987a6e8dc96342ba9f43f54
Instruction Fuzzy Hash: 595102709242448FC710DFB9A8862DA7FE9FB45304F94C5BEE988CB241DB785586CFA1

Function 0063AA60 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Strings

d, xrefs: 0063AA7E, 0063AC16, 0063ADE1, 0063AE36
d, xrefs: 0063AEC1, 0063ACB0

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: d$d
API String ID: 0-1303137945
Opcode ID: 1efba251552fdea66bd40b4acbb61fcd993080fe13ac09347de62c1cb3ee0d26
Instruction ID: cda3161bf0e48cc4617b515f9ff0a3c463a90b1a9beb0b49e27703572c58e401
Opcode Fuzzy Hash: 1efba251552fdea66bd40b4acbb61fcd993080fe13ac09347de62c1cb3ee0d26
Instruction Fuzzy Hash: FB023A71E012199BDF14CFA9D8806EEFBF2FF48314F248269E959A7380D731A941DB91

Function 0059EBD0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 321fileCOMMON

Download Yara Rule

APIs

PathIsDirectoryW.SHLWAPI(?), ref: 0059EE0A
FindFirstFileExW.KERNEL32(00000007,00000001,?,00000000,00000000,00000002,00000001,?,?,?,?,?), ref: 0059EE9C
FindFirstFileW.KERNEL32(?,?), ref: 0059EEBF
GetLastError.KERNEL32 ref: 0059EED4
FindClose.KERNEL32(?,?,?,00000007), ref: 0059EF61

Strings

*.*, xrefs: 0059EC1B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Find$FileFirst$CloseDirectoryErrorLastPath
String ID: *.*
API String ID: 1803994648-438819550
Opcode ID: e0b2a0bbef023ffcdc46d9eab0e1c5c5e5a80d6abe0f1de6a2d6a121d7f92a87
Instruction ID: 9c225ed92c060814bf578a98196789f50b240e2c26f03f0bd53a36ce8745aecc
Opcode Fuzzy Hash: e0b2a0bbef023ffcdc46d9eab0e1c5c5e5a80d6abe0f1de6a2d6a121d7f92a87
Instruction Fuzzy Hash: 22C16D71A00214DFCF14DFA8D886BAEBBF5FF48310F204969E455EB291D731AA44CB60

Function 0064C5F7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

GetUserDefaultLCID.KERNEL32 ref: 0064C6FF
IsValidCodePage.KERNEL32(00000000), ref: 0064C73D
IsValidLocale.KERNEL32(?,00000001), ref: 0064C750
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0064C798
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0064C7B3

Strings

,e, xrefs: 0064C65C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: ,e
API String ID: 415426439-4005468281
Opcode ID: ae3289982028a8cab7e0b96de5dc9d513230bdf42ced429067f4e252ddbe17c8
Instruction ID: 03756b78a259e423a30da26843334c53c0df27e013ac1d8174f826f3ae25d94a
Opcode Fuzzy Hash: ae3289982028a8cab7e0b96de5dc9d513230bdf42ced429067f4e252ddbe17c8
Instruction Fuzzy Hash: 5E51B071A01605ABDFA0DFA4CC85AFE77BABF08710F154469E900E7390EB71DA44CB65

Function 0064CECF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0064D0E6

Strings

1#SNAN, xrefs: 0064CFDB
1#INF, xrefs: 0064D005
1#QNAN, xrefs: 0064CFE2
1#IND, xrefs: 0064CFD4

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c8d87eb67ee6b94a7f4bfa6692625191b1c4c224cd126c1cb704dd79d9570aeb
Instruction ID: cbe7a71da6e1a7dd0aafeab3b9953862eff31fbec87217bb7ecd3c964a296397
Opcode Fuzzy Hash: c8d87eb67ee6b94a7f4bfa6692625191b1c4c224cd126c1cb704dd79d9570aeb
Instruction Fuzzy Hash: 33D24771E082288FDB65CE28DC447EAB7B6FB45305F1441EAD80DE7240EB79AE858F41

Function 05347D18 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 05347E04
GetParent.USER32 ref: 05347E96

Strings

Failed to get TAG_REG_VALUE_DATA_DWORD, xrefs: 05347D3E
Microsoft Time-Stamp PCA 20100, xrefs: 05347D59, 05347DEF, 05347ED2
/Gkn+M89bw5nJnjp4ayKmM1pCcZ0hwa1jU19grR+zqs0bMUJoO3oNRGpK+m00iCWBJ4Hqb4Ga1g8blg4X8dAZ2Kdx7G9ZK3SxVNAM9b2hXDZK5Ztt+flpTng7uy28mrmlNJ+ZeoQ9eUdF7XA6anHxiC5JuuV5FiGOfTolTRgueS5uUKjlMsclrvuJUaswdKguWHUCgN0CsNo1RoDtSfskr+hhW1KSQmgL9Y676t+MO0yFF6yLr9/t8U2h9Xg355LDVQs, xrefs: 05347F6F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ParentShellWindow
String ID: /Gkn+M89bw5nJnjp4ayKmM1pCcZ0hwa1jU19grR+zqs0bMUJoO3oNRGpK+m00iCWBJ4Hqb4Ga1g8blg4X8dAZ2Kdx7G9ZK3SxVNAM9b2hXDZK5Ztt+flpTng7uy28mrmlNJ+ZeoQ9eUdF7XA6anHxiC5JuuV5FiGOfTolTRgueS5uUKjlMsclrvuJUaswdKguWHUCgN0CsNo1RoDtSfskr+hhW1KSQmgL9Y676t+MO0yFF6yLr9/t8U2h9Xg355LDVQs$Failed to get TAG_REG_VALUE_DATA_DWORD$Microsoft Time-Stamp PCA 20100
API String ID: 2724987481-3605572846
Opcode ID: 710f1cd15720f8dfc30c8be709831c6103ca81947cb21407de340006a5c68f74
Instruction ID: 5818d782c1d7ddca79bbdcec92df4f18995e31a7e20d876c812d3e8467716ae8
Opcode Fuzzy Hash: 710f1cd15720f8dfc30c8be709831c6103ca81947cb21407de340006a5c68f74
Instruction Fuzzy Hash: D851F0719183888ECB25CF78D855BEA7FF4EB6A304F8484EDD4889B301CA749A45CF81

Function 05347888 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0534798C
GetDesktopWindow.USER32 ref: 0534799C

Strings

A required privilege is not held by the client., xrefs: 053478DD, 053479FA
An RPC protocol error occurred., xrefs: 053478CB
B6JBNJ6PRKKc2kvMjaLrLt3YZ32hT0WHOmQDBLvfQ8ma7v9L41vMKkBZMCJ2BiBBQGe68/Xky/+eddG9orwn5M0tVsxo1Ro1LpjpIN1KXMHnZ7bavYUXClyTzhwI5p4VcEukuoFe0hBKdKuohRhuGm/F/IlH4ZmeMc/8T4gBw2VoHAIpv7H1E82p6Tv4P97xC9eNtj23KcEkr1A54g5A1CFT0nD/HHbhN+XoBnOOxYCQOc7zKw18QAFv384h6T9UjIyN, xrefs: 05347AB0

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DesktopForeground
String ID: A required privilege is not held by the client.$An RPC protocol error occurred.$B6JBNJ6PRKKc2kvMjaLrLt3YZ32hT0WHOmQDBLvfQ8ma7v9L41vMKkBZMCJ2BiBBQGe68/Xky/+eddG9orwn5M0tVsxo1Ro1LpjpIN1KXMHnZ7bavYUXClyTzhwI5p4VcEukuoFe0hBKdKuohRhuGm/F/IlH4ZmeMc/8T4gBw2VoHAIpv7H1E82p6Tv4P97xC9eNtj23KcEkr1A54g5A1CFT0nD/HHbhN+XoBnOOxYCQOc7zKw18QAFv384h6T9UjIyN
API String ID: 3460230961-3038535665
Opcode ID: 3c8890d4c2c277eab8991251ab988081d710ee219862e4a98edabcca6e9ded27
Instruction ID: 0831d2f4f7f6910dac786a475f117d7b85440f3a2c654e2152cedec02d7c9898
Opcode Fuzzy Hash: 3c8890d4c2c277eab8991251ab988081d710ee219862e4a98edabcca6e9ded27
Instruction Fuzzy Hash: CB515871A142988FDB15CF2AE8823EA7FE5EB45304F54C6BDE49C8B301CA385586CF90

Function 0064C41B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0064C4B4
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0064C4DD
GetACP.KERNEL32 ref: 0064C4F2

Strings

ACP, xrefs: 0064C439
OCP, xrefs: 0064C46F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a3a64eff3c0c1470c8ac2681891b34a416f2d2973066e63d2af01649e9180159
Instruction ID: aa60d10aad9ea5db42336c1fc31f4f3202ef65e213d0170ca9a6cbf406927e3f
Opcode Fuzzy Hash: a3a64eff3c0c1470c8ac2681891b34a416f2d2973066e63d2af01649e9180159
Instruction Fuzzy Hash: C8218C22702211AADBB49F24CB24AF772E7AB54B70B168424E90ADB314E732DE41C360

Function 00649310 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 006493AB
FindNextFileW.KERNEL32(00000000,?), ref: 00649426
FindClose.KERNEL32(00000000), ref: 00649448
FindClose.KERNEL32(00000000), ref: 0064946B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: d447213bdc87f86a4bb1de3c5015c2bc962c547a6bc37d6aa99d1dce5b7a981f
Instruction ID: 737799f39a40fe7096cb4eb4bacfedf10a5a23caa9ee8b4ad1204e2003e3ea8c
Opcode Fuzzy Hash: d447213bdc87f86a4bb1de3c5015c2bc962c547a6bc37d6aa99d1dce5b7a981f
Instruction Fuzzy Hash: C441C471940629AFDF21EF68CC8D9FBB7BAEB85315F0081D9E40593284E6309E85CB74

Function 006294D1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006294DD
IsDebuggerPresent.KERNEL32 ref: 006295A9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006295C2
UnhandledExceptionFilter.KERNEL32(?), ref: 006295CC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a2384a13596f2505b8eab36c6219f73f57cf868f5b821b7f3fcee89583d2cb7c
Instruction ID: c455694ff10a94857d8811a57d82834a9ef177af71cb78509f306d890d81f497
Opcode Fuzzy Hash: a2384a13596f2505b8eab36c6219f73f57cf868f5b821b7f3fcee89583d2cb7c
Instruction Fuzzy Hash: 0231E475D05228DADF61DFA4E9497CDBBB8AF08300F1041AAE40CAB250EB719B85CF55

Function 005D1A20 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 492libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(-000000CA), ref: 005D1AB7
LoadStringW.USER32(?,-000002E2,-000002E2,00000100), ref: 005D1BDB

Strings

Unable to open message catalog: , xrefs: 005D1D7B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$LibraryString
String ID: Unable to open message catalog:
API String ID: 1664019954-3361316291
Opcode ID: 4d7b6d654c4c158fcb78e9720846532a58a49ab10e2e425a154b6c687f34af21
Instruction ID: c1303bda72c528aa48767656342c699f1009e9c7f3ec6ce0a952b2b0b3cc0926
Opcode Fuzzy Hash: 4d7b6d654c4c158fcb78e9720846532a58a49ab10e2e425a154b6c687f34af21
Instruction Fuzzy Hash: 7912BD70904659AFCB20DFACC8846AEBFF1BF88300F14856FE849AB352D7719945CB95

Function 0062A8C0 Relevance: 4.7, APIs: 3, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(713211A9,?), ref: 0062A916
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 0062A939
LocalFree.KERNEL32(?,?,?,00662150,00000002,?,?), ref: 0062AA06

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 5464822d865689fe6651d83f294ba2d0d93631926612f8211d6eddde523df40c
Instruction ID: 84238ec3d303e86e33cf51789ebfb2213f27e5d951087785fe099d0e6f7db7c8
Opcode Fuzzy Hash: 5464822d865689fe6651d83f294ba2d0d93631926612f8211d6eddde523df40c
Instruction Fuzzy Hash: E4613471900615AFCB04DFA8E844BFDBBBAEF46310F148218E815772C2DBB15945CFA0

Function 0064C09F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0064C0F3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0064C13D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0064C203

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a49bf9507212df0e7b5ffeba6005baf15adde5899cf6a54101857afe2973bf91
Instruction ID: 9df23e2b7da0f93828fbf4ee3831ed05151f14efa3d624ee556ad5ad38d39d87
Opcode Fuzzy Hash: a49bf9507212df0e7b5ffeba6005baf15adde5899cf6a54101857afe2973bf91
Instruction Fuzzy Hash: 6C61C1719412079FDBA89F68CC82BAB73AAEF04320F104179ED05C6785F7B4EA81CB54

Function 0062EA53 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0062EB4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0062EB55
UnhandledExceptionFilter.KERNEL32(-00000227,?,?,?,?,?,00000000), ref: 0062EB62

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f2896d5aa143adc98c562207f7e781942323d64be9b1f338ed8bfe31830e4add
Instruction ID: fa13c12de79e10ea7349e41b386b4a91037439b5c8d62bbe28c7715a4d79ab3d
Opcode Fuzzy Hash: f2896d5aa143adc98c562207f7e781942323d64be9b1f338ed8bfe31830e4add
Instruction Fuzzy Hash: 7A31D67591122CABCB61DF24D9887DCB7B9BF08311F5041EAE40CA7251E7709B818F58

Function 0061A2C0 Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

MATCH, xrefs: 0061A31B
Qf, xrefs: 0061A6CD
LAST_SUBMATCH_RESULTLAST_PAREN_MATCHPOSTMATCH, xrefs: 0061A61A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: LAST_SUBMATCH_RESULTLAST_PAREN_MATCHPOSTMATCH$MATCH$Qf
API String ID: 0-222299530
Opcode ID: 7f52867446b1791bbc4a257203133d0ef56384d1fc76175098bca66c42bca3b2
Instruction ID: 0476b9e1a48dcd8d42b87561dfae77397a4839740bf4b42cf06ad3f5f008c8d9
Opcode Fuzzy Hash: 7f52867446b1791bbc4a257203133d0ef56384d1fc76175098bca66c42bca3b2
Instruction Fuzzy Hash: 95E1C6766052418FCB20CF64D4806E9B7E3FB92320F5C856AD456CB341D735F98ACBA2

Function 053460B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 053460E2

Part of subcall function 05353328: GetLargePageMinimum.KERNEL32 ref: 053533E1
Part of subcall function 05353328: GetWindowTextLengthW.USER32 ref: 05353448

Strings

STATUS_ABIOS_NOT_PRESENT, xrefs: 0534611C, 05346124

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogLargeLengthMinimumPageTextUnitsWindow
String ID: STATUS_ABIOS_NOT_PRESENT
API String ID: 2297771435-2188909095
Opcode ID: 57b3570cbe24ed9ae6c756e1b0b0cd8963780ce5c163f1f7228d407ab49b200f
Instruction ID: 345fbbf190bfcfae04f17b0c959f6f9ab853b5182368cb91e7b70e3040c19444
Opcode Fuzzy Hash: 57b3570cbe24ed9ae6c756e1b0b0cd8963780ce5c163f1f7228d407ab49b200f
Instruction Fuzzy Hash: A211E7719342008BCB21EF7DE48A1267FFDF704358F84C52DE0458F281DB3895548B96

Function 0064642D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00640EAC,?,20001004,00000000,00000002,?,?,0064049E), ref: 00646461

Strings

09Z, xrefs: 0064644C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale
String ID: 09Z
API String ID: 2299586839-1578109394
Opcode ID: 5b0bc2a6960dd38556952785a9458edfc5bb84bb57b56d91141fc4f68b3b47f6
Instruction ID: f3381268e7bbc564a51bd977df5e5d4f019d6f76f5f84c5ff5672079e8358567
Opcode Fuzzy Hash: 5b0bc2a6960dd38556952785a9458edfc5bb84bb57b56d91141fc4f68b3b47f6
Instruction Fuzzy Hash: 2DE04F71501628FBCF126F60EC04AEE7F57EF45761F008024FD0565261CB368921AAAA

Function 00633B8A Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

.2e, xrefs: 00633F40, 00633D68
0, xrefs: 00633D1B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: .2e$0
API String ID: 0-2078051987
Opcode ID: 5adfe182679914925679b2140f1e8a17d396581802500721cf126efa20eff8ad
Instruction ID: b423d60c3a9dd0d91a5107793499745ee1cbeb21603d82c64a033d0be34438fb
Opcode Fuzzy Hash: 5adfe182679914925679b2140f1e8a17d396581802500721cf126efa20eff8ad
Instruction Fuzzy Hash: 94D1BD30A006268FCB28CF68C584ABAB7B3FF49710F14561DE556AB791D730AF42CB94

Function 0063382B Relevance: 2.8, Strings: 2, Instructions: 333COMMONLIBRARYCODE

Download Yara Rule

Strings

m-c, xrefs: 00633AC7, 00633AE9, 00633ACD, 00633AF6
0m-c, xrefs: 00633A33, 00633A39

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: 0m-c$m-c
API String ID: 0-4108365907
Opcode ID: a68eb8f1f16cfefcfc392c9038feccccc98166c390a74b55e794c0b8fe89bc5a
Instruction ID: aeb56e8b20a8572f7d3231d61a3fee8af3fc16d409f489fc13ca27e9cf8f205d
Opcode Fuzzy Hash: a68eb8f1f16cfefcfc392c9038feccccc98166c390a74b55e794c0b8fe89bc5a
Instruction Fuzzy Hash: 38C1AD30A0066ACECB28CE68C5847BABBB3EF45310F14461DE49697791D771EE46CBD1

Function 00647559 Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0064799E,00000000,00000000,00000000), ref: 0064785D

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 8d6dc7e0f8e5e08869afc0ea953517de359c2a3f1cb1fa15abde23e26f6f6cfd
Instruction ID: 94db88d41f77465ec6cabe7451140d521ef9a6c4062321e0a7cca2de4b97ef02
Opcode Fuzzy Hash: 8d6dc7e0f8e5e08869afc0ea953517de359c2a3f1cb1fa15abde23e26f6f6cfd
Instruction Fuzzy Hash: 29D13A72E04125ABDB14AFB4DC02ABE7BBBEF44710F50405AF905EB291EB709E40CB95

Function 00641FD4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,0059DFD0,?,00000008,?,?,00641FCF,0059DFD0,?,00000008,?,?,00651BBF,00000000), ref: 00642201

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1148a735fd0abdb394cfb79ad726ef961d8f05ecb3469d56920d60d547e32970
Instruction ID: f1e55faeac5f40b44b7771c9b9e2949207b2645f0155209a2c48259238f6cc53
Opcode Fuzzy Hash: 1148a735fd0abdb394cfb79ad726ef961d8f05ecb3469d56920d60d547e32970
Instruction Fuzzy Hash: 26B16B3111060A9FD719CF28C49ABA57BE2FF45364F658658F999CF2A1C335EA82CB40

Function 0062929C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006292B2

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1f509048e47462b8bf9e5ed21f2f4fc490bb93d55c80f502955e0358c40743b9
Instruction ID: 2c53a736b23d3f0d5929a3b4eca03693fa93a0d758d796cdfa6078310339f46b
Opcode Fuzzy Hash: 1f509048e47462b8bf9e5ed21f2f4fc490bb93d55c80f502955e0358c40743b9
Instruction Fuzzy Hash: 865174B1911A15CFEB18CF54E9857AEBBF6FB88310F24902AD405EB390D3749984CF60

Function 0064C2F2 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0064C346

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 77f6c1ae03c2b015ee17e718fee48ba73c1cf258271b59ae7a2c959db91cdadf
Instruction ID: ec5dbcb66c6175f73d4ce6c2639df4773f3bd66d299b5cdcf697260c3c4a7c70
Opcode Fuzzy Hash: 77f6c1ae03c2b015ee17e718fee48ba73c1cf258271b59ae7a2c959db91cdadf
Instruction Fuzzy Hash: 8B21F832502106ABDF599F14DC41ABB73AAEF81320F10407DFD01C6341EB76ED408754

Function 0064BF79 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

EnumSystemLocalesW.KERNEL32(0064C09F,00000001), ref: 0064BFEB

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5ba7b02467c0985a163d4dee034c9b98decf73da5094dc62faaa23fcd44db088
Instruction ID: 46709007ce44667661c3916c1c688d434b908d6372ce215d646b0b834c8d5f27
Opcode Fuzzy Hash: 5ba7b02467c0985a163d4dee034c9b98decf73da5094dc62faaa23fcd44db088
Instruction Fuzzy Hash: 6111E53A2047019FDB18AF39C8916BABB93FF80768B15443CE94687B40D372B942CB40

Function 0064C521 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0064C2BB,00000000,00000000,?), ref: 0064C54D

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ab24723881f80e0c4508bc8d1714f1e9ca097af0c09e87ad39f6aaf7fdf593d4
Instruction ID: 04f53a0be246371dfcd96d49120934e02e67e2ea80f9acd4c2e03ea6f688bbdf
Opcode Fuzzy Hash: ab24723881f80e0c4508bc8d1714f1e9ca097af0c09e87ad39f6aaf7fdf593d4
Instruction Fuzzy Hash: E901D672611112ABDB6C9B248C46AFE375ADB40764F154468EC06A3380EA74FE51C6A0

Function 0064C014 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

EnumSystemLocalesW.KERNEL32(0064C2F2,00000001), ref: 0064C05E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a3959d95fb2c89faecf802dbb69760274d10392147d0c3eb9799591c4151356b
Instruction ID: 3ac89cd95127fcb7427bb59670276bb8cc97424e5ecce5f2fb78a441b8401c74
Opcode Fuzzy Hash: a3959d95fb2c89faecf802dbb69760274d10392147d0c3eb9799591c4151356b
Instruction Fuzzy Hash: 4CF0F6363013049FDB249F799C81ABA7B92FF81B78F05442CFA454B790D6B29C41D650

Function 00645EA7 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0063DD9D: EnterCriticalSection.KERNEL32(?,?,0063ECD5,00000000,00673218,0000000C,0063EC9D,?,?,00642689,?,?,006418B4,00000001,00000364,?), ref: 0063DDAC

EnumSystemLocalesW.KERNEL32(Function_000E5E9A,00000001,006734B8,0000000C,006462D2,?), ref: 00645EDF

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4b5d4746b01dff7a099dbba9595d10ecc9b4f10c2f99f6d2cbf3b0efb4789d5c
Instruction ID: 198b845cbfd03a624826106837dfc955305cd24d7f051b831b77e4543165dc26
Opcode Fuzzy Hash: 4b5d4746b01dff7a099dbba9595d10ecc9b4f10c2f99f6d2cbf3b0efb4789d5c
Instruction Fuzzy Hash: E2F04972A10710EFD704DFA8E846B9D77F2EB44721F10812AF415DB2A1CB7A4944CF95

Function 0064BF2E Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00641716: GetLastError.KERNEL32(00000000,?,00647DD7), ref: 0064171A
Part of subcall function 00641716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 006417BC

EnumSystemLocalesW.KERNEL32(0064BE87,00000001), ref: 0064BF65

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0e471716dc782b0445b265bc6b3a85a8f528e513a1302c49b09a19c6d8a1f20a
Instruction ID: e630128872f2f008b513c0df2b562fe029b9d0fbe776289d8da54114e453f421
Opcode Fuzzy Hash: 0e471716dc782b0445b265bc6b3a85a8f528e513a1302c49b09a19c6d8a1f20a
Instruction Fuzzy Hash: 28F0E53A30020597CB14AF39DC55AAA7FA6EFC1754B064098FA098B690CB71D842CB90

Function 005F49B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3262d2e818f5ec7b3eebc2c903f11d4aa5c0fb6e701161eff682ad2fce20ceb
Instruction ID: b23ea8b0ebb9fe2811d66ec3101863f660984b0d13820038d572d37dc5e0ba91
Opcode Fuzzy Hash: c3262d2e818f5ec7b3eebc2c903f11d4aa5c0fb6e701161eff682ad2fce20ceb
Instruction Fuzzy Hash: 66719A716053158FC714CF28C89062AFBE1FB88360F048A2EF999DB3A1D735E905CB95

Function 006389F7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e1bea2186ccdaf5911758430073ecf0a306bc1d82e0eec42000191d8490b8c
Instruction ID: 6a521c38447deee020d1e257b259f085efb2d170aab44a6c6ac808c688004d90
Opcode Fuzzy Hash: e0e1bea2186ccdaf5911758430073ecf0a306bc1d82e0eec42000191d8490b8c
Instruction Fuzzy Hash: 51516D72D0021AAFDF14CF98C841AEEBBB6FF88300F198459E915AB341D774AA51CB90

Function 005F47F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f0a73c41b8169e5e60d41f4594f70cfefb0c30b59f3b6c78eb1d6e1a4a1e5a
Instruction ID: c696dc20cc3892a343726e343034fc799f5d376a92bb914b62c40187db8287de
Opcode Fuzzy Hash: d0f0a73c41b8169e5e60d41f4594f70cfefb0c30b59f3b6c78eb1d6e1a4a1e5a
Instruction Fuzzy Hash: 23517B716182158F8708DF28C8A196EFBE5FB88344F40892EF999DB391D771EA05CB91

Function 005BACA0 Relevance: 68.6, APIs: 21, Strings: 18, Instructions: 306COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?), ref: 005BAD84
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?), ref: 005BADAF
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?), ref: 005BADD7
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?,?,?), ref: 005BADEE
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 005BAE19
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?,?,?,?), ref: 005BAE30
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005BAE5B
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005BAE83
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030), ref: 005BAE9A
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3,Icon,00000001,?), ref: 005BAEC5
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3\Command,00000000,00000001,?), ref: 005BAEED
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030), ref: 005BAF04
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,Icon,00000001,?), ref: 005BAF2F
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3\Command,00000000,00000001,?), ref: 005BAF57
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,MultiSelectModel,00000001,Player,00000010), ref: 005BAF71
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005BB03D
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,?,?), ref: 005BB06F
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3), ref: 005BB07B
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3), ref: 005BB087
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3), ref: 005BB093
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3), ref: 005BB09F

Part of subcall function 005AD360: GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 005AD3E1

Strings

Player, xrefs: 005BAF5B
%s /searchpath:"%%1", xrefs: 005BAD41
Software\Classes\Folder\shell\grepWinNP3\Command, xrefs: 005BAE79
Software\Classes\Drive\shell\grepWinNP3, xrefs: 005BAE90, 005BAEBB, 005BB089
Software\Classes\Directory\Background\shell\grepWinNP3\Command, xrefs: 005BB033
Software\Classes\Directory\shell\grepWinNP3\Command, xrefs: 005BADCD
Software\Classes\Drive\shell\grepWinNP3\Command, xrefs: 005BAEE3
Software\Classes\Folder\shell\grepWinNP3, xrefs: 005BAE26, 005BAE51, 005BB07D
Search with grepWinNP3, xrefs: 005BAD71
%s,-%d, xrefs: 005BACF3
Software\Classes\Directory\shell\grepWinNP3, xrefs: 005BAD7A, 005BADA5, 005BB065
%s /searchpath:"%%V", xrefs: 005BAFA2
MultiSelectModel, xrefs: 005BAF62
Software\Classes\Directory\Background\shell\grepWinNP3, xrefs: 005BADE4, 005BAE0F, 005BB071
Icon, xrefs: 005BADA0, 005BAE0A, 005BAE4C, 005BAEB6, 005BAF20
Software\Classes\*\shell\grepWinNP3, xrefs: 005BAEFA, 005BAF25, 005BAF67, 005BB095
Search with grepWinNP3, xrefs: 005BADDB, 005BAE1D, 005BAE87, 005BAEF1
Software\Classes\*\shell\grepWinNP3\Command, xrefs: 005BAF4D

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Value$Delete$FileModuleName
String ID: %s /searchpath:"%%1"$%s /searchpath:"%%V"$%s,-%d$Icon$MultiSelectModel$Player$Search with grepWinNP3$Search with grepWinNP3$Software\Classes\*\shell\grepWinNP3$Software\Classes\*\shell\grepWinNP3\Command$Software\Classes\Directory\Background\shell\grepWinNP3$Software\Classes\Directory\Background\shell\grepWinNP3\Command$Software\Classes\Directory\shell\grepWinNP3$Software\Classes\Directory\shell\grepWinNP3\Command$Software\Classes\Drive\shell\grepWinNP3$Software\Classes\Drive\shell\grepWinNP3\Command$Software\Classes\Folder\shell\grepWinNP3$Software\Classes\Folder\shell\grepWinNP3\Command
API String ID: 3737704472-174100858
Opcode ID: 8b465b70b70f69544911fe18f79c2a1a3a14c87298c7b0f8985379e272148bb9
Instruction ID: 714feae8c672187466a3b4c7ba44efd6989d486c0be19061868e6dda8ae36d73
Opcode Fuzzy Hash: 8b465b70b70f69544911fe18f79c2a1a3a14c87298c7b0f8985379e272148bb9
Instruction Fuzzy Hash: 8DB18A70A4021AAFEF14DB94DD96FEDBBB5EB04B08F100459F509B7281DBB17A44CBA1

Function 005A6CD0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?), ref: 005A6CE8
SetCursor.USER32 ref: 005A6D28
SetWindowLongW.USER32(?,000000FC,?), ref: 005A6D42
SendMessageW.USER32(?,00000030,?,00000000), ref: 005A6D50
DeleteObject.GDI32 ref: 005A6D75
RemovePropW.USER32(?,-00000001), ref: 005A6D8E
CallWindowProcW.USER32(?,?,?,?,?), ref: 005A6DA0
ShellExecuteExW.SHELL32 ref: 005A6E13
InvalidateRect.USER32(?,00000000,00000000), ref: 005A6E25
CallWindowProcW.USER32(?,?,?,?,?), ref: 005A6E5A
SendMessageW.USER32(?,00000030,?,00000000), ref: 005A6E7F
InvalidateRect.USER32(?,00000000,00000000), ref: 005A6E8A
GetParent.USER32(?), ref: 005A6EAD
GetWindowRect.USER32(?,?), ref: 005A6EC3
ScreenToClient.USER32(00000000,00000000), ref: 005A6EE5
ScreenToClient.USER32(00000000,00000000), ref: 005A6EED
GetDC.USER32(00000000), ref: 005A6EF0
DrawFocusRect.USER32(00000000,00000000), ref: 005A6EFE
ReleaseDC.USER32(00000000,00000000), ref: 005A6F06
GetClientRect.USER32(?,?), ref: 005A6F23
ReleaseCapture.USER32 ref: 005A6F4A

Strings

<, xrefs: 005A6DFB
open, xrefs: 005A6E03

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Client$CallInvalidateMessageProcPropReleaseScreenSend$CaptureCursorDeleteDrawExecuteFocusLongObjectParentRemoveShell
String ID: <$open
API String ID: 2539734022-1930408713
Opcode ID: e118bf431d241049cb4d1007648c81c6b48061fd8f21d1a325375ab7ffb87e82
Instruction ID: d3978cc33a616fe5db66fa891059b499615e2cfcd2b10e43f2c60046ae3323f3
Opcode Fuzzy Hash: e118bf431d241049cb4d1007648c81c6b48061fd8f21d1a325375ab7ffb87e82
Instruction Fuzzy Hash: 1A81BD36200205DFD721CF64EC88B6FBBE9FB89712F04155AFA4AC22A0D7759854DB72

Function 0059B7D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 124windowlibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0059B7EA
GetWindowPlacement.USER32(00000000,?), ref: 0059B7F8
GetDesktopWindow.USER32 ref: 0059B810
GetWindowRect.USER32(00000000,?), ref: 0059B824
GetWindowRect.USER32(?,?), ref: 0059B82C
CopyRect.USER32(?,?), ref: 0059B838
OffsetRect.USER32(?,?,?), ref: 0059B857
OffsetRect.USER32(?,?,?), ref: 0059B86C
OffsetRect.USER32(?,?,?), ref: 0059B881
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000041), ref: 0059B8A8
LoadImageW.USER32(?,?,00000001,00000000,00000000,00008040), ref: 0059B8C1
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0059B8DA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0059B8E7
SetLastError.KERNEL32(000004DF), ref: 0059B8F4
LoadLibraryW.KERNEL32(dwmapi.dll), ref: 0059B901

Strings

dwmapi.dll, xrefs: 0059B8FC
,, xrefs: 0059B7E2

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Offset$LoadMessageSend$CopyDesktopErrorImageLastLibraryParentPlacement
String ID: ,$dwmapi.dll
API String ID: 2759369074-1731591866
Opcode ID: d66196f3b67ee90a3f14a28ecaf85640ca2d2d0ba000033927969c2d3c0deac8
Instruction ID: 00f16c1ea11645edbd2c8cafbf4da60db634be43f9b9964a63d1f7a7e3040d0e
Opcode Fuzzy Hash: d66196f3b67ee90a3f14a28ecaf85640ca2d2d0ba000033927969c2d3c0deac8
Instruction Fuzzy Hash: 0E411572504309AFEB10DF28DC89F6B7BEDEB88711F04461AFA45E7290D774E9048BA1

Function 005A6AB0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 123stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(http://tools.stefankueng.com,?,?,?,?), ref: 005A6AC2
lstrcpyW.KERNEL32(0066269C,http://tools.stefankueng.com,?,?,?,?,?), ref: 005A6B13
GetParent.USER32(?), ref: 005A6B1E
GetWindowLongW.USER32(00000000,000000FC), ref: 005A6B39
SetPropW.USER32(00000000,00000000,00000000), ref: 005A6B4C
SetWindowLongW.USER32(00000000,000000FC,005A6C10), ref: 005A6B5A
GetWindowLongW.USER32(?,000000F0), ref: 005A6B5F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A6B6A
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005A6B73
GetObjectW.GDI32(00000000,0000005C,?), ref: 005A6B9B
CreateFontIndirectW.GDI32(?), ref: 005A6BAB
LoadCursorW.USER32(00000000,00007F89), ref: 005A6BBD
LoadCursorW.USER32(00000000,00007F00), ref: 005A6BD2
GetWindowLongW.USER32(?,000000FC), ref: 005A6BE0
SetPropW.USER32(?,00000000,?), ref: 005A6BEF
SetWindowLongW.USER32(?,000000FC,Function_00046CD0), ref: 005A6BFD

Strings

http://tools.stefankueng.com, xrefs: 005A6AB9, 005A6B0C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: LongWindow$CursorLoadProp$CreateFontIndirectMessageObjectParentSendlstrcpylstrlen
String ID: http://tools.stefankueng.com
API String ID: 3347581731-806382027
Opcode ID: 9897b235eaf23cb7986889c6fedc031dd892dc0994106e0da1d3815f29a24dc1
Instruction ID: ee7432233e7bdf292e9f630dcc7b0383a2042a837f65911912134b2621caf332
Opcode Fuzzy Hash: 9897b235eaf23cb7986889c6fedc031dd892dc0994106e0da1d3815f29a24dc1
Instruction Fuzzy Hash: 4331DD30104315FFD710AB24AC49F6F3BAAEB45721F101618FA65D22E0DB79A9418B75

Function 005E5B30 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,FillResultList,0000000E), ref: 005E5B77
LoadCursorW.USER32(00000000,00007F8A), ref: 005E5B8B
SetCursor.USER32(00000000), ref: 005E5B92
GetCursorPos.USER32(?), ref: 005E5B9C
SetCursorPos.USER32(?,?), ref: 005E5BA8
IsDlgButtonChecked.USER32(?,00000423), ref: 005E5BB6
GetDlgItem.USER32(?,000003F6), ref: 005E5BC6
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 005E5BD5
SendMessageW.USER32(00000000,0000102F,?,00000003), ref: 005E5C1D
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 005E5C2D
LoadCursorW.USER32(00000000,00007F00), ref: 005E5C36
SetCursor.USER32(00000000), ref: 005E5C3D
GetCursorPos.USER32(?), ref: 005E5C47
SetCursorPos.USER32(?,?), ref: 005E5C53
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 005E5C63

Strings

FillResultList, xrefs: 005E5B54

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Cursor$MessageSend$Load$ButtonCheckedCounterItemPerformanceQueryRedrawWindow
String ID: FillResultList
API String ID: 3380769934-393267765
Opcode ID: 0b1b97551906906dab458b009cb551b7d9f93de1e47e5eb25a73b2e52ab341a7
Instruction ID: 516aa47f26f49fbbe23c021c1dd5d864cf94a8dfc623f3ceefe4f6d8aa2c7adb
Opcode Fuzzy Hash: 0b1b97551906906dab458b009cb551b7d9f93de1e47e5eb25a73b2e52ab341a7
Instruction Fuzzy Hash: C3313C71A4070AEFDB14DFA4DD4AFADBBBAFB08702F105515F215E61D0DB7469108B60

Function 005F1A50 Relevance: 25.8, APIs: 17, Instructions: 268windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F6), ref: 005F1A83
SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 005F1A9E
SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 005F1AAD
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 005F1AEB
SendMessageW.USER32(?,00001002,00000001,00000000), ref: 005F1AFF
ImageList_GetImageCount.COMCTL32(00000000,?,75C05540,00000000), ref: 005F1B09
MulDiv.KERNEL32(00000003,00000000,?), ref: 005F1B38
ImageList_GetImageInfo.COMCTL32(?,00000000,?,?,75C05540,00000000), ref: 005F1B1B

Part of subcall function 0059B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0059C04D,?,00000060), ref: 0059B549
Part of subcall function 0059B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0059B563
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0059B570
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0059B57E
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0059B58C

SendMessageW.USER32(?,0000120B,00000000,?), ref: 005F1BA8
SendMessageW.USER32(?,00001057,00000000,?), ref: 005F1BB7
SendMessageW.USER32(?,00001073,00000000,?), ref: 005F1C00
MulDiv.KERNEL32(0000000E,00000000,?), ref: 005F1C1D
SendMessageW.USER32(?,00001057,00000000,?), ref: 005F1C36
IsDlgButtonChecked.USER32(?,00000423), ref: 005F1C9C
SendMessageW.USER32(?,0000100E,00000000,?), ref: 005F1CC7
SendMessageW.USER32(?,0000100E,00000000,?), ref: 005F1CE7
SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 005F1D4D

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$AddressImageProc$List_$ButtonCheckedCountHandleInfoItemModule
String ID:
API String ID: 1481306643-0
Opcode ID: 0b9d12fd17bea0cb92bb57bfef6ea4bdf18aa1fa3b4fc6a581a0d79c29d9ce7b
Instruction ID: 1d36fec3bcd7032ffb776a1692391b9b3a4eb0c749bd7236c71b6ffb1a06e77e
Opcode Fuzzy Hash: 0b9d12fd17bea0cb92bb57bfef6ea4bdf18aa1fa3b4fc6a581a0d79c29d9ce7b
Instruction Fuzzy Hash: B1A13472A4034DEFEB21DF68CC85BEA7BA9FB44700F144529FA059B290D7B5E840CB94

Function 005C0B40 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 264windowtimeCOMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,000003E8,00664D74), ref: 005C0CDF
SetDlgItemTextW.USER32(?,000003FF,?), ref: 005C0CF3
GetDlgItem.USER32(?,000003E8), ref: 005C0D01
SetFocus.USER32(00000000), ref: 005C0D04
ShowWindow.USER32(?,-00000001,?), ref: 005C0D3F

Part of subcall function 0059F6A0: GetDlgItem.USER32(?,?), ref: 0059F6B2
Part of subcall function 0059F6A0: GetWindowRect.USER32(00000000,?), ref: 0059F6D1
Part of subcall function 0059F6A0: OffsetRect.USER32(?,?,?), ref: 0059F6EA
Part of subcall function 0059F6A0: MapWindowPoints.USER32(?,?,?,00000002), ref: 0059F6FE

GetDlgItem.USER32(?,00000406), ref: 005C0DC7
SendMessageW.USER32(00000000), ref: 005C0DD0
GetDlgItem.USER32(?,00000406), ref: 005C0DE6
SendMessageW.USER32(00000000), ref: 005C0DE9
GetDlgItem.USER32(?,00000408), ref: 005C0DFF
SendMessageW.USER32(00000000), ref: 005C0E02
KillTimer.USER32(?,00000064), ref: 005C0E3B

Strings

d, xrefs: 005C0E29
tMf, xrefs: 005C0C39, 005C0C44

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$MessageSendWindow$RectText$FocusKillOffsetPointsShowTimer
String ID: d$tMf
API String ID: 1684828882-926821200
Opcode ID: fc49304c47e3303331d3a68050f09769ecab0ebf795bbbec871b529118f2f659
Instruction ID: 3db06a481c2d51c24f3069486db257da019b6c1773d9b321c5a13d7849578f6a
Opcode Fuzzy Hash: fc49304c47e3303331d3a68050f09769ecab0ebf795bbbec871b529118f2f659
Instruction Fuzzy Hash: 4E91BC31640619AFDF15AFA4DC46FAE7BA6FF44710F008569FD05AB2D2CB349A01CBA4

Function 005ACBB0 Relevance: 22.9, APIs: 15, Instructions: 438COMMON

Download Yara Rule

APIs

PathIsURLW.SHLWAPI ref: 005ACC20
PathIsRelativeW.SHLWAPI ref: 005ACC43
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 005ACC61
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 005ACCB4

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Path$FullName$Relative
String ID:
API String ID: 153212401-0
Opcode ID: 58a564013504604ab14cb4b3cae771a9bd156238595f635db00c9b853307097f
Instruction ID: 8e240d4bf6dd8c7047485c38513b414564823e2f5522f0cfa276873ae86ad37d
Opcode Fuzzy Hash: 58a564013504604ab14cb4b3cae771a9bd156238595f635db00c9b853307097f
Instruction Fuzzy Hash: AAF1C6B0E012199FDB54DFA8D985BAEBBF9FF08300F10446AE919E7341E775A904CB64

Function 0062A700 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 144filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000100), ref: 0062A784
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000100), ref: 0062A798
SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 0062A7C7
GetLastError.KERNEL32 ref: 0062A7D2
SetEndOfFile.KERNEL32(?), ref: 0062A7E3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0062A7F6
GetProcAddress.KERNEL32(00000000,GetFileSizeEx), ref: 0062A802
GetFileSize.KERNEL32(?,?), ref: 0062A82A

Strings

kernel32.dll, xrefs: 0062A7F1
failed opening file, xrefs: 0062A876
failed querying file size, xrefs: 0062A88E
GetFileSizeEx, xrefs: 0062A7FC
failed setting file size, xrefs: 0062A882

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: File$Create$AddressErrorHandleLastModulePointerProcSize
String ID: GetFileSizeEx$failed opening file$failed querying file size$failed setting file size$kernel32.dll
API String ID: 1272188909-882181951
Opcode ID: 5feafb18d60f68714c7ddac8d74984bf61d5c49041c5727cf4dd9b5dfd73a3bc
Instruction ID: 94df9f91810891ed97e4a41fb27f3d4e8ba619505b1fb800d1e6c9a2eea5caf3
Opcode Fuzzy Hash: 5feafb18d60f68714c7ddac8d74984bf61d5c49041c5727cf4dd9b5dfd73a3bc
Instruction Fuzzy Hash: 2941BF31600A19AFDB18CFA4DD48BAE73AAAB44711F10462DF816D32D0DBB4DC05CE62

Function 0059B530 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0059C04D,?,00000060), ref: 0059B549
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0059B563
GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0059B570
GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0059B57E
GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0059B58C
GetDC.USER32(00000000), ref: 0059B5AE
GetDeviceCaps.GDI32(00000000,00000058), ref: 0059B5BD
ReleaseDC.USER32(00000000,00000000), ref: 0059B5C9

Strings

GetDpiForWindow, xrefs: 0059B55D
GetSystemMetricsForDpi, xrefs: 0059B572
GetDpiForSystem, xrefs: 0059B565
user32.dll, xrefs: 0059B544
SystemParametersInfoForDpi, xrefs: 0059B580

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$CapsDeviceHandleModuleRelease
String ID: GetDpiForSystem$GetDpiForWindow$GetSystemMetricsForDpi$SystemParametersInfoForDpi$user32.dll
API String ID: 3695273371-21495702
Opcode ID: 3ef783eb71474a039195731fa2b876ca3ead03df9a07cd11e1c9e72f8bb19ce2
Instruction ID: dac337b6d2838e0c26814d05f8caf888a0f1cde605297cfa01892d61a8fdd498
Opcode Fuzzy Hash: 3ef783eb71474a039195731fa2b876ca3ead03df9a07cd11e1c9e72f8bb19ce2
Instruction Fuzzy Hash: F32179B0A05702ABEB10CF65ED44A4ABFE5FF88711F05492AF804D7640EB70E914CBB2

Function 0061C2D0 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 155COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0061C41E
EnumFontsW.GDI32(00000000,Segoe UI,0061C2C0,00000000), ref: 0061C431
ReleaseDC.USER32(00000000,00000000), ref: 0061C43A

Strings

Microsoft YaHei UI, xrefs: 0061C3BA
Yu Gothic UI, xrefs: 0061C3E5
[ja-jp], xrefs: 0061C3D1
[ko-kr], xrefs: 0061C3FC
[zh-tw], xrefs: 0061C3A6
Malgun Gothic, xrefs: 0061C410
Segoe UI, xrefs: 0061C2FF, 0061C35F, 0061C42F
Microsoft JhengHei UI, xrefs: 0061C38F
[zh-cn], xrefs: 0061C37B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: EnumFontsRelease
String ID: Malgun Gothic$Microsoft JhengHei UI$Microsoft YaHei UI$Segoe UI$Yu Gothic UI$[ja-jp]$[ko-kr]$[zh-cn]$[zh-tw]
API String ID: 2694381407-3191444076
Opcode ID: d7784e320dbcccf312ba30d35fc22f13649d05a05a7f0b2b9f922defc25cd523
Instruction ID: 1a256cf7019b63a899212dd6093ed8a11ecd96e9ab9e6d6b224c332de4a63dd6
Opcode Fuzzy Hash: d7784e320dbcccf312ba30d35fc22f13649d05a05a7f0b2b9f922defc25cd523
Instruction Fuzzy Hash: E451A171E442159BCF10DF58C841BFE7BB6EB45764F184216ED25A7380D734AE818BE1

Function 0059BF60 Relevance: 21.1, APIs: 14, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0059BF8A

Part of subcall function 0059BE30: GetDlgItem.USER32(?,?), ref: 0059BE44
Part of subcall function 0059BE30: GetWindowTextLengthW.USER32(00000000), ref: 0059BE4B
Part of subcall function 0059BE30: GetDlgItemTextW.USER32(?,?,00000000,00000001), ref: 0059BE8D

GetWindowDC.USER32(?,?,?), ref: 0059BFA9
GetWindowRect.USER32(?,?), ref: 0059BFBB
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0059BFCC
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0059BFFE
SelectObject.GDI32(00000000,00000000), ref: 0059C006
OffsetRect.USER32(?,?,?), ref: 0059C01F
DrawTextW.USER32(00000000,?,000000FF,?,00000450), ref: 0059C032
MulDiv.KERNEL32(00000003,00000000,?), ref: 0059C050
GetSystemMetrics.USER32(0000002D), ref: 0059C061
GetSystemMetrics.USER32(00000047), ref: 0059C069
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0059C098
SelectObject.GDI32(00000000,?), ref: 0059C0A8
ReleaseDC.USER32(?,00000000), ref: 0059C0B2

Part of subcall function 0059B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0059C04D,?,00000060), ref: 0059B549
Part of subcall function 0059B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0059B563
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0059B570
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0059B57E
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0059B58C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$AddressProc$ItemText$MetricsObjectRectSelectSystem$DrawHandleLengthMessageModuleMoveOffsetPointsReleaseSend
String ID:
API String ID: 586974731-0
Opcode ID: f3de0a40ceacad850cf2f71f6dffb5ecd7d794a5d61c095bc0403dd7b2977318
Instruction ID: f92dfd5a9ca03008e6e3902bc4e86408bb2ed349e9a0f91d61b0e71e1b590a09
Opcode Fuzzy Hash: f3de0a40ceacad850cf2f71f6dffb5ecd7d794a5d61c095bc0403dd7b2977318
Instruction Fuzzy Hash: 28411B75A01209EFDF04DFA4EC49BAEBBB9FF48711F105129FA15A3290D774A911CB60

Function 005DE170 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 357COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000101,?,?,00000000,00654E60,000000FF,?,005DE148,?), ref: 005DE7BC

Strings

$!f, xrefs: 005DE4A4
$!f, xrefs: 005DE4AE
0%f, xrefs: 005DE6CD
$!f, xrefs: 005DE4C2
0%f, xrefs: 005DE5F5
0%f, xrefs: 005DE589
0%f, xrefs: 005DE661
$!f, xrefs: 005DE4B8
0%f, xrefs: 005DE51D
$!f, xrefs: 005DE4CC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: FreeLibrary
String ID: $!f$$!f$$!f$$!f$$!f$0%f$0%f$0%f$0%f$0%f
API String ID: 3664257935-758590268
Opcode ID: d338ec08b63e3a1b0715cb467f13ea47c8327bce31755367c1a69d1c7a5f0433
Instruction ID: 675209496c0e765c2547dcb748c463d2b497d24dde7c498380af4a07a4a211b7
Opcode Fuzzy Hash: d338ec08b63e3a1b0715cb467f13ea47c8327bce31755367c1a69d1c7a5f0433
Instruction Fuzzy Hash: 40F1CD30121B068BEF68EB30D5A9AFABBE5BF54708F40481DE09F46662DF357945EB10

Function 005A5830 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A5853
std::_Lockit::_Lockit.LIBCPMT ref: 005A5875
std::_Lockit::~_Lockit.LIBCPMT ref: 005A5895
std::_Lockit::~_Lockit.LIBCPMT ref: 005A58BF
std::_Lockit::_Lockit.LIBCPMT ref: 005A592D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005A5979
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005A5993
std::_Lockit::~_Lockit.LIBCPMT ref: 005A5A28
std::_Facet_Register.LIBCPMT ref: 005A5A35

Strings

bad locale name, xrefs: 005A5A4F
O<Z, xrefs: 005A58F3

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: O<Z$bad locale name
API String ID: 3375549084-2225322940
Opcode ID: be5e155c46a34636cecf31db627607691a94f876df23bb0d14e18f880cb65628
Instruction ID: 7654c73313a4a88a53de434e836902a435d23690e63b1de34c9c73065fd8bc5a
Opcode Fuzzy Hash: be5e155c46a34636cecf31db627607691a94f876df23bb0d14e18f880cb65628
Instruction Fuzzy Hash: 346182B5D00655DFDB50DFA4E845B9EBFB5BF05310F184018E805A7341EB34E949CBA6

Function 0064F947 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064F600: CreateFileW.KERNEL32(?,00000000,?,0064F9F0,?,?,00000000,?,0064F9F0,?,0000000C), ref: 0064F61D

GetLastError.KERNEL32 ref: 0064FA5B
__dosmaperr.LIBCMT ref: 0064FA62
GetFileType.KERNEL32(00000000), ref: 0064FA6E
GetLastError.KERNEL32 ref: 0064FA78
__dosmaperr.LIBCMT ref: 0064FA81
CloseHandle.KERNEL32(00000000), ref: 0064FAA1
CloseHandle.KERNEL32(00648D01), ref: 0064FBEE
GetLastError.KERNEL32 ref: 0064FC20
__dosmaperr.LIBCMT ref: 0064FC27

Strings

H, xrefs: 0064FBAC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 40ac23d3e3943f930f07833a0a233014ce9b0a16733f190fdfd167a19b7cfc19
Instruction ID: 5f11c0b1dc405a8327b922f3266e9cd7852965af81801c65a56465c1ddc43603
Opcode Fuzzy Hash: 40ac23d3e3943f930f07833a0a233014ce9b0a16733f190fdfd167a19b7cfc19
Instruction Fuzzy Hash: 81A13632A141199FDF19DFA8DC91BAE7BA2EB46310F24016DF8019F391CB348D56C792

Function 005A62C0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A6332
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005A637E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005A64C4
std::_Lockit::~_Lockit.LIBCPMT ref: 005A6559
Concurrency::cancel_current_task.LIBCPMT ref: 005A657E

Strings

bad locale name, xrefs: 005A6574
false, xrefs: 005A640F
,, xrefs: 005A647C
true, xrefs: 005A6428
., xrefs: 005A643E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: ,$.$bad locale name$false$true
API String ID: 3204333896-3659324578
Opcode ID: 7534ae15c8fa42df1fa3957a99a3777835753be7f054bf97b3333a8ac064f938
Instruction ID: e4053a69830092a012d8a0f73dc7730a201e2d54b1d67f7a7107c4ea3bc4b0d1
Opcode Fuzzy Hash: 7534ae15c8fa42df1fa3957a99a3777835753be7f054bf97b3333a8ac064f938
Instruction Fuzzy Hash: EB8150B1D00259DBEF50DFE5D845BDEBBB8BF05304F148069E904AB281E775DA08CBA6

Function 005ABC10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005ABC33
std::_Lockit::_Lockit.LIBCPMT ref: 005ABC55
std::_Lockit::~_Lockit.LIBCPMT ref: 005ABC75
std::_Lockit::~_Lockit.LIBCPMT ref: 005ABC9F
std::_Lockit::_Lockit.LIBCPMT ref: 005ABD0D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005ABD59
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005ABD73
std::_Lockit::~_Lockit.LIBCPMT ref: 005ABE08
std::_Facet_Register.LIBCPMT ref: 005ABE15

Strings

bad locale name, xrefs: 005ABE2F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 3c5e3964c0dd4e957debb0053e2e478760bd704e1a02d4824b5b5676023aa98f
Instruction ID: 19d8991e04ced7730c0db70ba4bc09e6749ea9eeb8265def9fb31d8e5f3bb5db
Opcode Fuzzy Hash: 3c5e3964c0dd4e957debb0053e2e478760bd704e1a02d4824b5b5676023aa98f
Instruction Fuzzy Hash: 3F617EB4D002599BEB50DFA4D855BAEBFB5BF05314F184018E808A7342EB34AD49CBE6

Function 05350008 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 130threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05350064
GetLastError.KERNEL32(?,00000000,?,0534AE8A), ref: 0535007E
GetLastActivePopup.USER32 ref: 053500F6
GetModuleHandleW.KERNEL32(00000000,?,0534AE8A), ref: 05350134
GetLargePageMinimum.KERNEL32(?,?,0534AE8A), ref: 05350177
GetSystemDefaultLangID.KERNEL32(?,?,0534AE8A), ref: 053501E5

Strings

The driver package cannot find a required driver configuration., xrefs: 0535003E
The specified named pipe is in the connected state., xrefs: 05350140, 053501F0
Checking file system on %wZ, xrefs: 0535012D
{Insufficient Resources on Remote Computer}, xrefs: 053500BF, 05350183

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveCurrentDefaultErrorHandleLangLargeMinimumModulePagePopupSystemThread
String ID: Checking file system on %wZ$The driver package cannot find a required driver configuration.$The specified named pipe is in the connected state.${Insufficient Resources on Remote Computer}
API String ID: 584268533-1900623555
Opcode ID: 30c536cb307a8f172bf26cdd4103823ed093c9affeaf9868326de5581930ddb5
Instruction ID: 1657e94f380948d63aea1d468de45dd0a6d3accbf351d7bdd3b46408d9cc0181
Opcode Fuzzy Hash: 30c536cb307a8f172bf26cdd4103823ed093c9affeaf9868326de5581930ddb5
Instruction Fuzzy Hash: 4C51F1B99202018FCB09CF6AE98B5567FEDE788308F80C56EE9458F344EF7984198F50

Function 05352DA4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 112stringCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,05349A36), ref: 05352E00
GetLargePageMinimum.KERNEL32(?,?,?,?,?,?,?,05349A36), ref: 05352E20
lstrlenW.KERNEL32(?,?,?,?,?,?,?,05349A36), ref: 05352E7B
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,05349A36), ref: 05352EB9
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,05349A36), ref: 05352EE0

Strings

The specified resiliency type is not valid., xrefs: 05352DD1
APPOINTMENTS, xrefs: 05352E81
{Invalid Current Directory}, xrefs: 05352DA5
The filter weight is not valid., xrefs: 05352E74
OnMachineUILanguageClear, xrefs: 05352EE2

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast$ForegroundLargeMinimumPageWindowlstrlen
String ID: APPOINTMENTS$OnMachineUILanguageClear$The filter weight is not valid.$The specified resiliency type is not valid.${Invalid Current Directory}
API String ID: 2730288062-1783351758
Opcode ID: 669790b17405bce41684d7d72c496f5ada9ff12760aef2378c1152eca159e833
Instruction ID: 46974a6ada2b12fb402a150159fe1823f9cb12677c408674d5d4096fa8212898
Opcode Fuzzy Hash: 669790b17405bce41684d7d72c496f5ada9ff12760aef2378c1152eca159e833
Instruction Fuzzy Hash: 4541E3B5A252008BD314CF29E9824667FEEEB84308F94D06EF849CF31CEE348415DBA1

Function 0059C2F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 381comCOMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00676DE4,?,00000002), ref: 0059C37E
CoCreateInstance.OLE32(006597A0,00000000,00000001,00661AEC,?), ref: 0059C3DF
SHCreateItemFromParsingName.SHELL32(00676DE4,00000000,00661AFC,00000000), ref: 0059C473
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,-00000002), ref: 0059C696

Strings

mg, xrefs: 0059C38F
mg, xrefs: 0059C360
mg, xrefs: 0059C454
mg, xrefs: 0059C32E
mg, xrefs: 0059C371

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Create$ExistsFileFreeFromInstanceItemNameParsingPathTask
String ID: mg$mg$mg$mg$mg
API String ID: 4132989732-2136722120
Opcode ID: 05f115cdb996edc4e2abdef6185da841f020234267964243fc93ea2a7f3bf3da
Instruction ID: 96d4c6cba8a5ebb848bb7f6d9b59b7c87f3222835e64720c7d0bd9227e74aacb
Opcode Fuzzy Hash: 05f115cdb996edc4e2abdef6185da841f020234267964243fc93ea2a7f3bf3da
Instruction Fuzzy Hash: 2BE14871A00215AFCB14DFA8C898FAEBFB5FF48704F108559F91AAB290D731E905CB60

Function 00625490 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 334COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000042,0000000C,0000000C,00000000), ref: 006254CE
GetSysColor.USER32(00000008), ref: 006254EE
GetSysColor.USER32(00000005), ref: 00625507
GetTickCount64.KERNEL32 ref: 00625562

Part of subcall function 005BE810: RegOpenKeyExW.KERNELBASE(80000001,0067BC98,00000000,00000000,00000000), ref: 005BE848
Part of subcall function 005BE810: RegCloseKey.ADVAPI32(00000000), ref: 005BE881
Part of subcall function 005BE810: GetTickCount64.KERNEL32 ref: 005BE88E

Strings

global, xrefs: 0062553F
invalid stol argument, xrefs: 0062586A, 0062587E, 00625892
uiribbon.dll, xrefs: 006255E9
stol argument out of range, xrefs: 00625874, 00625888, 0062589C
darkmode, xrefs: 0062553A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ColorCount64Tick$CloseInfoOpenParametersSystem
String ID: darkmode$global$invalid stol argument$stol argument out of range$uiribbon.dll
API String ID: 763119031-2917169372
Opcode ID: fa3e658f072baab936ddd41bc0eba6416324d1738a3ad04ac135992c9aef35b0
Instruction ID: 5190554d5226efe0b839f039cd74a8c4c3363d463a5453fe85aad5a65a4fddc0
Opcode Fuzzy Hash: fa3e658f072baab936ddd41bc0eba6416324d1738a3ad04ac135992c9aef35b0
Instruction Fuzzy Hash: 74C1E171E00E65AFDF24DBA4E8467ECBBB6BF04300F044169E416AB381D774A944CFA2

Function 05353128 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0535318E
GetLastError.KERNEL32(00000001,?,?,0534CF01,?,?,?,0534B33B), ref: 0535321D
AnyPopup.USER32 ref: 053532BB
GetForegroundWindow.USER32(?,0534CF01,?,?,?,0534B33B), ref: 053532F8

Strings

CFGOptions, xrefs: 0535319E
Built-in PNG Codec, xrefs: 05353228
An invalid characteristics table was used., xrefs: 05353129
AslRegistryOpenKey failed [%x], xrefs: 05353143
Compressing this object would not save space., xrefs: 05353280

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogErrorForegroundLastPopupUnitsWindow
String ID: An invalid characteristics table was used.$AslRegistryOpenKey failed [%x]$Built-in PNG Codec$CFGOptions$Compressing this object would not save space.
API String ID: 2560853714-4095279174
Opcode ID: 019a504e0539eeaef248f70a8e490df8322b847b064f24dab10759615e13d379
Instruction ID: 95f0a2ed7063baf531867f3eb998f31502b87adc8f62e2bf167e4f6d76d2d382
Opcode Fuzzy Hash: 019a504e0539eeaef248f70a8e490df8322b847b064f24dab10759615e13d379
Instruction Fuzzy Hash: 6C51F1B59303518FD314CF39E88A665BFAAF745365FC8DA2EE841CF285EB7480458B81

Function 0534D82C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,82040462,?,0534886D), ref: 0534D8BC
GetLastActivePopup.USER32 ref: 0534D8F2
GetForegroundWindow.USER32(00000000,?,?,82040462,?,0534886D), ref: 0534D979
GetForegroundWindow.USER32(?,?,82040462,?,0534886D), ref: 0534D9B1
GetDesktopWindow.USER32 ref: 0534D9BD
GetSystemDefaultLangID.KERNEL32(?,?,82040462,?,0534886D), ref: 0534D9D7

Strings

AslRegistryOpenSubKey passed bad Path [%x], xrefs: 0534D82D
ExecuteOptions, xrefs: 0534D894, 0534D8F8
Waiter TCB, xrefs: 0534D97B

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Foreground$ActiveDefaultDesktopLangLastPopupSystem
String ID: AslRegistryOpenSubKey passed bad Path [%x]$ExecuteOptions$Waiter TCB
API String ID: 219059782-3912792277
Opcode ID: 183a804efcf22a60ece8d6825d77dcb2589f60118e05587a059e08edc8eb684b
Instruction ID: df3d80fc444e4da835a05329330e2961c953b59b92bcc71038eb5580eee5aca5
Opcode Fuzzy Hash: 183a804efcf22a60ece8d6825d77dcb2589f60118e05587a059e08edc8eb684b
Instruction Fuzzy Hash: AC4195789242818FD702CF79E5962253FEAF709308FA4C86EE446CF395EB75A0058F41

Function 0062F795 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0062FB6D

Strings

f, xrefs: 0062F8A7
p, xrefs: 0062F892
p, xrefs: 0062F8F4
p, xrefs: 0062F8AE
:, xrefs: 0062F860
f, xrefs: 0062F8ED
f, xrefs: 0062F88B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 97986b8538d5f89c871bdc3f9bcc664c2bcc637c3cfe150ad1ee66712ad1f84c
Instruction ID: ef5786e0b02db1b335d282a15998d570eeae1219fd26881e0f7f66ad7356ebc7
Opcode Fuzzy Hash: 97986b8538d5f89c871bdc3f9bcc664c2bcc637c3cfe150ad1ee66712ad1f84c
Instruction Fuzzy Hash: 4D02A079E00A28DADF208FA4E4556EEB777FF40B18F6081BAD8147B280D3309E858F15

Function 0062A190 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000001,0062AC22,failed create mapping), ref: 0062A194
CloseHandle.KERNEL32(00000000,?,00000001,0062AC22,failed create mapping), ref: 0062A1A4
CloseHandle.KERNEL32(?,?,00000001,0062AC22,failed create mapping), ref: 0062A1B3
SetLastError.KERNEL32(00000000,?,00000001,0062AC22,failed create mapping), ref: 0062A1BA

Strings

failed closing mapped file, xrefs: 0062A3A7

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: failed closing mapped file
API String ID: 918212764-752119354
Opcode ID: 3f3068f1d4a48dda2ad61b33639fb599dadc8a6c1ca34a73708273cf9c65037d
Instruction ID: 5f390c4548b57d24a712299c923c5c1a38c19f7052e37698072497bb23870797
Opcode Fuzzy Hash: 3f3068f1d4a48dda2ad61b33639fb599dadc8a6c1ca34a73708273cf9c65037d
Instruction Fuzzy Hash: 7D51CE71A00B189BDB14DFA4ED487AEBBB6AF44320F14470DE4629B7D1CBB59940CF51

Function 005B3580 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,open,?,00000000,00000000,00000005), ref: 005B364F
EndDialog.USER32(?,?), ref: 005B369B
GetDlgItem.USER32(?,00000415), ref: 005B36FA
SetDlgItemTextW.USER32(?,00000413,?), ref: 005B37AC
SetDlgItemTextW.USER32(?,00000414,2024-01-10), ref: 005B37BB

Strings

grepWinNP3 (x86) version %ld.%ld.%ld.%ld, xrefs: 005B377E
open, xrefs: 005B3647
2024-01-10, xrefs: 005B37AE

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$Text$DialogExecuteShell
String ID: 2024-01-10$grepWinNP3 (x86) version %ld.%ld.%ld.%ld$open
API String ID: 616644314-1604778358
Opcode ID: 47ea07c8655b00d8823660d59612146714fb5bca061210b608861ad5c5d91653
Instruction ID: 820dffb32f3187f9d321ee4c6650bc06ba55ba4c041fb0c8ce943d38e319083a
Opcode Fuzzy Hash: 47ea07c8655b00d8823660d59612146714fb5bca061210b608861ad5c5d91653
Instruction Fuzzy Hash: 6351C170A00619ABCB14DF64DC5AFEE7B66FF04710F004269F909AB2D2DB75AE50CB94

Function 05351A30 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 05351AE1
GetDesktopWindow.USER32 ref: 05351BC2
GetCurrentThread.KERNEL32 ref: 05351C14

Strings

MachinePreferredUILanguages, xrefs: 05351ADA, 05351B6D
SdbpGetProcessHostGuestArchitectures, xrefs: 05351AE7
AslRegistryBuildUserPath, xrefs: 05351B22, 05351BA8
Stack trace available at %p, xrefs: 05351AA6
/languagelevel where {pop languagelevel} {1} ifelse, xrefs: 05351A36

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDesktopHandleModuleThreadWindow
String ID: /languagelevel where {pop languagelevel} {1} ifelse$AslRegistryBuildUserPath$MachinePreferredUILanguages$SdbpGetProcessHostGuestArchitectures$Stack trace available at %p
API String ID: 2956977152-1075518002
Opcode ID: 78d0aa108afcaf39972b7b65c4b3cced1976a050dcc197e1dd392b5538e0a2f6
Instruction ID: df7b03e611b6dbcd8043dd0490b753405fe1884380ecd2e3160a18a3f9416c85
Opcode Fuzzy Hash: 78d0aa108afcaf39972b7b65c4b3cced1976a050dcc197e1dd392b5538e0a2f6
Instruction Fuzzy Hash: 6C51E079A242408FD715CF69E5A26627FEAF789318F94D1EEE9868F345EB344400CBC1

Function 0534D27C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0534D2D7
GetLastActivePopup.USER32 ref: 0534D337
GetSystemDefaultLangID.KERNEL32 ref: 0534D3A9
AnyPopup.USER32 ref: 0534D3BE
GetUserDefaultLangID.KERNEL32 ref: 0534D44A
GetUserDefaultLangID.KERNEL32 ref: 0534D46E
GetSystemDefaultLangID.KERNEL32 ref: 0534D48E

Strings

The device is pending further configuration., xrefs: 0534D27D, 0534D2C3, 0534D38F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLang$PopupSystemUser$ActiveDesktopLastWindow
String ID: The device is pending further configuration.
API String ID: 3968625898-3241136172
Opcode ID: 2fe72437b7429efc1ebcf8546daa7fead92596e54614641ed535c199fa4ce8f0
Instruction ID: 29a46000537cc7fe742d6a17ee15725c24ea8c83f199ab664da7d8e2a83bee4f
Opcode Fuzzy Hash: 2fe72437b7429efc1ebcf8546daa7fead92596e54614641ed535c199fa4ce8f0
Instruction Fuzzy Hash: 3F5166B59252008FDB06CF69E58B5567FEDF748348F84C9AEF08A8F241DF74A4608B91

Function 0534DDB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32(?,00000001,?,05348BA1), ref: 0534DE3E
GetWindowTextLengthW.USER32 ref: 0534DEA4
GetDesktopWindow.USER32 ref: 0534DEAB
GetModuleHandleW.KERNEL32(?,00000001,?,05348BA1), ref: 0534DEF5
GetLastError.KERNEL32(?,?,00000001,?,05348BA1), ref: 0534DF0B

Strings

An IKE policy cannot contain an Extended Mode policy., xrefs: 0534DE34
No device query callback specified, xrefs: 0534DEC1
Windows.Mobile, xrefs: 0534DDE3

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DesktopErrorHandleLargeLastLengthMinimumModulePageText
String ID: An IKE policy cannot contain an Extended Mode policy.$No device query callback specified$Windows.Mobile
API String ID: 1650162651-460382086
Opcode ID: 282f36f6ab139d39cd061f37782c1d0f50c70f72e15f4f3807b5b56940d6f4bd
Instruction ID: c97f3ce14a18e12af478d8c7c8acf2f21ef64652a08d391e1d06a39e150a27ee
Opcode Fuzzy Hash: 282f36f6ab139d39cd061f37782c1d0f50c70f72e15f4f3807b5b56940d6f4bd
Instruction Fuzzy Hash: DE4137B49202058BCB519F65A59AA257FEDF758308B90C62EE451CF708EB389059CF40

Function 005F46A0 Relevance: 13.6, APIs: 9, Instructions: 117fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000000,00000000,00000000,?,?,00000000), ref: 005F4702
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 005F4717
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?,00000000), ref: 005F472B
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 005F4738
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,00000000), ref: 005F474C
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 005F4760
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 005F4763
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 005F4767
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 005F476A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseHandle$File$Create$MappingSizeView
String ID:
API String ID: 506559639-0
Opcode ID: 0b3ed30dfc5412538e0dbf3b54f129d5275d06eb2eadaf26d7d73e92d7ca3a63
Instruction ID: f4df4821732ca61019b58806e90bafa4e6f379b898a2a81a36ce0830c64910fe
Opcode Fuzzy Hash: 0b3ed30dfc5412538e0dbf3b54f129d5275d06eb2eadaf26d7d73e92d7ca3a63
Instruction Fuzzy Hash: 43417C70A0071AEFD720DF64CC89B6ABBB8FB05720F204119F615AB6D0D774A910CFA4

Function 005B34B0 Relevance: 13.6, APIs: 9, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 005B34CD
BeginPaint.USER32(?,?), ref: 005B34E5

Part of subcall function 0059B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0059C04D,?,00000060), ref: 0059B549
Part of subcall function 0059B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0059B563
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0059B570
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0059B57E
Part of subcall function 0059B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0059B58C

MulDiv.KERNEL32(00000040,00000000), ref: 005B3503

Part of subcall function 0059B530: GetDC.USER32(00000000), ref: 0059B5AE
Part of subcall function 0059B530: GetDeviceCaps.GDI32(00000000,00000058), ref: 0059B5BD
Part of subcall function 0059B530: ReleaseDC.USER32(00000000,00000000), ref: 0059B5C9

MulDiv.KERNEL32(0000000C,00000000), ref: 005B3519
MulDiv.KERNEL32(0000000C,00000000), ref: 005B352F
GetSysColorBrush.USER32(0000000F), ref: 005B3535
DrawIconEx.USER32(00000060,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 005B354F
ReleaseDC.USER32(?,00000060), ref: 005B3557
EndPaint.USER32(?,?,?,00000060,?,00000060,?,00000060,?,00000060,?,?), ref: 005B3563

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$PaintRelease$BeginBrushCapsColorDeviceDrawHandleIconModule
String ID:
API String ID: 2460367397-0
Opcode ID: 83396d8a75f9acc59364b6b9fc97d60f7019b524be2ed4039d345a0f9a3e31ba
Instruction ID: cb2d7d28dcbce9c483207a7ff04ea8a37c78413d2f5f4a6b392d4d852c7b520b
Opcode Fuzzy Hash: 83396d8a75f9acc59364b6b9fc97d60f7019b524be2ed4039d345a0f9a3e31ba
Instruction Fuzzy Hash: 3911937164031DBFFB10A7B4AC0EF6F7BDEEB44B51F041125BA09D22D1EA64AD0086B5

Function 0062D9D6 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 0062DC03
CatchIt.LIBVCRUNTIME ref: 0062DC54
_UnwindNestedFrames.LIBCMT ref: 0062DD55
CallUnexpected.LIBVCRUNTIME ref: 0062DD70

Strings

csm, xrefs: 0062DA80
csm, xrefs: 0062DA13
csm, xrefs: 0062DB2C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 944608866-393685449
Opcode ID: 4a35cc4a5ea49ea3e62a9b742658f9b4ac56378fcae8f56de49fcb81901c0b42
Instruction ID: e37a69cb49d2a8cd8952c342d894281baec4cf8847c2ab47eb26955ec4c7c3f0
Opcode Fuzzy Hash: 4a35cc4a5ea49ea3e62a9b742658f9b4ac56378fcae8f56de49fcb81901c0b42
Instruction Fuzzy Hash: 06B19971900A29EFCF18DFA4E8819EEB7BAFF04311F14456AE8146B216D371EA51CF91

Function 00645B0F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00645D90, 00645D93

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: b9902383498c146190f1a47479901108ce3fc5a1f84d757560d40f40de17b3c6
Instruction ID: 8977c03bf1cc9e123503243fe2ed2b98d842f3f504512c9d985e24f278345b5a
Opcode Fuzzy Hash: b9902383498c146190f1a47479901108ce3fc5a1f84d757560d40f40de17b3c6
Instruction Fuzzy Hash: 8AB1F170E00649AFEB11DFE8C884BADBBB7BF49304F144158E5469B393C7709A42CBA5

Function 005D98B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,75C05540,00000000), ref: 005D98DC
QueryPerformanceFrequency.KERNEL32(00000000,?,75C05540,00000000), ref: 005D98E6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D990D
GetTickCount64.KERNEL32 ref: 005D9941
GetTickCount64.KERNEL32 ref: 005D99B1

Strings

%s : %lld ms, xrefs: 005D9A67
Software\grepWinNP3\DebugOutput, xrefs: 005D994F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Count64PerformanceQueryTick$CounterFrequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s : %lld ms$Software\grepWinNP3\DebugOutput
API String ID: 2281104147-2271610753
Opcode ID: f0b77e6dbe1914beb1af7eddf7860b672da7cb626254c58864bed43782d8a7e9
Instruction ID: 5425bd3fb3d86d3b7d284d072bdd37126fcc1739e153fccde683f912fe4507a9
Opcode Fuzzy Hash: f0b77e6dbe1914beb1af7eddf7860b672da7cb626254c58864bed43782d8a7e9
Instruction Fuzzy Hash: 23518DB19002499FDF24DFA8D895BEEBBB5FB44304F14861AE815AB381D7349944CFA1

Function 005A24F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A255B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005A25AA
__Getctype.LIBCPMT ref: 005A25C0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005A260A
std::_Lockit::~_Lockit.LIBCPMT ref: 005A26A2
__Getwctype.LIBCPMT ref: 005A26D8

Strings

bad locale name, xrefs: 005A26BD

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeGetwctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2702795554-1405518554
Opcode ID: 4bd083eae2c639e5abd7f249c5f4fa4e2867c4e2b71e6ca50d5e03aaf8b1a4eb
Instruction ID: 29e666a6f38715737f9e1ce9539252c90117e907180119faafea8823e9945c48
Opcode Fuzzy Hash: 4bd083eae2c639e5abd7f249c5f4fa4e2867c4e2b71e6ca50d5e03aaf8b1a4eb
Instruction Fuzzy Hash: AF516DB1D003589BEB50DFA8D845B9EBBB9BF15300F14816DE908AB341EB34D908CB96

Function 0534FDF4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0534FE36
GetWindowTextLengthW.USER32 ref: 0534FF0B

Strings

The same member index was specified more than once., xrefs: 0534FEC8
Operating System, xrefs: 0534FDF5
Win32 x86 emulation subsystem Floating-point stack check., xrefs: 0534FF6E
{Invalid Parameter}, xrefs: 0534FE42
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0534FE89, 0534FF11, 0534FF46

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$LengthShellText
String ID: Operating System$LdrpResSearchResourceInsideDirectory Enter$The same member index was specified more than once.$Win32 x86 emulation subsystem Floating-point stack check.${Invalid Parameter}
API String ID: 4278117263-4043220159
Opcode ID: edb486b12956fafd51e5d10debc3abe5b6ca68adc4aa5ba40b53c3a643c42d8c
Instruction ID: 0017501413b065a41e57eaa37d91bb8937e46e9bdc6a0fda22ed5d55aac3dfd2
Opcode Fuzzy Hash: edb486b12956fafd51e5d10debc3abe5b6ca68adc4aa5ba40b53c3a643c42d8c
Instruction Fuzzy Hash: 8F5148B49242418FD314CF28E5922617FE9F71634DF88D1AEE8868F346EA706441CF90

Function 0062D4E0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0062D517
___except_validate_context_record.LIBVCRUNTIME ref: 0062D51F
_ValidateLocalCookies.LIBCMT ref: 0062D5A8
__IsNonwritableInCurrentImage.LIBCMT ref: 0062D5D3
_ValidateLocalCookies.LIBCMT ref: 0062D628

Strings

09Z, xrefs: 0062D5EC
csm, xrefs: 0062D5BD

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 09Z$csm
API String ID: 1170836740-2073185448
Opcode ID: ef5b31ef96ef525d9927fe4b6456acede662fb4c1e253f0ebf041d04091062f4
Instruction ID: a272e876508eb1ec48d30ca24844b02ea92f1f1402d68064cbf901e85347146c
Opcode Fuzzy Hash: ef5b31ef96ef525d9927fe4b6456acede662fb4c1e253f0ebf041d04091062f4
Instruction Fuzzy Hash: 4E41D634A006289BCF10DF68D844A9E7BB7AF45328F148169F818AB392D771EA45CF95

Function 053476B8 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 108COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 05347770

Strings

LdrpCodeAuthzInitialize failed with status 0x%08lx, xrefs: 05347833
AslFileMappingGetFileKindDetail, xrefs: 0534781F
DaylightName, xrefs: 053477CC, 05347811
Allocating a data table entry for the executable failed, xrefs: 0534782B
The resource is owned exclusively by thread %p, xrefs: 053476DE
b+5sghCuTgLs2LpDuMG00CRzvBlcU2oDDNrm1FMrSmiHV7s0W+ogurH0ZtnOeQbMnH8kzF3bGH/4hLo6kn0JFv1X208aNZNbVOEEZwKP3NU/F/7D6+FhwHEs5ifoYPnJ3oqTX0KTlJY0pQDDKpnnZZNQUfKaedhfgw5bYlgxyqaNMPsYvat9XC1evsJIEqsdO/UepnIK1oGjnCjpx5xRMCWV9AbHkIwRKw2zUeoZB/zLa6772qyL/GlcgHtVITf7bl7p, xrefs: 05347867

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Allocating a data table entry for the executable failed$AslFileMappingGetFileKindDetail$DaylightName$LdrpCodeAuthzInitialize failed with status 0x%08lx$The resource is owned exclusively by thread %p$b+5sghCuTgLs2LpDuMG00CRzvBlcU2oDDNrm1FMrSmiHV7s0W+ogurH0ZtnOeQbMnH8kzF3bGH/4hLo6kn0JFv1X208aNZNbVOEEZwKP3NU/F/7D6+FhwHEs5ifoYPnJ3oqTX0KTlJY0pQDDKpnnZZNQUfKaedhfgw5bYlgxyqaNMPsYvat9XC1evsJIEqsdO/UepnIK1oGjnCjpx5xRMCWV9AbHkIwRKw2zUeoZB/zLa6772qyL/GlcgHtVITf7bl7p
API String ID: 768647712-1029917157
Opcode ID: 24e45345eb78b0cdfb857703469c2a2dd7f8eb227787145657ae0892112cb907
Instruction ID: 7615c5342dca9bedb1c822860aab7b42974ca2061a4e06b72631d2063651ba8a
Opcode Fuzzy Hash: 24e45345eb78b0cdfb857703469c2a2dd7f8eb227787145657ae0892112cb907
Instruction Fuzzy Hash: B24175749182988BCB148F79A4492EA3FF2FB55300F64C5ACEC8C9B341CA745949CFA1

Function 05350BA0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 05350BEA
GetUserDefaultLangID.KERNEL32(00000000,?,?,00000000,?,05347B52), ref: 05350C2E
GetTopWindow.USER32 ref: 05350C6A
GetLastActivePopup.USER32 ref: 05350C9C
GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,?,05347B52), ref: 05350CF3
GetDesktopWindow.USER32 ref: 05350D04

Strings

A context is already defined for this object., xrefs: 05350CD8

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ActiveDefaultDesktopHandleLangLastLengthModulePopupTextUser
String ID: A context is already defined for this object.
API String ID: 284326558-2900652361
Opcode ID: 83b1a6253cb7fd2b70f50f67c83097871aebce016f1e97ece9a9c7de0058c711
Instruction ID: a4731d95093724f9ca3d62034be40eb1f0566491790172c1e74270ef1a2dc314
Opcode Fuzzy Hash: 83b1a6253cb7fd2b70f50f67c83097871aebce016f1e97ece9a9c7de0058c711
Instruction Fuzzy Hash: DA415AB49202028BC704DF69E68AA653FE9F748318FA0D66EF852CF240EB399441CF55

Function 005F1DA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 107windowmemoryCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?), ref: 005F1DF1
LocalAlloc.KERNEL32(00000000,00000040,?,00000400,?), ref: 005F1E42
MessageBoxW.USER32(00000000,grepWinNP3,00000000,00000010), ref: 005F1E98
LocalFree.KERNEL32(00000000,?,00000400,?), ref: 005F1EC1

Strings

Unknown error 0x%0lX, xrefs: 005F1E7B
IDispatch error #%d, xrefs: 005F1E73
grepWinNP3, xrefs: 005F1E91

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: LocalMessage$AllocFormatFree
String ID: IDispatch error #%d$Unknown error 0x%0lX$grepWinNP3
API String ID: 59769524-447017682
Opcode ID: b655f1a5bc64b386b28decaae559a90d5ec3c77d55207bb1a3873389eec41fc6
Instruction ID: eda88b70f837994080476d25583e5e4e848be93c2ddddc300035757a18e7b757
Opcode Fuzzy Hash: b655f1a5bc64b386b28decaae559a90d5ec3c77d55207bb1a3873389eec41fc6
Instruction Fuzzy Hash: 2B31C074A0070ADBEB14DF54C84ABBFBBB9FF44704F10855DEE16A7280D7B969008A98

Function 05350670 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 053506A5
SetLastError.KERNEL32(?,?,?,?,05349A03), ref: 053506DF
GetThreadUILanguage.KERNEL32(00000000,?,?,?,?,05349A03), ref: 05350734
GetLastError.KERNEL32(?,?,?,?,05349A03), ref: 0535077C

Strings

/WhitePointY, xrefs: 05350671
Luminance, xrefs: 053506E5
windows seven, xrefs: 0535073F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast$BaseDialogLanguageThreadUnits
String ID: /WhitePointY$Luminance$windows seven
API String ID: 3268890622-1929846185
Opcode ID: 425eaaffb4401c3e41b4fe275f57288d00809c3b135d951afd45af425f0f620e
Instruction ID: f2243ba61cb9da25f387d6b948306fe95fc4a996eed81194ab4062607b1d2c35
Opcode Fuzzy Hash: 425eaaffb4401c3e41b4fe275f57288d00809c3b135d951afd45af425f0f620e
Instruction Fuzzy Hash: 06318DB8A242418FC708DF69E69A9157FFAFB84348B94C46EF8068F744EFB594058B50

Function 0534F498 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000003,?,?,0534B508), ref: 0534F4B6
GetTickCount.KERNEL32 ref: 0534F4DB
GetLastError.KERNEL32(?,?,?,0534B508), ref: 0534F534
GetLastActivePopup.USER32 ref: 0534F5BB

Strings

The type UUID has already been registered., xrefs: 0534F588
There is not enough power to complete the requested operation., xrefs: 0534F4E6
The Directory Service is shutting down., xrefs: 0534F53A

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$Error$ActiveCountPopupTick
String ID: The Directory Service is shutting down.$The type UUID has already been registered.$There is not enough power to complete the requested operation.
API String ID: 815136527-3840197208
Opcode ID: 85e543b4b20c2fed00d503c71191d4896da4c2e26271a2e90dc270339981dd3e
Instruction ID: de8197647ee348dd5812b249c5aaf4f3a66174dc51b916c7dcc77fa5bb4844ab
Opcode Fuzzy Hash: 85e543b4b20c2fed00d503c71191d4896da4c2e26271a2e90dc270339981dd3e
Instruction Fuzzy Hash: D831BCB59352528FD304CFA8E5AA5517FEDF789348FA480AFF9958F340EB7850058B80

Function 0534FB34 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0534FB79
GetWindowTextLengthW.USER32(00000000), ref: 0534FBC7
GetShellWindow.USER32 ref: 0534FBDD
SetLastError.KERNEL32 ref: 0534FC37
GetUserDefaultLangID.KERNEL32 ref: 0534FC3E
GetForegroundWindow.USER32 ref: 0534FC5F

Strings

,fiWymsJEXztn8kHA9xx5OCWQKcoq4y+YMm7zZyi7gEU=0Z, xrefs: 0534FB6D

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DefaultErrorForegroundLangLastLengthShellTextUserlstrlen
String ID: ,fiWymsJEXztn8kHA9xx5OCWQKcoq4y+YMm7zZyi7gEU=0Z
API String ID: 4116212751-1031629053
Opcode ID: 3f0f14ecb6344425644355b68248b7ffa5507902b750342d0ffac8efa186db80
Instruction ID: 8c26a36057c2d9c7cf1d754018552b64a3d53f3da7bc76364be9cb0da4ff41ed
Opcode Fuzzy Hash: 3f0f14ecb6344425644355b68248b7ffa5507902b750342d0ffac8efa186db80
Instruction Fuzzy Hash: E0310FB5A242428FC709DF68E88B61A7FADF794308B90C66EF405CF258EB3490458B90

Function 05351FE4 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0535200C
GetSystemDefaultLangID.KERNEL32 ref: 05352031
GetOEMCP.KERNEL32 ref: 05352072

Strings

AslpFileQuery16BitModuleName, xrefs: 05352053
AslFileMappingGetImageTypeEx failed [%x], xrefs: 05352012
This stream is not DAX mappable., xrefs: 05352037
Driver %2 has been blocked from loading., xrefs: 05351FE5, 05351FFB

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDefaultDialogLangSystemUnits
String ID: AslFileMappingGetImageTypeEx failed [%x]$AslpFileQuery16BitModuleName$Driver %2 has been blocked from loading.$This stream is not DAX mappable.
API String ID: 3966756997-4087607733
Opcode ID: 57cf9feeab295cd02d6352cce33d6e6f7dcce9a6a886ba763c648d310710971c
Instruction ID: a00aa8b57aa3a1684f5a27987fa55fdd5ab1d9bf220fa9b60c0ebf82df139f0e
Opcode Fuzzy Hash: 57cf9feeab295cd02d6352cce33d6e6f7dcce9a6a886ba763c648d310710971c
Instruction Fuzzy Hash: 2A01242C6050864BDB141A24C074A7BBB67FB95361F94E169FE878F788E964C883D361

Function 0534F108 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0534F12D
GetTickCount.KERNEL32 ref: 0534F133
lstrlenW.KERNEL32(?,?,?,?,?,05346694,?,?,?,?,?,?,?,?,0534B8C7), ref: 0534F16D

Strings

A consistency check failed., xrefs: 0534F139
{Kernel Debugger Awakened}, xrefs: 0534F14A
/chrominance, xrefs: 0534F109
Error reading tag, xrefs: 0534F166

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountShellTickWindowlstrlen
String ID: /chrominance$A consistency check failed.$Error reading tag${Kernel Debugger Awakened}
API String ID: 2562418233-4088426988
Opcode ID: 23131de0892d99e7cde81203a8a1e24468c44cbcb82651e4294624847c2b804c
Instruction ID: 62e4d131af883ebe74fc70e7ea6a6e0836123b379de565c93889ebc08f53a0ff
Opcode Fuzzy Hash: 23131de0892d99e7cde81203a8a1e24468c44cbcb82651e4294624847c2b804c
Instruction Fuzzy Hash: 08F02B6C6040568BD7105F25C46923A7BE5FB46700F88C058E4C38F388EA709846CF52

Function 053525EC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 25stringthreadwindowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 053525F9
GetCurrentThread.KERNEL32 ref: 05352600
lstrlenW.KERNEL32 ref: 0535262C
GetMessageTime.USER32 ref: 05352633
GetSystemDefaultLangID.KERNEL32 ref: 05352639

Strings

Indicates that the specified image is already loaded., xrefs: 05352625
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed 0x%x, xrefs: 05352606

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDefaultLangLengthMessageSystemTextThreadTimeWindowlstrlen
String ID: Indicates that the specified image is already loaded.$WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed 0x%x
API String ID: 3973347586-578630763
Opcode ID: 0ee49e0abfeb9e48b538ece9748f6722acdff2cb4f5cc0530acbcb3f1b06dcdc
Instruction ID: 9a304824dc50759f48413492dda9813f7f26606efc7233d338a8c4058a3df397
Opcode Fuzzy Hash: 0ee49e0abfeb9e48b538ece9748f6722acdff2cb4f5cc0530acbcb3f1b06dcdc
Instruction Fuzzy Hash: 30E0397C8182168BD7002FA5D85E52A3FBCBB45305F81C81CF9CA8B284DE78884D9B61

Function 005BE9F0 Relevance: 12.2, APIs: 8, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62b65871c8a8d6ecf518f0fbbce8e7992b657092244c5a54bb64806a31c1f49
Instruction ID: 1b46f98169c2256231b3d193b2ad56f63998f2bbb4174c8f38567e65aa17fdef
Opcode Fuzzy Hash: d62b65871c8a8d6ecf518f0fbbce8e7992b657092244c5a54bb64806a31c1f49
Instruction Fuzzy Hash: 0F61D571600215ABCB14EF64DC96FAE7BA9FF44300F044569FD06EB292DB35AD10CBA4

Function 006245E0 Relevance: 12.1, APIs: 8, Instructions: 86windowCOMMON

Download Yara Rule

APIs

#412.COMCTL32(?,006245E0,000004D2), ref: 00624610
#413.COMCTL32(?,?,?,?), ref: 0062461E
SendMessageW.USER32(?,00001073,?,?), ref: 00624676
SetBkColor.GDI32(?,00202020), ref: 0062468F
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 006246A7
SetTextColor.GDI32(?,00DDDDDD), ref: 006246B5
SetBkMode.GDI32(?,00000001), ref: 006246BE
DrawTextW.USER32(?,?,000000FF,?,00008824), ref: 006246D6

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Text$Color$#412#413DrawMessageModeSend
String ID:
API String ID: 1438310018-0
Opcode ID: 996aec572c765f2308ca187e436005bf55563bdf739a4f9a6227b7df418759d2
Instruction ID: de96a0dda80ba92e489040022713d25c74933c08585a6d3ddc9a7985fe31224f
Opcode Fuzzy Hash: 996aec572c765f2308ca187e436005bf55563bdf739a4f9a6227b7df418759d2
Instruction Fuzzy Hash: 43316B32204715EBD710CF64EC49F9ABBAAFF49711F00061AF950A26D0D7B0A958CBE6

Function 00623550 Relevance: 12.1, APIs: 8, Instructions: 52windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00623579
GetObjectW.GDI32(00000000,?,?), ref: 00623580
lstrcpynW.KERNEL32 ref: 006235A1
CreateFontIndirectW.GDI32(?), ref: 006235AC
GetDC.USER32(?), ref: 006235B5
SetBkMode.GDI32(00000000,00000002), ref: 006235C0
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006235CC
ReleaseDC.USER32(?,00000000), ref: 006235D4

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectModeObjectReleaselstrcpyn
String ID:
API String ID: 3096525694-0
Opcode ID: e92979676d07262712528e0bfdba3434d62d64ae5798eaf1778af48650817134
Instruction ID: 34be929ec9f2ad7318b7b70c41c7c4e69957c392485d6f1ab6d1a43a6912dd23
Opcode Fuzzy Hash: e92979676d07262712528e0bfdba3434d62d64ae5798eaf1778af48650817134
Instruction Fuzzy Hash: BE011731144304FBE720EB60AC4DF9B7BEDEB88B62F041919F705961E1D674AA088B76

Function 00642806 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0064288C

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 418969ae6e46c0b55661fc9f540cf272c5e0b5a421fbc640b1c478988cf86484
Instruction ID: 5d8248e52ff8d1ea105e8c3f2b1d7ef3c4d512fc97adc50c89cdef89ec17b96a
Opcode Fuzzy Hash: 418969ae6e46c0b55661fc9f540cf272c5e0b5a421fbc640b1c478988cf86484
Instruction Fuzzy Hash: 9DB14572A00356AFDB228F64CCA2BEE7BA7EF15310F644155FD44AB382D3749941C7A4

Function 005A8AF0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 203windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 005A8B1A
GetMenuItemInfoW.USER32(?,00000000,00000400,?), ref: 005A8B9B
GetMenuItemInfoW.USER32(?,00000000,00000400,00000030), ref: 005A8C0D

Part of subcall function 005A8AF0: SetMenuItemInfoW.USER32(?,?,00000400,00000030), ref: 005A8D32

Strings

@, xrefs: 005A8D0C
0, xrefs: 005A8B80

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ItemMenu$Info$Count
String ID: 0$@
API String ID: 4286743509-1545510068
Opcode ID: 190ae65d6761a524f64e97c714d999d9a4051b6d986fdbb88537d3bb349796c1
Instruction ID: e339300eb7bac5417d1155c32b81471303709321f551218e2c513e5f0848bdc8
Opcode Fuzzy Hash: 190ae65d6761a524f64e97c714d999d9a4051b6d986fdbb88537d3bb349796c1
Instruction Fuzzy Hash: BC716AB1D00219ABDB10DF98D988BAEBBF9FF05310F244159E519AB281DB346A05CFA0

Function 005A74B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A7518
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005A7564
__Getctype.LIBCPMT ref: 005A757A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005A75A6
std::_Lockit::~_Lockit.LIBCPMT ref: 005A763B

Strings

bad locale name, xrefs: 005A7656

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7da29a8f4b3f093ebfe1056ef62749dc31761c0cc730dede91b9da72bc575ffb
Instruction ID: 826d730443d44f55ff0c057e339a10974be2f32ab71205871c214c3c218a5d52
Opcode Fuzzy Hash: 7da29a8f4b3f093ebfe1056ef62749dc31761c0cc730dede91b9da72bc575ffb
Instruction Fuzzy Hash: 975170B1D042189BDF50DF99D845B9EBBF9BF19300F188069E909AB341E734DA08CB95

Function 05352778 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 053527C3
GetTickCount.KERNEL32 ref: 0535284C
GetLastError.KERNEL32(?,?,?,05349C2F), ref: 053528AA
GetLastActivePopup.USER32 ref: 05352941

Strings

AslFileMappingEnsureMappedAs failed [%x], xrefs: 053527D8
WER/CrashAPI:%u: ERROR Final gather block size exceeds limit, xrefs: 05352858, 053528B0

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveBaseCountDialogErrorPopupTickUnits
String ID: AslFileMappingEnsureMappedAs failed [%x]$WER/CrashAPI:%u: ERROR Final gather block size exceeds limit
API String ID: 3113536026-921639215
Opcode ID: 890476a3687a482ee00cd650dfdd13c1af5b612f2817ec0b7770a73cc7dda808
Instruction ID: 9a31dee7fbd9006dc64761909d2a45301774d51519e199c27c80bb780ce197cb
Opcode Fuzzy Hash: 890476a3687a482ee00cd650dfdd13c1af5b612f2817ec0b7770a73cc7dda808
Instruction Fuzzy Hash: E451ADB89352018FC706CF78E48AA527FAAF344318F95EA9EF846CF215DB748045CB51

Function 00625F00 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GdipResetPath.GDIPLUS ref: 00625F38
GdipStartPathFigure.GDIPLUS ref: 00625F49
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005), ref: 00625F77
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005), ref: 00625FBD
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005,00000005,00000005), ref: 00625FF8
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005,00000005,00000005,00000005,00000005), ref: 00626027
GdipClosePathFigure.GDIPLUS(?,?,?,?,00000005,00000005,00000005,00000005,00000005,00000005,00000005,00000005), ref: 00626035

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: GdipPath$Figure$CloseResetStart
String ID:
API String ID: 2226062657-0
Opcode ID: 61129bd583e9a830da4d432a45bc68504dc46f0c17125d48671058c38ec4c9fc
Instruction ID: 43985a5befe7a67b45afd0341382619209c71fbb8978de4b34e4bbab9a8ec0c2
Opcode Fuzzy Hash: 61129bd583e9a830da4d432a45bc68504dc46f0c17125d48671058c38ec4c9fc
Instruction Fuzzy Hash: D0412831204601EFCB219F29EE4896ABFF6FB85701F04896DF895D6264E731C924DF62

Function 0534F6D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,?,05348DEC,00000000), ref: 0534F71A
GetLargePageMinimum.KERNEL32(?,?,?,05348DEC,00000000), ref: 0534F731
GetTopWindow.USER32 ref: 0534F7B3

Strings

No security context is available to allow impersonation., xrefs: 0534F7EF, 0534F80E
The object does not exist., xrefs: 0534F7B9
Xbox One X, xrefs: 0534F6D1, 0534F720, 0534F73D

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLargeMinimumPageUserWindow
String ID: No security context is available to allow impersonation.$The object does not exist.$Xbox One X
API String ID: 330300774-3044702618
Opcode ID: 56baa20c2ab6919b382a4f4facd1d851bc905f893ba87e62978a965d1cd0652e
Instruction ID: c6831bce8fe2cfefd711d0aa9944628e18318eb3770d6cab7792120a5c02d076
Opcode Fuzzy Hash: 56baa20c2ab6919b382a4f4facd1d851bc905f893ba87e62978a965d1cd0652e
Instruction Fuzzy Hash: A541A0799201428FD754CF29D86616A3FE9F756388BD8C61EF492CF744EA78D4828F10

Function 0534EF68 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32 ref: 0534EF82
GetParent.USER32 ref: 0534EFE5
GetOEMCP.KERNEL32 ref: 0534F075

Strings

Calling KernelbasePostInit failed with status 0x%08lx, xrefs: 0534F02E, 0534F0A6
The system file %1 has become corrupt and has been replaced., xrefs: 0534EFEB
Failed to get the string from the database, xrefs: 0534F07B

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LargeMinimumPageParent
String ID: Calling KernelbasePostInit failed with status 0x%08lx$Failed to get the string from the database$The system file %1 has become corrupt and has been replaced.
API String ID: 1858583498-2516440567
Opcode ID: 66f9e8671b6cf2af1b56e78d17e5b48bdc636ca2a674374ff2caee64414224f3
Instruction ID: 0e73e744f58a33fddd493d1b96d742a851bd370e7c8d44f3b172accb1bf4cc9c
Opcode Fuzzy Hash: 66f9e8671b6cf2af1b56e78d17e5b48bdc636ca2a674374ff2caee64414224f3
Instruction Fuzzy Hash: E7417C749222428FD714CF38E6566367FEEEB84308F98C49EF4468F345EE7594458B90

Function 0534D4C4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 0534D4EB
GetOEMCP.KERNEL32 ref: 0534D536
GetUserDefaultLangID.KERNEL32 ref: 0534D580

Strings

Extended error information is available., xrefs: 0534D4C5
NtQueryInformationFile failed [%x], xrefs: 0534D5E8
OptionValue, xrefs: 0534D53C

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Extended error information is available.$NtQueryInformationFile failed [%x]$OptionValue
API String ID: 768647712-457629104
Opcode ID: bf187b41569b91a197f06d99ac1d56342495e8eef6a066cc62203550a2f68bc5
Instruction ID: 2b03d0d1d6eefb17a33305470f3a83946ed7b864338b479e4f4e88796b79f986
Opcode Fuzzy Hash: bf187b41569b91a197f06d99ac1d56342495e8eef6a066cc62203550a2f68bc5
Instruction Fuzzy Hash: 21318A709342458EDB05CF25A55A2217FEEF38A30CF94D65EE0928F2A8DF7494528F40

Function 0534F9B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0534FA03
GetTickCount.KERNEL32 ref: 0534FA48
GetWindowTextLengthW.USER32 ref: 0534FA8A

Strings

An invalid region for the target was specified, xrefs: 0534F9B1
image/x-wmf, xrefs: 0534FA0E
SdbUnpackQueryResult, xrefs: 0534FA90

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountLengthParentTextTickWindow
String ID: An invalid region for the target was specified$SdbUnpackQueryResult$image/x-wmf
API String ID: 3915914195-847515522
Opcode ID: aa9e2519525b0846736800594384596d597e0ae7278cf2b2a19b0053db864e44
Instruction ID: f5c916f4e9ad5e755fc12c8c5038e2203ee9fe3c3b3761599c65c6d226d261f0
Opcode Fuzzy Hash: aa9e2519525b0846736800594384596d597e0ae7278cf2b2a19b0053db864e44
Instruction Fuzzy Hash: 8031C1B4A252429FC709CF28E896615BFEDF789308F98C42EE442CF354EA7494918F84

Function 0534DA00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(0000000B,00000000,?,0534A70D), ref: 0534DA12
GetOEMCP.KERNEL32(?,0534A70D), ref: 0534DA58
GetLastActivePopup.USER32 ref: 0534DA94
GetTopWindow.USER32 ref: 0534DABB

Strings

AeGetPersistedLocation failed [%#x], xrefs: 0534DA0A
OnUILanguageAdd, xrefs: 0534DA5E

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveDefaultLangLastPopupUserWindow
String ID: AeGetPersistedLocation failed [%#x]$OnUILanguageAdd
API String ID: 2912674099-3659897179
Opcode ID: 3c8b799e03032ab252ccb03f2d060ca26a26873b8640f5e0a608818f730e95f3
Instruction ID: 6cabf5601fa2ababc1c3b657ca114cf36b69ae60143206ad2b42884eb348dbe6
Opcode Fuzzy Hash: 3c8b799e03032ab252ccb03f2d060ca26a26873b8640f5e0a608818f730e95f3
Instruction Fuzzy Hash: EF31A2B5D202019FE308DF6AE5871527FEEF748314F98C4AEF655CF244EA7094428B91

Function 00646077 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,713211A9,?,00646186,?,?,00000000,?), ref: 00646138

Strings

ext-ms-, xrefs: 006460E2
api-ms-, xrefs: 006460CE

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b66681f758bd901fa1bc41f3ef5c5119bf2a2e214a4f288c6cb5b73ba12ade74
Instruction ID: b998302cb3530aa439bbe3ef49ff9e17e08bff3dd6b991e2b6f04a53822b85c5
Opcode Fuzzy Hash: b66681f758bd901fa1bc41f3ef5c5119bf2a2e214a4f288c6cb5b73ba12ade74
Instruction Fuzzy Hash: 9C212431A01311ABCB21DB28EC80ADA776BAF53775F211110F816A73D2DB30EE01C6E2

Function 0534D648 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0534D6B5
GetUserDefaultLangID.KERNEL32(00000000), ref: 0534D6E4
GetForegroundWindow.USER32 ref: 0534D714

Strings

The user/kernel marshalling buffer has overflowed., xrefs: 0534D71F
Nirmala UI, xrefs: 0534D649
TPM 1.2: Unacceptable encryption scheme., xrefs: 0534D670

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultForegroundLangParentUserWindow
String ID: Nirmala UI$TPM 1.2: Unacceptable encryption scheme.$The user/kernel marshalling buffer has overflowed.
API String ID: 2007750773-339840602
Opcode ID: 630ddb319a1af20d5ed73e8ed2bce56506a53df1c1e9ff06a5ca988a3d23e0fd
Instruction ID: d2b142089f3615cfd8c32397c27ef4f41df6f09fe4eda5478e3b055f5714dfdc
Opcode Fuzzy Hash: 630ddb319a1af20d5ed73e8ed2bce56506a53df1c1e9ff06a5ca988a3d23e0fd
Instruction Fuzzy Hash: 0D21E1A5E242508BD3148F74E89A6263FA9F751308F84C86EE606CF394EB79D8408F90

Function 0535225C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72windowtimethreadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 05352291
GetLastActivePopup.USER32 ref: 053522CE
GetMessageTime.USER32 ref: 053522FD
GetWindowTextLengthA.USER32 ref: 05352345
GetCurrentThread.KERNEL32 ref: 05352389

Strings

The TDI indication has completed successfully., xrefs: 0535225D

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseCurrentDialogLastLengthMessagePopupTextThreadTimeUnitsWindow
String ID: The TDI indication has completed successfully.
API String ID: 206609152-2274360702
Opcode ID: 8f66afa59945de3ec6884aba3a3d1c91ae8c79df53b633127fe5d0f00456dcea
Instruction ID: 2647e73b9a7506050eab5782632239b11a98a0855a96bdd1bf819b5d0507ff4f
Opcode Fuzzy Hash: 8f66afa59945de3ec6884aba3a3d1c91ae8c79df53b633127fe5d0f00456dcea
Instruction Fuzzy Hash: 663112B89242018FC750DF6AE88A5027FEDF748308B94DA6EF549CF214EB7490568FA0

Function 05352084 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32 ref: 05352096
GetLastActivePopup.USER32 ref: 053520B8
GetModuleHandleW.KERNEL32 ref: 053520D2
GetDialogBaseUnits.USER32 ref: 05352137
GetWindowTextLengthW.USER32 ref: 05352150

Strings

AslEnvGetSysNativeDirPathForGuestBuf, xrefs: 053520CB

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseDialogHandleLastLengthModulePopupTextUnitsWindow
String ID: AslEnvGetSysNativeDirPathForGuestBuf
API String ID: 1122648610-2648611450
Opcode ID: 9e9d9550bc92d9f722ae027ca451e434de48432238079225d624b6c50e709207
Instruction ID: e6752c10320ad22340ee6186bd28c5ab971fdb46414230ef49baf3f9ea918a8e
Opcode Fuzzy Hash: 9e9d9550bc92d9f722ae027ca451e434de48432238079225d624b6c50e709207
Instruction Fuzzy Hash: 9721F578A141819BCB009F69D88DA6B7FBEFB45754F14802AF9828F340DA798846CB61

Function 0534DB3C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 0534DC0B
GetModuleHandleW.KERNEL32(00000000), ref: 0534DC19

Strings

The RPC call completed before all pipes were processed., xrefs: 0534DB3D
AslPathIsTemporaryDirectory, xrefs: 0534DC12
0123456789abcdef, xrefs: 0534DBCB
{Verifying Disk}, xrefs: 0534DB64

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleLengthModuleTextWindow
String ID: 0123456789abcdef$AslPathIsTemporaryDirectory$The RPC call completed before all pipes were processed.${Verifying Disk}
API String ID: 3424440608-2488994354
Opcode ID: 62823ca0657621a289f8ae4e9b980334c83aa6718c22b823c4b708a2cb06292c
Instruction ID: 51b78092d3f796db97ef9de4a8d96589683954b1b417d0c09195f69509142c26
Opcode Fuzzy Hash: 62823ca0657621a289f8ae4e9b980334c83aa6718c22b823c4b708a2cb06292c
Instruction Fuzzy Hash: A8215B74A202418BC715CF79D4D92267FEEF796308F54C46ED142CF38AEA71A4858B91

Function 005B5700 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 005B5747
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005B5769
SetEndOfFile.KERNEL32(?), ref: 005B5772
FlushFileBuffers.KERNEL32(?, )f,?), ref: 005B5799
CloseHandle.KERNEL32(00000000), ref: 005B57A0

Strings

)f, xrefs: 005B577B, 005B5785

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: File$BuffersCloseCreateFlushHandlePointer
String ID: )f
API String ID: 3397818590-664519796
Opcode ID: 69ab14aa108f250d5d200bc173f62dfb88195f7fe30551a727772545a7d3ec65
Instruction ID: 60bdb474c73fa924a607288f8df2445bf740caf15e16c635e326ae35262db6d4
Opcode Fuzzy Hash: 69ab14aa108f250d5d200bc173f62dfb88195f7fe30551a727772545a7d3ec65
Instruction Fuzzy Hash: A221B471A40B15EBDB21DF58DC05FAEBBB9FB45B21F10421AF911A73D0DBB4690087A0

Function 005DC250 Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 005DC263
GetDCEx.USER32(?,?,00000081), ref: 005DC272
GetWindowRect.USER32(?,?), ref: 005DC292
MapWindowPoints.USER32(00000000,?,00000081,00000002), ref: 005DC2A2
SetBkColor.GDI32(00000000,000000FF), ref: 005DC2AE
ExtTextOutW.GDI32(00000000,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 005DC2C6
ReleaseDC.USER32(?,00000000), ref: 005DC2CE

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$ColorPointsRectReleaseText
String ID:
API String ID: 288212811-0
Opcode ID: cdd7a2021cc3e88a03639213cb982c4aed34438b2e291f789e791e2b7f5b01d6
Instruction ID: 827535fd25e578805bc7f7725eb7f06745080c5ee988b8b848db6e9c0f178bd9
Opcode Fuzzy Hash: cdd7a2021cc3e88a03639213cb982c4aed34438b2e291f789e791e2b7f5b01d6
Instruction Fuzzy Hash: 71018031544301BBE310DB649C0AFAB3BECEB89B12F00852AF645D51C0DBB0590287B6

Function 05350240 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 053502B1
GetLastActivePopup.USER32(00000000), ref: 053502CC

Strings

Checking file system on %wZ, xrefs: 05350295
Windows, xrefs: 05350241
TimeZoneKeyName, xrefs: 0535025B
The log file has changed between reads., xrefs: 05350277

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveHandleLastModulePopup
String ID: Windows$Checking file system on %wZ$The log file has changed between reads.$TimeZoneKeyName
API String ID: 4230660008-443829936
Opcode ID: aae719fe242e586da623845c11a70b154438ca9c7d3368b74d105c6fff7af215
Instruction ID: ee40c9f2f5c1b46c6b92d69de6b79818aa97d9cdd2fd2c5abc755f945fcf664c
Opcode Fuzzy Hash: aae719fe242e586da623845c11a70b154438ca9c7d3368b74d105c6fff7af215
Instruction Fuzzy Hash: 4801F9B8A142458BCB159F68C09D9A9BFF9FB45304F9484ADE987CF344EB75D8028710

Function 0063C849 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,713211A9,00000101,?,00000000,0065809B,000000FF,?,0063C825,?,?,0063C7F9,00000101), ref: 0063C87E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0063C890
FreeLibrary.KERNEL32(00000000,?,00000000,0065809B,000000FF,?,0063C825,?,?,0063C7F9,00000101), ref: 0063C8B2

Strings

09Z, xrefs: 0063C8A1
CorExitProcess, xrefs: 0063C888
mscoree.dll, xrefs: 0063C877

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 09Z$CorExitProcess$mscoree.dll
API String ID: 4061214504-1248854793
Opcode ID: a4f2fd5c958800f291facdd4a5d11636388888ade1559081788b86eea08a6a14
Instruction ID: c292f5cc74351fc65b20f4570611df1fefa31e6adc4ef0b9bf308db81f2826ea
Opcode Fuzzy Hash: a4f2fd5c958800f291facdd4a5d11636388888ade1559081788b86eea08a6a14
Instruction Fuzzy Hash: FC01A235954725EFDB018F54CC49BEEBBBAFB44B22F000625F812A26E0DB759A04CB90

Function 05350344 Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 05350361
GetOEMCP.KERNEL32 ref: 0535036F
GetForegroundWindow.USER32 ref: 0535037B
GetSystemDefaultLangID.KERNEL32 ref: 05350394
GetUserDefaultLangID.KERNEL32 ref: 053503AB
GetTopWindow.USER32 ref: 053503B4
GetForegroundWindow.USER32(00000000), ref: 053503C1

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangWindow$ForegroundUser$System
String ID:
API String ID: 3104731404-0
Opcode ID: 10c16ff7031b4ab5fa36ffb4de25b6bfd906242386d4978fafc7a348eab4d242
Instruction ID: 1f540bdf81d96487677a358504310277db45b18d4e99b29405c83459dbc576ab
Opcode Fuzzy Hash: 10c16ff7031b4ab5fa36ffb4de25b6bfd906242386d4978fafc7a348eab4d242
Instruction Fuzzy Hash: 21012C759202099BCB00AF69FD8A4467FBCEB55318B80846EF904DB200EE75990A8FA1

Function 0535050C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0535051F
GetCurrentThreadId.KERNEL32 ref: 05350531
GetDesktopWindow.USER32 ref: 0535055D
GetLastError.KERNEL32(?,053473AB), ref: 05350574

Strings

The validation process needs to continue on to the next step., xrefs: 05350563
The cluster node is already down., xrefs: 05350537

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDesktopDialogErrorLastThreadUnitsWindow
String ID: The cluster node is already down.$The validation process needs to continue on to the next step.
API String ID: 504704107-3347549321
Opcode ID: 447ac476318a5031e96a544eedcb3de07d22391afbe6de0b33a12f204e1b4f76
Instruction ID: 8d7de18a7d32662ad9cd97bfdf28eaeb2d0365043aa0232596182be352b7230f
Opcode Fuzzy Hash: 447ac476318a5031e96a544eedcb3de07d22391afbe6de0b33a12f204e1b4f76
Instruction Fuzzy Hash: B3F02DB4514205CFD7158FB9D8D96567F6CEB01358B60D42EE8458F305D97184498790

Function 0063BFAF Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0063C137
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063C153
__allrem.LIBCMT ref: 0063C16A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063C188
__allrem.LIBCMT ref: 0063C19F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063C1BD

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ed0b14b891f1ca67b06fcb8e2644b0cd8ea197fc79ddaf6f00705ef0a89ee138
Instruction ID: 9416a9a7cbaaff27524384329d3936720916851420240a8584d0e4d9e74655b8
Opcode Fuzzy Hash: ed0b14b891f1ca67b06fcb8e2644b0cd8ea197fc79ddaf6f00705ef0a89ee138
Instruction Fuzzy Hash: 8781E372A007069BE724AE68DC41BABB3EBAF45774F24412EF411E7781E770DA049BD4

Function 005A2420 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005A24E4
std::_Lockit::_Lockit.LIBCPMT ref: 005A255B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005A25AA
__Getctype.LIBCPMT ref: 005A25C0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005A260A
std::_Lockit::~_Lockit.LIBCPMT ref: 005A26A2
__Getwctype.LIBCPMT ref: 005A26D8

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskGetctypeGetwctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 606201873-0
Opcode ID: 973d37ccb8a547f72706dfa7ea7c9b82e33bb266ed7b9d5bbea4513076f8dfe4
Instruction ID: 118b8f94b3f8b27f132ceac957ad4f354bfbf88e8d6f9aa606dd251ac2ad1196
Opcode Fuzzy Hash: 973d37ccb8a547f72706dfa7ea7c9b82e33bb266ed7b9d5bbea4513076f8dfe4
Instruction Fuzzy Hash: 597181B19003199BEB50DFA8D845B9EBBF9BF05304F14416DE9089B341EB75D908CB92

Function 005AE100 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

%s%d, xrefs: 005AE1AC
%s\%s%d, xrefs: 005AE217, 005AE3CF, 005AE4E5

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: %s%d$%s\%s%d
API String ID: 0-3353845208
Opcode ID: b55674494c71ac029d1363086ef4c7fdcc70c2a4ec0ad2192b29b95c2851572d
Instruction ID: 1653247752789e861424ef4fe63d876b509fb65c809c03b5eda3021795df701b
Opcode Fuzzy Hash: b55674494c71ac029d1363086ef4c7fdcc70c2a4ec0ad2192b29b95c2851572d
Instruction Fuzzy Hash: E5126C71800219EFDF24DF64C956BEDBBB9FF15304F404559E90A97681E730AA98CFA0

Function 006286B5 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,00000000,?,00662189,?,?,bad locale name), ref: 006286FE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00628769
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00628786
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006287C5
LCMapStringEx.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00628824
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00628847

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 5d6083a1f41669bc6826d90c87f16aecb543f48fca4f2a7f7f1d8deb3211ce0d
Instruction ID: 5c424992df4e10ef296ee2d2f1a4b6c3a0b71b80941d34157050f8ea8df0e267
Opcode Fuzzy Hash: 5d6083a1f41669bc6826d90c87f16aecb543f48fca4f2a7f7f1d8deb3211ce0d
Instruction Fuzzy Hash: 4F51AF72911626EFEB209F50EC45FEA7BABEF40740F154428F915A7290DB388D00CFA0

Function 005A4130 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 418COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005A4265
_swprintf.LIBCMT ref: 005A4435

Strings

%, xrefs: 005A44E4
+, xrefs: 005A44F1

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: bb41a848879b0a8e82e484df7bab555037f35bbec5a168ea261bb95119a5d1f0
Instruction ID: 12aedc3d88048cf9724531ccf3dac46f94ebd2b944f67d2320025c33235eb2a4
Opcode Fuzzy Hash: bb41a848879b0a8e82e484df7bab555037f35bbec5a168ea261bb95119a5d1f0
Instruction Fuzzy Hash: EFD1EE71E001199BDF18DF98DC45BAEBFBAFF8A300F044529F815A7281E7749D548BA1

Function 005B55D0 Relevance: 9.1, APIs: 6, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(-00000002,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000,-00000002), ref: 005B5602
GetFileSize.KERNEL32(00000000,?), ref: 005B5629
CloseHandle.KERNEL32(00000000,?,?,00000000,-00000002), ref: 005B5660
ReadFile.KERNEL32 ref: 005B5688
CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,-00000002), ref: 005B56AF
CloseHandle.KERNEL32(00000000), ref: 005B56D0

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$CreateReadSize
String ID:
API String ID: 1620663982-0
Opcode ID: ecd109aa791f265848859af6abec1c1650f10314a08697c0db2ca0481df334a5
Instruction ID: f9e7c8074dbd306fe3b2b820df04c2cbdd30cacd179ee8d651981bc59b4ee9b2
Opcode Fuzzy Hash: ecd109aa791f265848859af6abec1c1650f10314a08697c0db2ca0481df334a5
Instruction Fuzzy Hash: FE2126723017016BD720AA28BC49F9BB799EB90732F540636FE10D22D0EB75A90D87B5

Function 005B14E0 Relevance: 9.1, APIs: 6, Instructions: 92timefileCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 005B1568
CloseHandle.KERNEL32(00000000), ref: 005B156F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15A3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15AE
SetFileTime.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 005B15D1
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15D8

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Time$Write
String ID:
API String ID: 1785683994-0
Opcode ID: 44a61dfa31e2349650c93508694d38745c0a5849ea0ec26a39f0b901ee4455be
Instruction ID: 955fe3ce138f63167555a55bd0dab8df8f05b4f94a1bb5b4c862784bfb880fce
Opcode Fuzzy Hash: 44a61dfa31e2349650c93508694d38745c0a5849ea0ec26a39f0b901ee4455be
Instruction Fuzzy Hash: 3931E472104711ABE320DF18DC89FDBBBECBB89324F100619FA55961D0D774AA08CBA9

Function 005F54B0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 005F5517
LoadStringA.USER32(?,?,?,00000100), ref: 005F55DA
GetStringTypeExA.KERNEL32(?,00000001,00603B05,00000001,?,?,?,071C71C7), ref: 005F570B
LCMapStringA.KERNEL32(?,00000100,?,00000100,?,00000100,?,?,071C71C7), ref: 005F5781

Strings

Unable to open message catalog: , xrefs: 005F5838

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: String$Load$LibraryType
String ID: Unable to open message catalog:
API String ID: 2888867733-3361316291
Opcode ID: b978ae4a3dc294db2d61938672d0a54bed83ec642a8816efcc6713e8671cd6d6
Instruction ID: c45abb29eb00da6bc43f9e0dc392ae5a196c649001b09ee7898c643fe228e37e
Opcode Fuzzy Hash: b978ae4a3dc294db2d61938672d0a54bed83ec642a8816efcc6713e8671cd6d6
Instruction Fuzzy Hash: 91C1DF70D016489FCB14CFA8C884BEDBFB9BF45300F548169E655EB292EB799A44CB60

Function 0062D668 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0062D65F,0062B1D4,0062842D,713211A9,?,?,?,?,00658218,000000FF), ref: 0062D676
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0062D684
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0062D69D
SetLastError.KERNEL32(00000000,?,0062D65F,0062B1D4,0062842D,713211A9,?,?,?,?,00658218,000000FF), ref: 0062D6EF

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 67a08072cf3c0b873d4e4aed6e83c38e6c553565431c8ccbe1902ca343b24974
Instruction ID: 99b2a08b1c7d65b3fd8dc4d261a239b9282a124f48e2a94e4734a97b84f1458e
Opcode Fuzzy Hash: 67a08072cf3c0b873d4e4aed6e83c38e6c553565431c8ccbe1902ca343b24974
Instruction Fuzzy Hash: 93018832109F316EE7A426B4BC859663747DB41775F20023EF128451E3FE524E815998

Function 005B3AB0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 005B3AFE
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 005B3C2B
CreateDirectoryW.KERNEL32(?,00000000), ref: 005B3C67

Strings

\bookmarks, xrefs: 005B3C6D
\grepWinNP3, xrefs: 005B3C4E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateDirectoryFileFolderModuleNamePath
String ID: \bookmarks$\grepWinNP3
API String ID: 486951923-2245591162
Opcode ID: 3650b5ba69aeb597095533dff40e91f2145448e3fc5640ba116215f854a3b415
Instruction ID: eac16793014deaaac586a49ca575dabf0b2991b35f51dd3ce9d707ef3d173ee6
Opcode Fuzzy Hash: 3650b5ba69aeb597095533dff40e91f2145448e3fc5640ba116215f854a3b415
Instruction Fuzzy Hash: 0561D170A006159BCB28DF68D845BAEBFF5FF84710F204A2DE416B7681D770BA44CBA4

Function 005A10E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00659720,00000000,00000001,006597D0,00000000), ref: 005A1234
CoCreateInstance.OLE32(00659720,00000000,00000001,00659780,00000000), ref: 005A1253
GetCursorPos.USER32(00000000), ref: 005A126B
DoDragDrop.OLE32(00000000,00000000,00000003,00000000), ref: 005A12C3

Strings

T f, xrefs: 005A12FF

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance$CursorDragDrop
String ID: T f
API String ID: 1547148105-2778841009
Opcode ID: 1502b08f39e885b99089eb8a60c431e5de476defa69a76d6138410c7f94f9ad3
Instruction ID: ca7797e7fe96b6461dd127d67cb9035eb25a68af07143b730ff5e8f5cfd454bc
Opcode Fuzzy Hash: 1502b08f39e885b99089eb8a60c431e5de476defa69a76d6138410c7f94f9ad3
Instruction Fuzzy Hash: 1F71A974A01A06EFDB10CF95C988BAEBFF5FF4A314F108518E415AB680C7B5E944CBA4

Function 00645112 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006451AF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006452B6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006452C9

Strings

Pd, xrefs: 006451BC
Pd, xrefs: 0064517F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Pd$Pd
API String ID: 885266447-2097763959
Opcode ID: 6b844ddbba440a3e8d4d75d5f9720e7d55365f42ab0f14bf6c2199260df4a333
Instruction ID: d3b905510c29bde79d8675da7895ad24903515a3883532779acd7c97ac5d9e8e
Opcode Fuzzy Hash: 6b844ddbba440a3e8d4d75d5f9720e7d55365f42ab0f14bf6c2199260df4a333
Instruction Fuzzy Hash: 2D517075A00509EFCF14DF98C841AEFBBB7EF89350F14815AE956A7352D270AE42CB60

Function 0062D77F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0062D846
___AdjustPointer.LIBCMT ref: 0062D869
___AdjustPointer.LIBCMT ref: 0062D905

Strings

09Z, xrefs: 0062D7DE

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AdjustPointer
String ID: 09Z
API String ID: 1740715915-1578109394
Opcode ID: 27d921bff46cb73e13a27e09c027c86d80b287d324d08a458e4a1c005c14c27f
Instruction ID: 8df2896adc7fe34bd424d761cb4abc3ed6258f010a349445e8f23771bf949a51
Opcode Fuzzy Hash: 27d921bff46cb73e13a27e09c027c86d80b287d324d08a458e4a1c005c14c27f
Instruction Fuzzy Hash: F851C171A01B26AFEB289F10E841BBA77A6EF50310F14402DE845973D1D739EC81CF90

Function 00646F30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

f, xrefs: 00646FF8

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-4115541692
Opcode ID: b1864c9927b6de2854fd44747c74e0882fb8765dc026f88a1db7302df20c4fe4
Instruction ID: 0b5f299c51ba0ee0f77e0d73976fd79bcced500e86b5b04b5978ad89bfa61481
Opcode Fuzzy Hash: b1864c9927b6de2854fd44747c74e0882fb8765dc026f88a1db7302df20c4fe4
Instruction Fuzzy Hash: 7A4117B2B00704AFE765AF78DC02B9ABBABEB85710F10852EF551DB381D371A9448780

Function 0062AB00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0062AB65
MapViewOfFileEx.KERNEL32(00000000,?,?,?,00000007,?), ref: 0062ABC8

Part of subcall function 0062B679: RaiseException.KERNEL32(E06D7363,00000001,00000003,006294C0,?,?,?,?,006294C0,?,0067371C), ref: 0062B6D9

Part of subcall function 0062A190: GetLastError.KERNEL32(?,00000001,0062AC22,failed create mapping), ref: 0062A194
Part of subcall function 0062A190: CloseHandle.KERNEL32(00000000,?,00000001,0062AC22,failed create mapping), ref: 0062A1A4
Part of subcall function 0062A190: CloseHandle.KERNEL32(?,?,00000001,0062AC22,failed create mapping), ref: 0062A1B3
Part of subcall function 0062A190: SetLastError.KERNEL32(00000000,?,00000001,0062AC22,failed create mapping), ref: 0062A1BA

Strings

failed create mapping, xrefs: 0062AC16
bad numeric conversion: overflow, xrefs: 0062AC60
failed mapping view, xrefs: 0062AC47

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseErrorFileHandleLast$CreateExceptionMappingRaiseView
String ID: bad numeric conversion: overflow$failed create mapping$failed mapping view
API String ID: 2473760820-1174817036
Opcode ID: 32bee2568713561a99e97d46acd31833c97f2a950a68c49b1ce63b28032a8366
Instruction ID: 320207e7dc2736205ada2121dc0529025fdea3a0fce6d5eeb706e9920cc13743
Opcode Fuzzy Hash: 32bee2568713561a99e97d46acd31833c97f2a950a68c49b1ce63b28032a8366
Instruction Fuzzy Hash: 80311531A40B199BDB10DFE4EC41BEEB7A7FF48711F14461AF901E2280D7B1A944CEA5

Function 05350F00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 05350FA2
GetDesktopWindow.USER32 ref: 05350FD9
GetTopWindow.USER32 ref: 05351021

Strings

ScriptBreak, xrefs: 05350F3C
AslEnvExpandStrings2, xrefs: 05350FE0

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Desktop
String ID: AslEnvExpandStrings2$ScriptBreak
API String ID: 2849500299-2721211007
Opcode ID: 5716f55693d047261d92aac3272d57f637e17cd9d2687ca341f1e35410edf8e7
Instruction ID: 87fe2d8ae81dbc9e16d1d3e5815e2fbc84f3d12b696fcbc0244c7d7d9b82cbe5
Opcode Fuzzy Hash: 5716f55693d047261d92aac3272d57f637e17cd9d2687ca341f1e35410edf8e7
Instruction Fuzzy Hash: 50416BB1E202008FDB15CF29EA9A6117FEEF798348F84D12EE4458F359EB75D8218B44

Function 0534EA00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0534EA5D
GetDialogBaseUnits.USER32 ref: 0534EA8B
lstrlenW.KERNEL32 ref: 0534EAD0

Strings

The server received the messages but did not send a reply., xrefs: 0534EAD6
The specified pack is offline., xrefs: 0534EAC9

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDialogThreadUnitslstrlen
String ID: The server received the messages but did not send a reply.$The specified pack is offline.
API String ID: 1613970765-1132203946
Opcode ID: 5c80dfc6f5167df626f74bf5c03fe4d80e00aaa35283e7189ad04302bc6288d6
Instruction ID: 78bcf04b65ccc0fce8ffc02fb89a6c63680bcd42ba7f774d718cecbfa432d25e
Opcode Fuzzy Hash: 5c80dfc6f5167df626f74bf5c03fe4d80e00aaa35283e7189ad04302bc6288d6
Instruction Fuzzy Hash: F621FD7CE041158BDB205F64C454276BBEEFB44341F84C46AE886CF748EA74A882EB53

Function 0534EC6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(75BF7910,?,05348D02,00000000), ref: 0534ECB8
GetParent.USER32 ref: 0534ED08
GetLastActivePopup.USER32 ref: 0534ED86

Strings

Enclosure awareness is not supported for this virtual disk., xrefs: 0534ED57
AslPathToSystemPathBuf, xrefs: 0534ED0E

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveForegroundLastParentPopupWindow
String ID: AslPathToSystemPathBuf$Enclosure awareness is not supported for this virtual disk.
API String ID: 880296319-2013822429
Opcode ID: 28298e6fb55cb984f50361dd68b84b705032fcdecfd10857dcf8936976fc6951
Instruction ID: 6f6323e9ceb11199188b47fc95347544e728b18f0faf23530b97345ba7212aac
Opcode Fuzzy Hash: 28298e6fb55cb984f50361dd68b84b705032fcdecfd10857dcf8936976fc6951
Instruction Fuzzy Hash: 213179B4A312418FD704CF2AE88A2157FEEFB49308B84C96EE459CF344EA749515DF42

Function 053513D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 053513F1
GetDesktopWindow.USER32 ref: 0535141F
GetParent.USER32 ref: 05351483
SetLastError.KERNEL32 ref: 053514E9

Strings

vK, xrefs: 05351442, 0535144E, 0535148A, 053514E1, 053514FD

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDesktopErrorLastParentThreadWindow
String ID: vK
API String ID: 3735582752-3317896225
Opcode ID: 8c0a8d808962d6120539e3b4ce94ed12df947890b19d8a06dea62d6b7349e95e
Instruction ID: 3182e528a92aed1c9f318d6e72bfd0338ea5686c614a049283e895e16c5ecd92
Opcode Fuzzy Hash: 8c0a8d808962d6120539e3b4ce94ed12df947890b19d8a06dea62d6b7349e95e
Instruction Fuzzy Hash: 1331C2B5A242018BD750DF69E84A6A67FF9E748328F54D46AEC81CF300DA389480CB91

Function 0534F360 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 0534F3C6
GetSystemDefaultLangID.KERNEL32 ref: 0534F45C

Strings

GCInterval, xrefs: 0534F3D7
windows blue, xrefs: 0534F41C
WER/Heap:%u: ERROR Arithmetic overflow when aligning block size, xrefs: 0534F361

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveDefaultLangLastPopupSystem
String ID: GCInterval$WER/Heap:%u: ERROR Arithmetic overflow when aligning block size$windows blue
API String ID: 3479583571-1642325539
Opcode ID: ca71850450ed8209ab397e33e3ff468fbaaddbf5fab9dce0a620e74c169a1f31
Instruction ID: fefab9f5aead185f7ee9540a10f5cbb61dd0e1cfeeaeeeccbe949016a8521351
Opcode Fuzzy Hash: ca71850450ed8209ab397e33e3ff468fbaaddbf5fab9dce0a620e74c169a1f31
Instruction Fuzzy Hash: 1E3148B6D312058FD714DF28E8D22613FEDF788308F49C16EE8168F309EA7994008B92

Function 0534E7A4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77threadwindowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0534E7D5
GetCurrentThreadId.KERNEL32 ref: 0534E820
AnyPopup.USER32 ref: 0534E852
GetCurrentThread.KERNEL32 ref: 0534E8B3

Strings

VirtualMemoryThreshold, xrefs: 0534E8B9

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThread$MessagePopupTime
String ID: VirtualMemoryThreshold
API String ID: 1332121241-3178925693
Opcode ID: 2ece2d16105f45e5538b9ae4d114b94f347f7f8a4f090143d0f3f8b31f1b88a9
Instruction ID: 47cead4b25504dad6659e6b8bfca9fbcee738aed2b4b50e33e551fdbc9f6507f
Opcode Fuzzy Hash: 2ece2d16105f45e5538b9ae4d114b94f347f7f8a4f090143d0f3f8b31f1b88a9
Instruction Fuzzy Hash: 2D3112B4A202008FCB04CF6AE98A9517FEDFB88708B94C62EF416CF354EAB49455DF41

Function 0534E1C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,?,0534BD67), ref: 0534E207
GetMessageTime.USER32 ref: 0534E26B

Strings

The validation was not successful., xrefs: 0534E2AD
MajorVersion mismatch, MajorVersion 0x%lx Expected 0x%lx, xrefs: 0534E1CF
STATUS_SUCCESS, xrefs: 0534E21F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangMessageTimeUser
String ID: MajorVersion mismatch, MajorVersion 0x%lx Expected 0x%lx$STATUS_SUCCESS$The validation was not successful.
API String ID: 1049946065-3575248791
Opcode ID: 0e70d63f92ed9222b2bc4dcc2d34a6ba10a4fcee3f6943bedfc391895376b6f3
Instruction ID: c42db193f199925ae213b5e2ddc70f82abc51e61e55e3b25f55360524c54d546
Opcode Fuzzy Hash: 0e70d63f92ed9222b2bc4dcc2d34a6ba10a4fcee3f6943bedfc391895376b6f3
Instruction Fuzzy Hash: 872101B59202418FD344CF69E5961213FEEF799308F98C0AEE465CF246DABE98049B49

Function 005A2AF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005A2B8D

Part of subcall function 0062B679: RaiseException.KERNEL32(E06D7363,00000001,00000003,006294C0,?,?,?,?,006294C0,?,0067371C), ref: 0062B6D9

Strings

ios_base::eofbit set, xrefs: 005A2B38, 005A2B51, 005A2B70
|7g, xrefs: 005A2B71
ios_base::badbit set, xrefs: 005A2B27
ios_base::failbit set, xrefs: 005A2B2E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$|7g
API String ID: 3109751735-2160263992
Opcode ID: 19d3277679a50dbbfcb5474b684e5a2525becf49f9138a5f74115d310b137aca
Instruction ID: 5060dce7651163cc299506e2ffcf7e6e394c2a1694dab82e10a270c5e3e0af4e
Opcode Fuzzy Hash: 19d3277679a50dbbfcb5474b684e5a2525becf49f9138a5f74115d310b137aca
Instruction Fuzzy Hash: D5110AB29047096FC714DF5CD802B99BBE9FF56310F04852EFA5887681E770E914CBA5

Function 05352974 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73threadCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 053529EA
GetThreadUILanguage.KERNEL32 ref: 05352A2C

Strings

LdrResSearchResource Exit, xrefs: 05352975
SdbpGetProcessHostGuestArchitectures failed [%x], xrefs: 0535299F
The binding handle is invalid., xrefs: 05352A32

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLanguageLastPopupThread
String ID: LdrResSearchResource Exit$SdbpGetProcessHostGuestArchitectures failed [%x]$The binding handle is invalid.
API String ID: 2119500835-3222778300
Opcode ID: 5792b5ddda2afc7c64c14764f76da158023edf043e6bbf5ebe680cf23a91b5af
Instruction ID: cde82e8393bbc1c6efb7d6010c169de52e89a56d0f048b040df48bb25837f5b1
Opcode Fuzzy Hash: 5792b5ddda2afc7c64c14764f76da158023edf043e6bbf5ebe680cf23a91b5af
Instruction Fuzzy Hash: E12105BCA241404BC7208F28D59662B7FEAE781348B84E56DF886CF348EA748002EB51

Function 0535264C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringthreadCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 05352696
GetCurrentThreadId.KERNEL32 ref: 053526E0
lstrlenW.KERNEL32 ref: 0535275E

Strings

function, xrefs: 0535264D, 053526EB, 05352757
The supplied device ID is invalid., xrefs: 05352727

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThreadWindowlstrlen
String ID: The supplied device ID is invalid.$function
API String ID: 582314876-3737079412
Opcode ID: a76497203884fa7100005e34d308ee624f5074f882e9a9599ed97dc51deaff35
Instruction ID: 76431706a1d831184a7510cbc6685942edab7ea33cf3dad2d60b1e5bb8faecf6
Opcode Fuzzy Hash: a76497203884fa7100005e34d308ee624f5074f882e9a9599ed97dc51deaff35
Instruction Fuzzy Hash: C6218EB99202028FC300DF29A8569667FAAF750328FD5E25DF592CF25ADB748046CB52

Function 05352F70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,05349B45), ref: 05352FEC
GetWindowTextLengthW.USER32(00000000), ref: 05353027

Strings

Directory Service cannot start., xrefs: 05352FAA
A mapped section could not be extended., xrefs: 05352FC3
The specified volume is offline., xrefs: 05352F71

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LengthTextWindowlstrlen
String ID: A mapped section could not be extended.$Directory Service cannot start.$The specified volume is offline.
API String ID: 3761700447-438102289
Opcode ID: c2ef91320ff220327b30e0ad4a1a2ddf614bef49a1d3a1fcd6b3aabcdf8a02d5
Instruction ID: ff70d409fc85e7a05f134583ababb74c3593d8cccda03e2bb6b33dd3103968a3
Opcode Fuzzy Hash: c2ef91320ff220327b30e0ad4a1a2ddf614bef49a1d3a1fcd6b3aabcdf8a02d5
Instruction Fuzzy Hash: 802159B5A302018BC704DF79E896516BFEEF759318F84C66EF8468F349EB7084008B61

Function 05351E90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45threadstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 05351EA1
GetCurrentThreadId.KERNEL32 ref: 05351EBB
GetThreadUILanguage.KERNEL32 ref: 05351F01
GetWindowTextLengthW.USER32 ref: 05351F0E

Strings

The proximity domain information is invalid., xrefs: 05351E9A

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Thread$CurrentLanguageLengthTextWindowlstrlen
String ID: The proximity domain information is invalid.
API String ID: 1355267480-2565701227
Opcode ID: 94f0a52fce94cf4c9acadf4722bde81b8460a11fece67f6405f492e87fef28c5
Instruction ID: 4f24e22f2bfc67d9ac301c7726ab6eb110e16c1ff1646643ed2edc5218decea7
Opcode Fuzzy Hash: 94f0a52fce94cf4c9acadf4722bde81b8460a11fece67f6405f492e87fef28c5
Instruction Fuzzy Hash: 8C01A77C6041028BDB206F6AC485A6BFB7AFB49751B44C139EDC28F748EA744882D726

Function 006268C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006268C7
std::_Lockit::_Lockit.LIBCPMT ref: 006268D2
std::_Lockit::~_Lockit.LIBCPMT ref: 00626940

Part of subcall function 00626A23: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00626A3B

std::locale::_Setgloballocale.LIBCPMT ref: 006268ED

Strings

09Z, xrefs: 0062690F, 00626933

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: 09Z
API String ID: 677527491-1578109394
Opcode ID: 15ed965ce7516ae188e255c1c3b363f26af885397ce048b962f4e6f2eed09306
Instruction ID: d8b9c1be6fa80f4a6c62ac2b3448a8b16ce92856d43c16aca0277e5c98d8b76d
Opcode Fuzzy Hash: 15ed965ce7516ae188e255c1c3b363f26af885397ce048b962f4e6f2eed09306
Instruction Fuzzy Hash: 420148B5A009219BDB0AEB20E8555BD7BB3EF85340B24400DF80167391DF786A46CFA9

Function 0534F300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,0000000B,?,0534A7B3), ref: 0534F30D
GetOEMCP.KERNEL32(?,?,0000000B,?,0534A7B3), ref: 0534F30F
GetOEMCP.KERNEL32(?,?,0000000B,?,0534A7B3), ref: 0534F32D
GetParent.USER32 ref: 0534F349

Strings

GlobalFlag, xrefs: 0534F311

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Parent
String ID: GlobalFlag
API String ID: 975332729-4289803471
Opcode ID: cba0d5557ae9a48056a90bd475d4c5c25097d7fdfa59b26ff32dd2a6e767665f
Instruction ID: dc61b08b4f25be23a8634e4659ea52732ab0beb8ad3086d3b104cee778cc18cc
Opcode Fuzzy Hash: cba0d5557ae9a48056a90bd475d4c5c25097d7fdfa59b26ff32dd2a6e767665f
Instruction Fuzzy Hash: B3F05CA15041429FCB00FBB5C88963D7BE8BB04300F4C8468E083CB3C2D538E8418F21

Function 005B2390 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005B26A2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,000A00BC,00000007,00000000,00000000), ref: 005B2726
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005B274D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 005B27E4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000007,00000000,00000000), ref: 005B2848

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: e693d9f71bb1152be36973af4318e53df4419fa438590360e0cade2118f18e00
Instruction ID: b7ac26acc6ec147490466032bd16560350a7805236bfc8cec2533230e340bec0
Opcode Fuzzy Hash: e693d9f71bb1152be36973af4318e53df4419fa438590360e0cade2118f18e00
Instruction Fuzzy Hash: BCF173B1A01616AFDB24DF54DC42BAA7BA5FF44700F240529F911EB285EB30F914CBB5

Function 005BEFB0 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000426), ref: 005BF043
EndDialog.USER32(?,?), ref: 005BF06F
SetDlgItemTextW.USER32(?,0000040D,?), ref: 005BF145
GetDlgItem.USER32(?,0000040D), ref: 005BF151
SetFocus.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00653795,000000FF), ref: 005BF158

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$ButtonCheckedDialogFocusText
String ID:
API String ID: 3578702649-0
Opcode ID: 064d35bf1517e03d8726d20bb84e026190a2a2012466ae002adddfb34fe009fc
Instruction ID: eaa1c8ebc8e3b32774d521338d6e3628481861ff30190ad17aed1b2d7592298f
Opcode Fuzzy Hash: 064d35bf1517e03d8726d20bb84e026190a2a2012466ae002adddfb34fe009fc
Instruction Fuzzy Hash: 8D51F77190061ABBCB14EF68DC49BAEBBA6FF44310F004629F80697791DB35BD11CBA4

Function 006273C1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006273D5
AcquireSRWLockExclusive.KERNEL32(0067B2C0), ref: 006273F4
AcquireSRWLockExclusive.KERNEL32(0067B2C0,00000000,00000000), ref: 00627422
TryAcquireSRWLockExclusive.KERNEL32(0067B2C0,00000000,00000000), ref: 0062747D
TryAcquireSRWLockExclusive.KERNEL32(0067B2C0,00000000,00000000), ref: 00627494

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: b5ab3ae1b3248be82f3bb84c61788c5e357e5faabf44f51a604f8281e389ae72
Instruction ID: 986e786ed4cf0348ebd4394002e1779e9fc113bf6d7903bb91ecfa765647e279
Opcode Fuzzy Hash: b5ab3ae1b3248be82f3bb84c61788c5e357e5faabf44f51a604f8281e389ae72
Instruction Fuzzy Hash: 91416C31508E2ADBCB20EF64E580DAABBF6FF04311B204529D44AC7A40D730F985CFA4

Function 005ABA60 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005ABA83
std::_Lockit::_Lockit.LIBCPMT ref: 005ABAA6
std::_Lockit::~_Lockit.LIBCPMT ref: 005ABAC6
std::_Facet_Register.LIBCPMT ref: 005ABB3B
std::_Lockit::~_Lockit.LIBCPMT ref: 005ABB53

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: f199b7f50dc79f9d1da19d2bce2bd34d92639aebee7185c4047dfc98c68f0bb1
Instruction ID: 7be80f327d6fae0908e631cc42251698038ada1c722688f0e98c633563a75cae
Opcode Fuzzy Hash: f199b7f50dc79f9d1da19d2bce2bd34d92639aebee7185c4047dfc98c68f0bb1
Instruction Fuzzy Hash: 6831B27590062ACFDB25DF58E880BAEBBB6FF45720F144659E80967352DB30AD40CBE1

Function 005A5E60 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A5E83
std::_Lockit::_Lockit.LIBCPMT ref: 005A5EA6
std::_Lockit::~_Lockit.LIBCPMT ref: 005A5EC6
std::_Facet_Register.LIBCPMT ref: 005A5F3B
std::_Lockit::~_Lockit.LIBCPMT ref: 005A5F53

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 4ad269f89eef5a96d133272f9ad4d632f66774dd82507da709bc00d20af8da16
Instruction ID: 3baa3579203f0ca71d81a7cbf45da5a6132ca87f036867f276b5d6a07bb93171
Opcode Fuzzy Hash: 4ad269f89eef5a96d133272f9ad4d632f66774dd82507da709bc00d20af8da16
Instruction Fuzzy Hash: DF31CFB5900A25CFCB15CF54E880BAEBBB5FB45720F144659E80967391EB30AE84CFD0

Function 005A5F80 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A5FA3
std::_Lockit::_Lockit.LIBCPMT ref: 005A5FC6
std::_Lockit::~_Lockit.LIBCPMT ref: 005A5FE6
std::_Facet_Register.LIBCPMT ref: 005A605B
std::_Lockit::~_Lockit.LIBCPMT ref: 005A6073

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 94fdeeda621ecd044afb4a1a25d3be833122318bb0bdf1b3bbb3f049e07a60d2
Instruction ID: 992a7bd573f7e96262725e574aaf528a664330631a50dfa70ca3bf0e4995a4b9
Opcode Fuzzy Hash: 94fdeeda621ecd044afb4a1a25d3be833122318bb0bdf1b3bbb3f049e07a60d2
Instruction Fuzzy Hash: FE31AD71800616CFCB25CF54E889BAEBBB2FF45324F18465AE815A7251D730AD81CFE1

Function 005ED9F0 Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00008003,?,FFFFFFFF), ref: 005EDA7B
SendMessageW.USER32(?,00008004,00000000,00000000), ref: 005EDAD0
GetCursorPos.USER32(?), ref: 005EDAD7
SetCursorPos.USER32(?,?), ref: 005EDAE5
PostMessageW.USER32(?,00008005,00000000,00000000), ref: 005EDB05

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Message$CursorSend$Post
String ID:
API String ID: 1374786658-0
Opcode ID: d3c8e847336cac4c696e735d342bb9d95e7f56409ce29e7799a197216d28deb2
Instruction ID: 55b5ef42ac50201d1ff2e605e12754a62776eb817611c75269e779330bbc07ec
Opcode Fuzzy Hash: d3c8e847336cac4c696e735d342bb9d95e7f56409ce29e7799a197216d28deb2
Instruction Fuzzy Hash: 2B31F731604341EBDB24DF26DC0AF1ABBA6BF41721F10862DF5A8971E0EB709915CF66

Function 005AD790 Relevance: 7.6, APIs: 5, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

PathIsRootW.SHLWAPI ref: 005AD7C3
CreateDirectoryW.KERNEL32(?,00000000), ref: 005AD7DF
GetLastError.KERNEL32(?,00000000), ref: 005AD7EB
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 005AD82D
Sleep.KERNEL32(00000032,?,00000000,?,?,00000000), ref: 005AD83B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateDirectory$ErrorLastPathRootSleep
String ID:
API String ID: 1188401217-0
Opcode ID: 49d7f9aa34df141e0a34f4b1983ba96f12d7abae2a0f0b34f8911b05c2520b65
Instruction ID: 357db01a1309fa23fe7067dc12548a17c74101800cad01113004f0ee54b5b7e9
Opcode Fuzzy Hash: 49d7f9aa34df141e0a34f4b1983ba96f12d7abae2a0f0b34f8911b05c2520b65
Instruction Fuzzy Hash: 4721C471A40706DBCB21EF589849B6DB7F9FB86B11F10051DE85687B80DB349D04CBB0

Function 005F0E10 Relevance: 7.6, APIs: 5, Instructions: 73timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 005F0E2D
GetTimeZoneInformation.KERNEL32(00676D38), ref: 005F0E41
SystemTimeToTzSpecificLocalTime.KERNEL32(00676D38,?,?), ref: 005F0E56
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000064), ref: 005F0E99
GetTimeFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000064), ref: 005F0EB7

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Time$FormatSystem$DateFileInformationLocalSpecificZone
String ID:
API String ID: 2901416390-0
Opcode ID: d0843d67abe59d52c4ed05ac600d74008de835a30f00670b2491d6769f9ace8c
Instruction ID: c2f13d46f3b7a5bda88616f9cdbf63cf29e9f90f4f4e1c40bdb48374ae9a766c
Opcode Fuzzy Hash: d0843d67abe59d52c4ed05ac600d74008de835a30f00670b2491d6769f9ace8c
Instruction Fuzzy Hash: DD218171284719BBE320DB60DC06FEA779E9F44B10F004915BB54A60D0EBB1951887A6

Function 0534AE58 Relevance: 7.6, APIs: 5, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Part of subcall function 05350008: GetCurrentThreadId.KERNEL32 ref: 05350064
Part of subcall function 05350008: GetLastError.KERNEL32(?,00000000,?,0534AE8A), ref: 0535007E
Part of subcall function 05350008: GetLastActivePopup.USER32 ref: 053500F6
Part of subcall function 05350008: GetModuleHandleW.KERNEL32(00000000,?,0534AE8A), ref: 05350134
Part of subcall function 05350008: GetLargePageMinimum.KERNEL32(?,?,0534AE8A), ref: 05350177

GetThreadUILanguage.KERNEL32 ref: 0534AE8A
GetDialogBaseUnits.USER32 ref: 0534AEA5

Part of subcall function 0534FC94: AnyPopup.USER32 ref: 0534FCEE
Part of subcall function 0534FC94: GetSystemDefaultLangID.KERNEL32(?,0534AEB0), ref: 0534FD25
Part of subcall function 0534FC94: GetTopWindow.USER32 ref: 0534FD53

GetLastActivePopup.USER32 ref: 0534AF0C
GetDesktopWindow.USER32 ref: 0534AF1D
GetOEMCP.KERNEL32 ref: 0534AF23

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LastPopup$ActiveThreadWindow$BaseCurrentDefaultDesktopDialogErrorHandleLangLanguageLargeMinimumModulePageSystemUnits
String ID:
API String ID: 1843500158-0
Opcode ID: df11a738403c00f17cbb17020de0f796114aaf747bc3d487c1a7d1eaae6ec627
Instruction ID: 76bed4fce881547bf8789015e9100588e221269e12d661dcc2acb50a8b09c2c7
Opcode Fuzzy Hash: df11a738403c00f17cbb17020de0f796114aaf747bc3d487c1a7d1eaae6ec627
Instruction Fuzzy Hash: 5A217C719B12048BD710DF69E88A65A7FEEFB44314F44C16AF9498B240EB349844CF91

Function 00603AD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 426libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005F54B0: LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 005F5517
Part of subcall function 005F54B0: LoadStringA.USER32(?,?,?,00000100), ref: 005F55DA

LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 00603BCC
LoadStringA.USER32(?,000000C8,?,00000100), ref: 00603CA1
LoadStringA.USER32(?,0000012C,?,00000100), ref: 00603E88

Part of subcall function 00628A29: AcquireSRWLockExclusive.KERNEL32(0067A12C,00000000,?,?,005AFA33,0067B250,0067B1DC,?,00000003,005F50B5,?,?), ref: 00628A34
Part of subcall function 00628A29: ReleaseSRWLockExclusive.KERNEL32(0067A12C,?,005AFA33,0067B250,0067B1DC,?,00000003,005F50B5,?,?), ref: 00628A6E

Part of subcall function 006289D8: AcquireSRWLockExclusive.KERNEL32(0067A12C,?,?,005AFA49,0067B250,00000003), ref: 006289E2
Part of subcall function 006289D8: ReleaseSRWLockExclusive.KERNEL32(0067A12C,?,005AFA49,0067B250,00000003), ref: 00628A15
Part of subcall function 006289D8: WakeAllConditionVariable.KERNEL32(0067A128,?,005AFA49,0067B250,00000003), ref: 00628A20

Strings

Unable to open message catalog: , xrefs: 00603FD3

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$ExclusiveLock$String$AcquireLibraryRelease$ConditionVariableWake
String ID: Unable to open message catalog:
API String ID: 941639143-3361316291
Opcode ID: f793142ca1e0725ccc0588a799e098c76520213c009dc4901b6666f3bc8913f2
Instruction ID: f30ca9e3a3af74fe415d90326432ab217e735a3289f14c190d5e005c15bb9391
Opcode Fuzzy Hash: f793142ca1e0725ccc0588a799e098c76520213c009dc4901b6666f3bc8913f2
Instruction Fuzzy Hash: C802B0B1900258DFCB18CF68C8847DEBBEABF09304F14816AF9599B392D7759A44CF91

Function 005CB8E0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 400libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1A20: LoadLibraryA.KERNEL32(-000000CA), ref: 005D1AB7

LoadLibraryA.KERNEL32(-00000024), ref: 005CB9D5

Part of subcall function 006289D8: AcquireSRWLockExclusive.KERNEL32(0067A12C,?,?,005AFA49,0067B250,00000003), ref: 006289E2
Part of subcall function 006289D8: ReleaseSRWLockExclusive.KERNEL32(0067A12C,?,005AFA49,0067B250,00000003), ref: 00628A15
Part of subcall function 006289D8: WakeAllConditionVariable.KERNEL32(0067A128,?,005AFA49,0067B250,00000003), ref: 00628A20

LoadStringW.USER32(?,000000C8,-0000023C,00000100), ref: 005CBAE2
LoadStringW.USER32(?,0000012C,-0000023C,00000100), ref: 005CBC76

Part of subcall function 005A1E40: ___std_exception_copy.LIBVCRUNTIME ref: 005A1E71

Strings

Unable to open message catalog: , xrefs: 005CBD97

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$ExclusiveLibraryLockString$AcquireConditionReleaseVariableWake___std_exception_copy
String ID: Unable to open message catalog:
API String ID: 783877595-3361316291
Opcode ID: 7c6887245e5479c5825cbc05ddfc996cc8135dcbaa7a8fa91734c086330cb5ac
Instruction ID: 68bcb6bf370518e064c9f13e2638ae2eef6eba76ba377b573a6bf6376a97c1fe
Opcode Fuzzy Hash: 7c6887245e5479c5825cbc05ddfc996cc8135dcbaa7a8fa91734c086330cb5ac
Instruction Fuzzy Hash: 49F18771900248DFDB14DFA8C885BDE7FE5BF08304F14816EE9199B292EB759A44CF91

Function 0063D6F7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 0063D871
__freea.LIBCMT ref: 0063D88D

Strings

am/pm, xrefs: 0063D8EF
a/p, xrefs: 0063D953

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: eb9c49b6d488e6469df1eb86edbba10d9452b54521d62f4e7b1fce55700bdd90
Instruction ID: e583ff43b5580633331aea21db911513ad358c0afb6fb6b364363d803990f416
Opcode Fuzzy Hash: eb9c49b6d488e6469df1eb86edbba10d9452b54521d62f4e7b1fce55700bdd90
Instruction Fuzzy Hash: B6C1FF74A04216DBCB249F68EA95BFAB7B3FF46300F144159E802AB390D3319E42CBD5

Function 053465D8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 053466A6
GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,0534B8C7), ref: 053466BC

Strings

An invalid volume label has been specified., xrefs: 05346727
Specified gamma ramp is invalid., xrefs: 053465D9, 0534660A, 0534663A, 05346667, 053466D7, 053466EB, 053466F7, 05346717, 0534671F, 05346746, 05346764, 053467CD, 053467F8, 05346820

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window
String ID: An invalid volume label has been specified.$Specified gamma ramp is invalid.
API String ID: 2353593579-1471136984
Opcode ID: 1dc04799c7ae8e143ed31f5b865cecfa8f92a4cba4cec0d6ba7a1239abb89bce
Instruction ID: 94113a7326629a4c60eb630486a240f6b3b6e45924b6ea5a57723ca5d8909e41
Opcode Fuzzy Hash: 1dc04799c7ae8e143ed31f5b865cecfa8f92a4cba4cec0d6ba7a1239abb89bce
Instruction Fuzzy Hash: 1A51AEB4A283428FD741CF38D587216BFEAFB4A318F90C51EE4958F214EB3894518F56

Function 0062DD7B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0062DDA0
CatchIt.LIBVCRUNTIME ref: 0062DE86

Strings

MOC, xrefs: 0062DDB2
RCC, xrefs: 0062DDBA

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 003c3696d79e2bfd643d0d9d2bd7d4fa0d6fe27571647d52942544293a352667
Instruction ID: 95860b9abbb5fe477f4e1110148025a7ab9e34706a0b41b463e340379be96088
Opcode Fuzzy Hash: 003c3696d79e2bfd643d0d9d2bd7d4fa0d6fe27571647d52942544293a352667
Instruction Fuzzy Hash: AF418A71900619AFCF15DF94DD81AEEBBB6FF48304F158059F9186B211D3359950CF51

Function 05351D28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 05351D5B
GetLastError.KERNEL32 ref: 05351E07
GetTopWindow.USER32 ref: 05351E75

Strings

The cluster node has been poisoned., xrefs: 05351E0D

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ErrorLast
String ID: The cluster node has been poisoned.
API String ID: 531141135-1625712938
Opcode ID: 3b75e1fcb7961082df789bf0deb45ecef25f2f31d0d9b9a6857fe772f688e6e2
Instruction ID: dcdaad710cd3e60e097b9c2ba976c0b4b0c5ae5218701d5737a7688bf72b594d
Opcode Fuzzy Hash: 3b75e1fcb7961082df789bf0deb45ecef25f2f31d0d9b9a6857fe772f688e6e2
Instruction Fuzzy Hash: 2E31D0B69312048ECB15DF38DA4A6557FEDF788318F94C62EE844CF265EB78C4509B90

Function 0534F180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0534F194
GetCurrentThreadId.KERNEL32 ref: 0534F1B3

Strings

A device was removed so enumeration must be restarted., xrefs: 0534F1F0
TPM 1.2: Authentication failed., xrefs: 0534F23B

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDialogThreadUnits
String ID: A device was removed so enumeration must be restarted.$TPM 1.2: Authentication failed.
API String ID: 4123241832-380985876
Opcode ID: 369bf93eea17dc3a61ea2ebda9ac34e65f04064eaba23b16bc1d93e86dc95b1f
Instruction ID: 04f62b5a17e00be65710f9ce6ad585a8fcee50733e80c01e3b536562ca87eaf2
Opcode Fuzzy Hash: 369bf93eea17dc3a61ea2ebda9ac34e65f04064eaba23b16bc1d93e86dc95b1f
Instruction Fuzzy Hash: 9F21D2799352028FD705CF39EA8A6513FEEF764308B88C0AEE4458F718EBB99445CB51

Function 0534FC94 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

AnyPopup.USER32 ref: 0534FCEE
GetSystemDefaultLangID.KERNEL32(?,0534AEB0), ref: 0534FD25
GetTopWindow.USER32 ref: 0534FD53

Strings

Stick PC, xrefs: 0534FD80

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangPopupSystemWindow
String ID: Stick PC
API String ID: 2971084555-3603036135
Opcode ID: b7eda424d009f20b9fbdd086ab6b713b287019ea7d13b0fc926734d681e4de7a
Instruction ID: d520d8459065bfe2520e4dd056fca7139543951e8d92ec8269e1c6044f6c7049
Opcode Fuzzy Hash: b7eda424d009f20b9fbdd086ab6b713b287019ea7d13b0fc926734d681e4de7a
Instruction Fuzzy Hash: 2B217AB59311008BCB058F39E88A1953FEEF74831CFC4C66EE949CE254EB3584158F81

Function 0534E910 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32(00001103,00000001,?,0534CEDD,?,?,?,0534B33B), ref: 0534E936
GetSystemDefaultLangID.KERNEL32(00001103,00000001,?,0534CEDD,?,?,?,0534B33B), ref: 0534E99C

Strings

The volume must undergo garbage collection., xrefs: 0534E911, 0534E971, 0534E98D
The Platform Manifest file was not authorized on this machine., xrefs: 0534E946

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLargeMinimumPageSystem
String ID: The Platform Manifest file was not authorized on this machine.$The volume must undergo garbage collection.
API String ID: 3676040673-3218441631
Opcode ID: 96b080c743f78cd4364d71c8afd738ae4cd89d231b09f6f1a493ae249c6cffc3
Instruction ID: e97b8bc648d9d0ac55e547e4c2ca04a8c36ff3c32d4a2cf8b0a583852f4d4db5
Opcode Fuzzy Hash: 96b080c743f78cd4364d71c8afd738ae4cd89d231b09f6f1a493ae249c6cffc3
Instruction Fuzzy Hash: 54213B399342428FDF82CF28D0996367FEEF79230CB94C08ED0964F65AD6796416DB81

Function 0534C008 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000032,?,?,053492A9), ref: 0534C05B

Strings

SdbpGetProcessHostGuestArchitectures failed [%x], xrefs: 0534C090
Maker Board, xrefs: 0534C088
Can't get the name string, xrefs: 0534C009

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID:
String ID: Can't get the name string$Maker Board$SdbpGetProcessHostGuestArchitectures failed [%x]
API String ID: 0-4055452779
Opcode ID: d0c438a0f0d7ea5590d61e90d28d2c5680cf565c66cbf4a34af429b0b4cfe792
Instruction ID: e6550b7beb3c396f86ed3042b525b25568d62fc846d0000c703793b8913c662b
Opcode Fuzzy Hash: d0c438a0f0d7ea5590d61e90d28d2c5680cf565c66cbf4a34af429b0b4cfe792
Instruction Fuzzy Hash: A1219AB59292068FC700DF38D487626BFE9FB40358F44A42EE589CF255E775E8008F56

Function 0534E0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,?,0534B04D), ref: 0534E0DE
GetTickCount.KERNEL32 ref: 0534E102
GetDesktopWindow.USER32 ref: 0534E108

Strings

TermsrvUpdateAllUserMenu, xrefs: 0534E0EB

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountDesktopTickWindow
String ID: TermsrvUpdateAllUserMenu
API String ID: 1610731074-1499210260
Opcode ID: 2bcabbe9706788dfd34992dfa9a1ea862a993186f69313bc170c13feb589df1e
Instruction ID: 4dea72ecc540f76f3b4a8b3435085e4bbc80d52de7a2459c57d3d9a769528cef
Opcode Fuzzy Hash: 2bcabbe9706788dfd34992dfa9a1ea862a993186f69313bc170c13feb589df1e
Instruction Fuzzy Hash: 710126395041018BDB309F2AD4842B7BFEEFB45351B448056F8A68F704EA70A482EE13

Function 0059A4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(80040007,00000000,0059BD0C), ref: 0059A4F0
SystemParametersInfoW.USER32(00000042,0000000C,?,00000000), ref: 0059A519
GetProcAddress.KERNEL32(0000000C,DwmIsCompositionEnabled), ref: 0059A526

Strings

DwmIsCompositionEnabled, xrefs: 0059A51F

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressErrorInfoLastParametersProcSystem
String ID: DwmIsCompositionEnabled
API String ID: 32703461-3099646739
Opcode ID: 046a4cd6326990c3c2be8928b587d63d80da64c890ce8fac9d87fb5db3960360
Instruction ID: e0571ad67ff38e42a66fc6a5608e146d00ea193615001dbfed71685ea007fa5d
Opcode Fuzzy Hash: 046a4cd6326990c3c2be8928b587d63d80da64c890ce8fac9d87fb5db3960360
Instruction Fuzzy Hash: 60018F70514302ABEF20AF28DD08BA7BFD4BF44304F44992DB88C95191E7B9C984C6A3

Function 0062A350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,00000000,00000000), ref: 0062A35C
CloseHandle.KERNEL32(00000000), ref: 0062A36A
CloseHandle.KERNEL32(?), ref: 0062A384

Strings

failed closing mapped file, xrefs: 0062A3A7

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID: failed closing mapped file
API String ID: 260491571-752119354
Opcode ID: 6ccd8b8f90d7411ab64f29347ed1e2bd9d777f4f04e755e4b61df885cf3f9da0
Instruction ID: a18b26770fc2338b2ff44601d91191f10d6165fdafbe68124ecda8ec8e4b4189
Opcode Fuzzy Hash: 6ccd8b8f90d7411ab64f29347ed1e2bd9d777f4f04e755e4b61df885cf3f9da0
Instruction Fuzzy Hash: 62E06D30340B21DBDB61ABB0AE0979A3ADB6F00B42F04550CF906C62E0CBA4E8008B26

Function 0062E747 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0062E6F8,?,?,00000000,?,?,?,0062E822,00000002,FlsGetValue,0065B668,FlsGetValue), ref: 0062E754
GetLastError.KERNEL32(?,0062E6F8,?,?,00000000,?,?,?,0062E822,00000002,FlsGetValue,0065B668,FlsGetValue,?,?,0062D689), ref: 0062E75E
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0062E786

Strings

api-ms-, xrefs: 0062E76B

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8d1d2d13ee988b9a59e380df1e1271594a8b5f8d09afff23c12f21acc4494686
Instruction ID: 43dc6aca68c312a1b6f1a07eb4c20be1bb1eadc249054d61d880a5a160b9676b
Opcode Fuzzy Hash: 8d1d2d13ee988b9a59e380df1e1271594a8b5f8d09afff23c12f21acc4494686
Instruction Fuzzy Hash: 5DE0483064071DF7DB205B50FC46B983F579F10B5AF105030F90DE81E1DB769990D955

Function 00644138 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(713211A9,00000000,00000000,?), ref: 0064419B

Part of subcall function 00646DB3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00646C89,?,00000000,-00000008), ref: 00646E14

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006443ED
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00644433
GetLastError.KERNEL32 ref: 006444D6

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: adac5b7ffbc5ab758bb91d58a74c942919139ba326b18a8759fd0792fa7e539a
Instruction ID: 60972b38620da315442e4dae02107a8673d5bbd9ff56d8ffb050028dd25087fb
Opcode Fuzzy Hash: adac5b7ffbc5ab758bb91d58a74c942919139ba326b18a8759fd0792fa7e539a
Instruction Fuzzy Hash: 92D17BB5D006589FCF15CFA8C881AEDBBF6FF48314F24416AE556EB351DA30A942CB50

Function 00621E10 Relevance: 6.3, APIs: 4, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?), ref: 00621E73
CoTaskMemFree.OLE32(?), ref: 00621E7C
SHGetDesktopFolder.SHELL32(?), ref: 00621E8C
CoTaskMemAlloc.OLE32(?), ref: 00621EB6

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Task$Free$AllocDesktopFolder
String ID:
API String ID: 1141445250-0
Opcode ID: 78e069d2e63fea419bd99208d275e7356c47c7f1d1f8c0079b44af97286a8f71
Instruction ID: 67153898b771f8ff4570fc9694e4c97530cd3d9c598f05b7eeb63495dc4f2d07
Opcode Fuzzy Hash: 78e069d2e63fea419bd99208d275e7356c47c7f1d1f8c0079b44af97286a8f71
Instruction Fuzzy Hash: E8A19EB5A006269FCB14DF68D995AAEBBB6FF49300F048169E915AF341D731ED01CFA0

Function 05347F84 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 053480AE

Part of subcall function 0534DA00: GetUserDefaultLangID.KERNEL32(0000000B,00000000,?,0534A70D), ref: 0534DA12
Part of subcall function 0534DA00: GetOEMCP.KERNEL32(?,0534A70D), ref: 0534DA58
Part of subcall function 0534DA00: GetLastActivePopup.USER32 ref: 0534DA94
Part of subcall function 0534DA00: GetTopWindow.USER32 ref: 0534DABB

Strings

QoZYLJECoSANG9LKyFMwEKYh0Q/roiGXvMuN5tmTrwsxnTqcC6pOtcAqwstU1ZU44MzYvTUqgXsKdmRAZdGj19WaYYkz6H1J87nQJTG60X2vY29CMEoYO+9N32IS6/XdAR5UH61VsFsvjGfewxiOgtUOkPwJnmHn+Hs5QG1DDnddkjJ6013s7ZloCkhkyERpSGMVjh+pMDMnLUmQiL0ag4tzdzTDrbUomRmtKFvcgqp71Jdv1LsJl5FnnBGc5NEpLB1u, xrefs: 053481A8
AslFileMappingEnsureMappedAs, xrefs: 05347FAA
The specified address range is already committed., xrefs: 05347FC5, 05348110, 05348161

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveDefaultErrorLangPopupUserWindow
String ID: AslFileMappingEnsureMappedAs$QoZYLJECoSANG9LKyFMwEKYh0Q/roiGXvMuN5tmTrwsxnTqcC6pOtcAqwstU1ZU44MzYvTUqgXsKdmRAZdGj19WaYYkz6H1J87nQJTG60X2vY29CMEoYO+9N32IS6/XdAR5UH61VsFsvjGfewxiOgtUOkPwJnmHn+Hs5QG1DDnddkjJ6013s7ZloCkhkyERpSGMVjh+pMDMnLUmQiL0ag4tzdzTDrbUomRmtKFvcgqp71Jdv1LsJl5FnnBGc5NEpLB1u$The specified address range is already committed.
API String ID: 1206660600-3279949425
Opcode ID: ca4c516a8003d11d3e4126509ca152a865bb950be5b565d82d2cce327d102ad3
Instruction ID: 5c617c386efb5a64249f35dd4aab66d5a744b635136b99981d720687620a3045
Opcode Fuzzy Hash: ca4c516a8003d11d3e4126509ca152a865bb950be5b565d82d2cce327d102ad3
Instruction Fuzzy Hash: 515177759242AC8FCB44CF68E4863E97FE5EB45304F5480FDE9888B341CA34A58ADF91

Function 005B1450 Relevance: 6.1, APIs: 4, Instructions: 127timefileCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 005B1568
CloseHandle.KERNEL32(00000000), ref: 005B156F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15A3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15AE
SetFileTime.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 005B15D1
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 005B15D8

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Time$Write
String ID:
API String ID: 1785683994-0
Opcode ID: 9ad8bd78702d20eb48e9571acf98ab39c5ea8172bbbf3870253624090ee9a0b9
Instruction ID: 32f2860a9f56264c89323d03b75d5d8d69dc091a318d338cc053f1363b7a070d
Opcode Fuzzy Hash: 9ad8bd78702d20eb48e9571acf98ab39c5ea8172bbbf3870253624090ee9a0b9
Instruction Fuzzy Hash: 8241F571100701ABE720DF28DC59B9BBBD9BF44314F140A1CF995972D0E774E944CBA9

Function 005D9510 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 006275A9: QueryPerformanceFrequency.KERNEL32(?,?,?,?,005D9522,?,?,?,?,?,?,?,?,005F8B9C), ref: 006275C7

Part of subcall function 00627592: QueryPerformanceCounter.KERNEL32(?,?,?,?,005D9531,?,?,?,?,?,?,?,?,005F8B9C), ref: 0062759B

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D9573
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D95A5
__alldvrm.LIBCMT ref: 005D95C8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D95EC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 85e12fba6b8acb37627b600c50b54ad45a2044a855940a57d984c9f8cbb6f4f6
Instruction ID: a29347647a6dcb6e7fa817104d68881049b48be7bb56e275244e8f2182188126
Opcode Fuzzy Hash: 85e12fba6b8acb37627b600c50b54ad45a2044a855940a57d984c9f8cbb6f4f6
Instruction Fuzzy Hash: 3F21B1713043182FD754EE2D6C42B3BBADEDBC8790F01843EF90ADB351E564AC0846A9

Function 05351C34 Relevance: 6.1, APIs: 4, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 05351C72
GetShellWindow.USER32 ref: 05351C93
GetCurrentThread.KERNEL32 ref: 05351CCB
GetWindowTextLengthA.USER32 ref: 05351D14

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$CurrentLengthParentShellTextThread
String ID:
API String ID: 2226962073-0
Opcode ID: 7c0df7e6edc45b7e2b159629438645f1c613711b640ec8c4555f192b4711277a
Instruction ID: 21ccf23c4759c087d932a8788256bd70a867b3d406168417bdf072b3297547f3
Opcode Fuzzy Hash: 7c0df7e6edc45b7e2b159629438645f1c613711b640ec8c4555f192b4711277a
Instruction Fuzzy Hash: 9721B875E102108BCB019F69D88E6A5BFACF748385F80C56EFC928F340EE789568CB50

Function 0059F6A0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0059F6B2
GetWindowRect.USER32(00000000,?), ref: 0059F6D1
OffsetRect.USER32(?,?,?), ref: 0059F6EA
MapWindowPoints.USER32(?,?,?,00000002), ref: 0059F6FE

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: RectWindow$ItemOffsetPoints
String ID:
API String ID: 2681051736-0
Opcode ID: 51960848f92a9f98740586be179f82eedfca4e808536bf15c1cc8b76c5f5ea4d
Instruction ID: 390c8511800857bfdadd90b7ac4c4b25943eb1911dbc94681f36b30ffcb401cc
Opcode Fuzzy Hash: 51960848f92a9f98740586be179f82eedfca4e808536bf15c1cc8b76c5f5ea4d
Instruction Fuzzy Hash: 092108B5504306EFC700DF58D8459ABBBE9FB88311F10891EF899C7251E731E955CBA2

Function 05351098 Relevance: 6.1, APIs: 4, Instructions: 55threadwindowtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 053510AA
AnyPopup.USER32 ref: 053510C1
GetMessageTime.USER32 ref: 053510FD
GetLastError.KERNEL32 ref: 05351116

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentErrorLastMessagePopupThreadTime
String ID:
API String ID: 3839394117-0
Opcode ID: f2d36be031ce61906450f97e2d39190503f2a2d8407645f873e506e65c0f0d25
Instruction ID: fcd76ffa0a3bf1a985fde0d469434219404eea99c9e9c88bfa5fccdc805c4042
Opcode Fuzzy Hash: f2d36be031ce61906450f97e2d39190503f2a2d8407645f873e506e65c0f0d25
Instruction Fuzzy Hash: EE01FE7DE000518BDB201F6AD84566BBB6AEB84362B448076FCD54B708FE704986C662

Function 0059A440 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 0059A498
VerSetConditionMask.KERNEL32(00000000), ref: 0059A49C
VerSetConditionMask.KERNEL32(00000000), ref: 0059A4A0
VerifyVersionInfoW.KERNEL32(00000023), ref: 0059A4C5

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 1546324be19c1d18ba552c91f530240cc9169aaef21505ec3e445a0fb6aad5a2
Instruction ID: ddb4be1f094a2bfe3f33bc0a7a4334c89cd6868e9bcd2719f6e76a91ac9694b0
Opcode Fuzzy Hash: 1546324be19c1d18ba552c91f530240cc9169aaef21505ec3e445a0fb6aad5a2
Instruction Fuzzy Hash: 2301ECB0644305BAF760DF21DC4AFAB7AECEF84710F00481DB588E61D1D7B896188BA6

Function 0063BC45 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,0063BD34,?), ref: 0063BC50
GetLastError.KERNEL32(?,0063BD34,?), ref: 0063BC5A
__dosmaperr.LIBCMT ref: 0063BC61
GetCurrentDirectoryW.KERNEL32(?,?,?,?,0063BD34,?), ref: 0063BC88

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast__dosmaperr
String ID:
API String ID: 1554857224-0
Opcode ID: f92ffb2acbe418a2c0eac2b6285e4dcd3fb22568640244252800b00a1dc78e7f
Instruction ID: 14508dc552e7bdd43b334aa965ba822e1323089b88edd890b23205e2a24b94ca
Opcode Fuzzy Hash: f92ffb2acbe418a2c0eac2b6285e4dcd3fb22568640244252800b00a1dc78e7f
Instruction Fuzzy Hash: C5F0FE31600711DFAB70AB72DC089577BABAF40311B10A91EE696C6660DB70D80187A4

Function 006509C9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,006356DA,00000000,00000000,?,0064E752,00000000,00000001,?,?,?,0064452A,?,00000000,00000000), ref: 006509E0
GetLastError.KERNEL32(?,0064E752,00000000,00000001,?,?,?,0064452A,?,00000000,00000000,?,?,?,00644B04,00000000), ref: 006509EC

Part of subcall function 006509B2: CloseHandle.KERNEL32(FFFFFFFE,006509FC,?,0064E752,00000000,00000001,?,?,?,0064452A,?,00000000,00000000,?,?), ref: 006509C2

___initconout.LIBCMT ref: 006509FC

Part of subcall function 00650974: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006509A3,0064E73F,?,?,0064452A,?,00000000,00000000,?), ref: 00650987

WriteConsoleW.KERNEL32(00000000,00000000,006356DA,00000000,?,0064E752,00000000,00000001,?,?,?,0064452A,?,00000000,00000000,?), ref: 00650A11

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8ad3862caecec550ef5c031a70499267021155be9ae7c2faa6d97051b8cf290e
Instruction ID: 11bc6374d5726d4a2d31aaa9b02bae3d8abf14d74e99df90902751de7c07c576
Opcode Fuzzy Hash: 8ad3862caecec550ef5c031a70499267021155be9ae7c2faa6d97051b8cf290e
Instruction Fuzzy Hash: DAF09836500219BBEF225F95DC049993E67FB093A6F045454FE1895271CB32C960EBA0

Function 0064A80A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

xbg, xrefs: 0064A836
xbg, xrefs: 0064AADC

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: xbg$xbg
API String ID: 0-3714758753
Opcode ID: 36bbe8065888e3daf91f9a7924c9e34cbb46ed9c7e374dc55fec229b86b68e97
Instruction ID: 1227040cb22c3b2b8937ece3c4a28078defa21263c6064b8ddd70c762591def1
Opcode Fuzzy Hash: 36bbe8065888e3daf91f9a7924c9e34cbb46ed9c7e374dc55fec229b86b68e97
Instruction Fuzzy Hash: C2B141B2D40205BFDB60DFA4CC82FEB77FDAB08700F154559BA15EB282EA70E9448B55

Function 0064B26E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064261C: HeapFree.KERNEL32(00000000,00000000,?,0064AE0A,?,00000000,?,?,0064B0AB,?,00000007,?,?,0064B405,?,?), ref: 00642632
Part of subcall function 0064261C: GetLastError.KERNEL32(?,?,0064AE0A,?,00000000,?,?,0064B0AB,?,00000007,?,?,0064B405,?,?), ref: 0064263D

___free_lconv_mon.LIBCMT ref: 0064B2B2

Strings

xbg, xrefs: 0064B284
hdg, xrefs: 0064B35A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: hdg$xbg
API String ID: 4068849827-1827522482
Opcode ID: 4356ab61e5bba3685b9c7d529952679288c92a7bb86033f240265b9f0088d66b
Instruction ID: fb926498dad4eb2ce06884bd76e526a512f8465cfe844b939f17473a1396b809
Opcode Fuzzy Hash: 4356ab61e5bba3685b9c7d529952679288c92a7bb86033f240265b9f0088d66b
Instruction Fuzzy Hash: BB3148716002019FEB61AE79D845BAB7BEAAF10310F65582DF449D7262DF70E9808B29

Function 005C9840 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,00000100,IV\,00000001,00000000,00000001,?,?,?,?,005C5649,?,?,?,00000000,?), ref: 005C98C0
LCMapStringW.KERNEL32(?,00000100,IV\,00000001,?,00000001,00000002,0000000E,?,?,?,?,005C5649,?,?,?), ref: 005C9940

Strings

IV\, xrefs: 005C992A, 005C98B5, 005C98B9, 005C992E

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: String
String ID: IV\
API String ID: 2568140703-238454864
Opcode ID: d7faf9cf82f0bf1bb7ef8ba5430b7e837225631568b129c1a0f407f108092171
Instruction ID: b04b3b5b6bc29600b3a89e74e5e4b21befac1d52b6fbee585bf6c1aed4d286c5
Opcode Fuzzy Hash: d7faf9cf82f0bf1bb7ef8ba5430b7e837225631568b129c1a0f407f108092171
Instruction Fuzzy Hash: C2415876200611AFD310CF5AD884BB6B7E4FB88725F14856EF689C7290D774E894CB61

Function 0534E2E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,05348E7A,00000000), ref: 0534E30C

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 0534E2E7
The file designated by DCERPCCHARTRANS cannot be opened., xrefs: 0534E305

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: DefaultBrowser_NOPUBLISHERID$The file designated by DCERPCCHARTRANS cannot be opened.
API String ID: 4139908857-370230117
Opcode ID: cb7544943f54a8ba006d48a959d2574322985ccb3015d0e0c8ab2621781cf86d
Instruction ID: 023f30fa9e52502b4228a8a1ed86d3cdb0708cbf33a844777167a660bd977bd0
Opcode Fuzzy Hash: cb7544943f54a8ba006d48a959d2574322985ccb3015d0e0c8ab2621781cf86d
Instruction Fuzzy Hash: A7213A25B040528BDB229EE880641BEB7DFFB41741B588496D4D38F748E6B1B883EF43

Function 053503D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 053504A5
GetCurrentThread.KERNEL32 ref: 053504C5

Strings

{Filemark Found}, xrefs: 0535049E

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentHandleModuleThread
String ID: {Filemark Found}
API String ID: 2752942033-1305916082
Opcode ID: e2d7b748b49efb2ff4efbb5bf2d64e239201df2158ed2a508f93b23afaa15b8f
Instruction ID: 1a0e7db0905285c89253b15b095faae8ca100be29e09173d5a8e5892bb3905b3
Opcode Fuzzy Hash: e2d7b748b49efb2ff4efbb5bf2d64e239201df2158ed2a508f93b23afaa15b8f
Instruction Fuzzy Hash: 54310AB19342069BC718DF64E64E9A67FB9F744758F90802EF8068F340EBB85450CB90

Function 05350A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 05350B24
GetSystemDefaultLangID.KERNEL32(00000000,?,?,00000000,?,053484F8), ref: 05350B6C

Strings

The callback function must be invoked inline., xrefs: 05350A71

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLengthSystemTextWindow
String ID: The callback function must be invoked inline.
API String ID: 3266653797-1109098526
Opcode ID: 90fb8161dd17044a080dbc85f326fb391a95943c3a77d5e5edb956342e653819
Instruction ID: 66ee15121cbd14ffa9ff534f713b4c098335c3363c0af4a15fd5ae5dd9057169
Opcode Fuzzy Hash: 90fb8161dd17044a080dbc85f326fb391a95943c3a77d5e5edb956342e653819
Instruction Fuzzy Hash: 073150B0A212018FD714CF69E5966257FEAF78830CF98D96EF805CF244EB748101DBA2

Function 05353328 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32 ref: 053533E1
GetWindowTextLengthW.USER32 ref: 05353448

Strings

A write operation failed while converting the volume., xrefs: 0535336E

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LargeLengthMinimumPageTextWindow
String ID: A write operation failed while converting the volume.
API String ID: 3158731419-61448210
Opcode ID: eb3de9c4f0d1ceb60318176470aa24c5046b87fd045689953e6f58c075b9c133
Instruction ID: e0ecf10f582739249ad926ed7c0ad85e9813e6c9f16cfb804f4a7b60b342d1eb
Opcode Fuzzy Hash: eb3de9c4f0d1ceb60318176470aa24c5046b87fd045689953e6f58c075b9c133
Instruction Fuzzy Hash: B8218DA6A341008BD3148F7CD8C75167FAAF754368B88EA2AE941CE691EBB4D448C681

Function 0534CDD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0534CE17
GetShellWindow.USER32 ref: 0534CE41

Strings

setmiterlimit, xrefs: 0534CDD9

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentShellThreadWindow
String ID: setmiterlimit
API String ID: 262587986-743676673
Opcode ID: e60b74cd7c9eeb3eb4cc56edd0086817cdc095951ddb26e066bca8e332bc1e6a
Instruction ID: cddbf6b65c7d2d1dd626780f2ab34623d5148c79e228f3d8b9af6ccf141f41f9
Opcode Fuzzy Hash: e60b74cd7c9eeb3eb4cc56edd0086817cdc095951ddb26e066bca8e332bc1e6a
Instruction Fuzzy Hash: B92135719242098FC700CF68E49A66A7FF8FB45319F94846DF8858F200DB31A845CFD5

Function 005A4580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005A4600

Strings

%, xrefs: 005A4594
+, xrefs: 005A45A1

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: fc1dafd169ab910db28b66a04fa97e48f06b952931c2034271e33f729ffc7716
Instruction ID: dac90b24f1735ab3b94bb040bf58b48a8d2603084badd9ac4bb27a3df8419490
Opcode Fuzzy Hash: fc1dafd169ab910db28b66a04fa97e48f06b952931c2034271e33f729ffc7716
Instruction Fuzzy Hash: AC1136725043449FDB11CE48D889BDF7FD9AF9A304F088019F98847292D7B5D918CBA3

Function 005B6310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,`][ )f,005B6CB6,`][ )f,?,?,?,00662920), ref: 005B6326
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00662920,00000000,00000000,`][ )f,?,?,00662920,005B5D60,00662920,00000000,00000000), ref: 005B638A

Strings

`][ )f, xrefs: 005B6310, 005B633A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: `][ )f
API String ID: 626452242-3177394246
Opcode ID: df834464c05d72d7940250afaa77200722df712daa3ec1360450a48240913c26
Instruction ID: a89831df813b95a7f2831c620f22cc1fb9b949195f63b76c11678519e8a205e1
Opcode Fuzzy Hash: df834464c05d72d7940250afaa77200722df712daa3ec1360450a48240913c26
Instruction Fuzzy Hash: 5D11E331204711BBE7308E549C89F9A7BA6FB45721F300B2DF1229B1D0C7A5BC51CA65

Function 005A4630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005A46A3

Strings

+, xrefs: 005A4650
%, xrefs: 005A4644

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: a3b72f0b22335ff30c80bbcba514fa06435b1ede7dd33deeb7e530f75ec359d3
Instruction ID: 8e92249bcc2d39a136a86deb1ae3de5c880cb95d7df415fd34d039568da9e95c
Opcode Fuzzy Hash: a3b72f0b22335ff30c80bbcba514fa06435b1ede7dd33deeb7e530f75ec359d3
Instruction Fuzzy Hash: D6113832104345AEDB118D98CC04BDFBFA8AF97314F048519F99857281D3B4A8159BF2

Function 005A46D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005A4743

Strings

+, xrefs: 005A46F0
%, xrefs: 005A46E4

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 75545949910e4368b5cf1099c73b23fb14ecee2b1ffe9e188ec4ad00851b3ef2
Instruction ID: 607350653033a1e2aaae883a43b06de4b42dcdcfcb6788027ee1a9267737e493
Opcode Fuzzy Hash: 75545949910e4368b5cf1099c73b23fb14ecee2b1ffe9e188ec4ad00851b3ef2
Instruction Fuzzy Hash: A8113836108384AEDB11CD98DC44BDFBFD8EF97354F048519F98457281D3B4A4169BE2

Function 0534DF38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 0534DF6A

Strings

2147483647, xrefs: 0534DFB1
{Network Request Timeout}, xrefs: 0534DF39

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LengthTextWindow
String ID: 2147483647${Network Request Timeout}
API String ID: 298885082-3867047420
Opcode ID: 80e204b142a629670d17d063e10a445e382454ce66df5834ea3931017f34f8f3
Instruction ID: 555eb3f9a6d732a762e440ccdfa798079c08f32d0db2c012bcb2b23c495a3190
Opcode Fuzzy Hash: 80e204b142a629670d17d063e10a445e382454ce66df5834ea3931017f34f8f3
Instruction Fuzzy Hash: 771101B59242418BDB11DF31D88A2A17FF9F719308F94CA5DE4628F244DA74E528CF68

Function 0534E6D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(05008D72,?,?,0534741F), ref: 0534E71D

Strings

The operation failed because the log is a dedicated log., xrefs: 0534E6DE
heap_failure_listentry_corruption, xrefs: 0534E728

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LanguageThread
String ID: The operation failed because the log is a dedicated log.$heap_failure_listentry_corruption
API String ID: 243849632-2863350049
Opcode ID: d4760338bf72cff6376622e4ab11b413099f59b091aa83e939df6693c71f7b61
Instruction ID: 2ed79ad79ef964bd25030b07b550a4b003359743680848ef3c0aea16158f5018
Opcode Fuzzy Hash: d4760338bf72cff6376622e4ab11b413099f59b091aa83e939df6693c71f7b61
Instruction Fuzzy Hash: 5511CEB6E342008BDB40CE6DD89A6217FF9F754318B848C29F4A5CF350EBB5D5108A41

Function 005C45D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C4616

Strings

XMf, xrefs: 005C4662
PMf, xrefs: 005C4669

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ___std_exception_copy
String ID: PMf$XMf
API String ID: 2659868963-3086229458
Opcode ID: 884f54ce9a8b8c9db3334819ae02d694cb05411b7c054e28ac4bbcd143fa55b0
Instruction ID: a3b840f2616c744e1fa2b2afb80668ead8241d5c318308873dc4e35189932481
Opcode Fuzzy Hash: 884f54ce9a8b8c9db3334819ae02d694cb05411b7c054e28ac4bbcd143fa55b0
Instruction Fuzzy Hash: F52103B5900B45EFC724CF19C544A56BBF9FF09710F008A2EE8AA87B40D7B0A958CB90

Function 0534E000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,0000022C,?,05341276), ref: 0534E078

Strings

Failed to read text to match, xrefs: 0534E030
The attribute cannot be written., xrefs: 0534E001

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Failed to read text to match$The attribute cannot be written.
API String ID: 768647712-3297483619
Opcode ID: e1874e3a5e920d4e28dd777235eafe4cc02fb05144ee0b59355a768fe96ffb88
Instruction ID: a460564f26b4186fffa9f40e651b13ac80994dc01fca6d87a0b97cb7c10164a9
Opcode Fuzzy Hash: e1874e3a5e920d4e28dd777235eafe4cc02fb05144ee0b59355a768fe96ffb88
Instruction Fuzzy Hash: 0E11C2749251028FD301CF6AE986122BFEEF785318BE4C05EF4558F308DA31A802AFA1

Function 05351F1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05351F21
AnyPopup.USER32 ref: 05351FA8

Strings

The specified disk is not empty., xrefs: 05351F78

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentPopupThread
String ID: The specified disk is not empty.
API String ID: 2908149267-2386209912
Opcode ID: e0604f9e13bc68f3a18f7dc0e05bfa334fc0554fa9a9ef1f6def3889e54e0de3
Instruction ID: 5b20e3e6b021b486433095d762f8bdc5c86a6cef3aa9f6f15b4c5484d1a4ed69
Opcode Fuzzy Hash: e0604f9e13bc68f3a18f7dc0e05bfa334fc0554fa9a9ef1f6def3889e54e0de3
Instruction Fuzzy Hash: CD1191796212414FD318CF28EA876613FEDE748318F94D96EF806CF261DB748540CB51

Function 0062694D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00626959
std::_Lockit::~_Lockit.LIBCPMT ref: 006269B5

Strings

09Z, xrefs: 00626980, 0062699A

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 09Z
API String ID: 593203224-1578109394
Opcode ID: 44ac8ac85b823b436cc35911e9c3570e990df3922dfc8e7c0e2a931f91ec2b09
Instruction ID: 759f6aa44f1aed99eeb36fb8ad94884d59afe26c12bef757a79505ed109d8b2c
Opcode Fuzzy Hash: 44ac8ac85b823b436cc35911e9c3570e990df3922dfc8e7c0e2a931f91ec2b09
Instruction Fuzzy Hash: 0A01A934A00A25EFDB00DB14E894A9D77BAEF81310B04009AE8019B360DF30AE45CB61

Function 0535131C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48windowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0535135E
GetSystemDefaultLangID.KERNEL32(?,?,?,0534BCC7), ref: 053513BC

Strings

/iCCP/ProfileName, xrefs: 05351320

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangMessageSystemTime
String ID: /iCCP/ProfileName
API String ID: 1876246435-2957417691
Opcode ID: a9441dc6cd6954d19079dae1c21e2e80c9cf6d64cf28aaac26017f2ff1983666
Instruction ID: 182fc12710bbf08f6dc58cbef06caa1368c425feddf0bbcf00850c45908ec43f
Opcode Fuzzy Hash: a9441dc6cd6954d19079dae1c21e2e80c9cf6d64cf28aaac26017f2ff1983666
Instruction Fuzzy Hash: A3118EB69342808FE304CE79E496A157FEEF75435CF84C56EF289CA614EB38C401C690

Function 05351228 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 05351286
GetOEMCP.KERNEL32(00000000), ref: 0535129A

Strings

RR.Raphael.Install.Builder, xrefs: 0535127F

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: RR.Raphael.Install.Builder
API String ID: 4139908857-540015930
Opcode ID: 4cacc424dbdaacb7d368cc5c131245f3f8aa50f8a35f8b7fab8920c4d96ffb29
Instruction ID: 33f070a50681660b12fe143316b3eb4174a55158733be2dfaf958993bd833c66
Opcode Fuzzy Hash: 4cacc424dbdaacb7d368cc5c131245f3f8aa50f8a35f8b7fab8920c4d96ffb29
Instruction Fuzzy Hash: 430124759141559BCF008FA8C4A5BAABBA9FB09324F4480A9FDE5CF280EA349401CB86

Function 05351710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0535174A

Strings

Print or disk redirection is temporarily paused., xrefs: 0535171A
The IPsec cipher transform is not compatible with the policy., xrefs: 05351743

Memory Dump Source

Source File: 00000000.00000002.1857654055.0000000005340000.00000040.00001000.00020000.00000000.sdmp, Offset: 05340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: Print or disk redirection is temporarily paused.$The IPsec cipher transform is not compatible with the policy.
API String ID: 4139908857-1868017272
Opcode ID: cf151a2edb03ac93667b8f037c429ab12aa59b979805a293849b88a3016d7a10
Instruction ID: 385682e8574705d77d2ee9fa1cfdbffbd04b9183fd6d2f1fda20dcbb0c208fa3
Opcode Fuzzy Hash: cf151a2edb03ac93667b8f037c429ab12aa59b979805a293849b88a3016d7a10
Instruction Fuzzy Hash: 5AF0D1729212519FC704DB28E882A967FECFB4A304F80C5AEE569CF204E62199408B81

Function 005C3550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C3574

Strings

C'\, xrefs: 005C3551
(Of, xrefs: 005C3579

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ___std_exception_copy
String ID: (Of$C'\
API String ID: 2659868963-1825978011
Opcode ID: a33d2f9ef8576d9d5912ae66b05bd75d3a8b670e7e9896a9cd0e38ef46031784
Instruction ID: e8d34763771f434a531505a2a3870a965d720427ceb639c1ac91ccc428d75c52
Opcode Fuzzy Hash: a33d2f9ef8576d9d5912ae66b05bd75d3a8b670e7e9896a9cd0e38ef46031784
Instruction Fuzzy Hash: 0201C0F1500A02AFC314CF19D548642FBF5BF49320B01871EE4698BB80D7B0A568CB94

Function 006464ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00646AC8,-00000020,00000FA0,00000000,00000000,00000000,00000000,?), ref: 0064652D

Strings

09Z, xrefs: 0064651D
InitializeCriticalSectionEx, xrefs: 006464FD

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 09Z$InitializeCriticalSectionEx
API String ID: 2593887523-281017962
Opcode ID: 84a27c4a5de7fab4c3c694783c8a7547d32e19cf3e19d4b9bfbdf6ea0a886cc8
Instruction ID: f2e94afbd00704efaec9030cbd50d658946d20a381fa153b6615f04a97842f3c
Opcode Fuzzy Hash: 84a27c4a5de7fab4c3c694783c8a7547d32e19cf3e19d4b9bfbdf6ea0a886cc8
Instruction Fuzzy Hash: 70E01236581318B7CF216F51DC06D9E7F17EB55BA2F018010FD18191A1DA714A61EAD5

Function 005C4DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C4E03

Strings

PMf, xrefs: 005C4E3D
XMf, xrefs: 005C4E36

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: ___std_exception_copy
String ID: PMf$XMf
API String ID: 2659868963-3086229458
Opcode ID: eebc8b8bfa3a652cac560cee5a25c8496f954168d366e8ae6c89eab10222daae
Instruction ID: 0edae767f582aefbd09671806a77881bb569d387100a3b13bda7fb8a9e452ad4
Opcode Fuzzy Hash: eebc8b8bfa3a652cac560cee5a25c8496f954168d366e8ae6c89eab10222daae
Instruction Fuzzy Hash: 1DF0B2B1405B518FC334CF18D818646BFF5AF05728F018B1EE0AA9BB91D7B0A548CB98

Function 006462D7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0064630B

Strings

09Z, xrefs: 00646301
FlsAlloc, xrefs: 006462E7

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Alloc
String ID: 09Z$FlsAlloc
API String ID: 2773662609-13803204
Opcode ID: 983864d06a42b7728fa708946dd614ad23c3dd33645099e1e7595644e3b3572c
Instruction ID: d05364ec9318e1fa7adb8efee42e1909adc4648be8621e3c46d82c3be656d313
Opcode Fuzzy Hash: 983864d06a42b7728fa708946dd614ad23c3dd33645099e1e7595644e3b3572c
Instruction Fuzzy Hash: BCE02B32680364B787223791DC1BDDF7E17CB52B73F011030FD05562D28AA50C4591EB

Function 00628921 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00627672,00000000,00000000,00000000,?,006275F1,?,0067B2B8,00000000,?,0062744B,?,00000000,00000000), ref: 0062893A
GetSystemTimeAsFileTime.KERNEL32(00000000,0067B2B8,?,00627672,00000000,00000000,00000000,?,006275F1,?,0067B2B8,00000000,?,0062744B,?,00000000), ref: 0062893E

Strings

09Z, xrefs: 00628934

Memory Dump Source

Source File: 00000000.00000002.1856705125.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true

Associated: 00000000.00000002.1856688052.0000000000560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856778475.0000000000659000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856800684.0000000000676000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856817216.0000000000677000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856835588.0000000000679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856851640.000000000067C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_iQPxJrxxaj.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: 09Z
API String ID: 743729956-1578109394
Opcode ID: dd947c912eb62b697032fdbb5d1383de60b8fc2afa3815139196d849c9e22119
Instruction ID: 4ae9c7c9990fc900345718413b0820ba2a3b9dacfff795e38567e546315b1875
Opcode Fuzzy Hash: dd947c912eb62b697032fdbb5d1383de60b8fc2afa3815139196d849c9e22119
Instruction Fuzzy Hash: 52D02232902638EF8B012B88FC044FC7B1FEA45B62B040011E80D43220CF201C819FE3

Analysis Process: ctfmon.exePID: 7428, Parent PID: 7352COMMON

Execution Graph

Execution Coverage:	39.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.2%
Total number of Nodes:	543
Total number of Limit Nodes:	2

Executed Functions

Function 00786740 Relevance: 41.6, APIs: 3, Strings: 20, Instructions: 1362memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00785098: LdrGetProcedureAddress.NTDLL ref: 007852C9

CreateMutexW.KERNELBASE ref: 00787AC8
GetUserNameW.ADVAPI32 ref: 00787C9D
LocalAlloc.KERNEL32 ref: 00787FF8

Strings

=y, xrefs: 00787189
ult, xrefs: 00786CB1
chr-Cher-US, xrefs: 00786A6D
sq-AL, xrefs: 00786889, 00787006, 0078707F
address_family_not_supported, xrefs: 0078686D, 00786875, 00786C44, 00786D8E, 00786E0F, 00786EA1, 00786F90, 007871AB, 00787668, 00787F48, 0078803D
or-IN, xrefs: 00786A94, 00787126, 00787933
onecoreuap\base\appmodel\search\common\utils\regredirect.cxx, xrefs: 00786789, 007867CD, 00786A4C, 00786C68, 00786FEA, 0078709B
failureId, xrefs: 007867BA
$$y, xrefs: 00786752
ca-ES, xrefs: 007867FD, 007868E4, 00786D86, 007870F1, 0078711D, 0078713E, 00787230, 00787280, 0078764A, 0078768C, 007876BA, 00787B17, 00787B82, 00787B8A, 00787DD7, 00787E14, 00787F50, 00788005
|$y, xrefs: 00787191
SECURITY, xrefs: 00786781, 0078679F, 00786A78, 00786B52, 00786B97, 00786BE9, 007870D7, 0078715A, 007876A9
, xrefs: 00787FE9
failureType, xrefs: 00786F36
threadId, xrefs: 00786C60, 00786DA2, 00786F88, 0078729B, 007872A9, 00787F16
:, xrefs: 00786AB6
resu, xrefs: 00786D60
=y, xrefs: 00787162
|$y, xrefs: 00788035
`$y, xrefs: 00786F1D

Memory Dump Source

Source File: 00000001.00000002.3073858624.0000000000781000.00000020.00000400.00020000.00000000.sdmp, Offset: 00780000, based on PE: true

Associated: 00000001.00000002.3073844183.0000000000780000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073877642.000000000078F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073892660.0000000000792000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073907473.0000000000796000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_780000_ctfmon.jbxd

Similarity

API ID: AddressAllocCreateLocalMutexNameProcedureUser
String ID: $$$y$:$SECURITY$`$y$address_family_not_supported$ca-ES$chr-Cher-US$failureId$failureType$onecoreuap\base\appmodel\search\common\utils\regredirect.cxx$or-IN$resu$sq-AL$threadId$ult$|$y$|$y$=y$=y
API String ID: 664105279-99074842
Opcode ID: 1e378aec4e67495fa407fe41ed79426ef827b7c5165fb21ccce98882f070c283
Instruction ID: 9968f8eacb932f3d91c67fc728a007067304b5c0ad1e5b224b1b5b82c3914800
Opcode Fuzzy Hash: 1e378aec4e67495fa407fe41ed79426ef827b7c5165fb21ccce98882f070c283
Instruction Fuzzy Hash: 86E259B0955704DFC714EF68D98869ABBE0FF49300F5589BEE4888B322D7388946CF95

Function 00781468 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE ref: 007815E8

Strings

+y, xrefs: 007814B0
originatingContextId, xrefs: 0078149F, 00781513
host unreachable, xrefs: 007814CC

Memory Dump Source

Source File: 00000001.00000002.3073858624.0000000000781000.00000020.00000400.00020000.00000000.sdmp, Offset: 00780000, based on PE: true

Associated: 00000001.00000002.3073844183.0000000000780000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073877642.000000000078F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073892660.0000000000792000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073907473.0000000000796000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_780000_ctfmon.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: host unreachable$originatingContextId$+y
API String ID: 3662101638-107514122
Opcode ID: 4b4111e38db9f8a313162adff02f0ec463f767d9fb1e1cdd18d1423866c65f0b
Instruction ID: 5d2f189935e4d2ce24f7bd3f120a9a251f1405607667dd3e652ff1642b85f050
Opcode Fuzzy Hash: 4b4111e38db9f8a313162adff02f0ec463f767d9fb1e1cdd18d1423866c65f0b
Instruction Fuzzy Hash: 88417BB18543448FCB10EF64DC4869ABBF9FB44324F40C96BD45A976A0D33C8946CF99

Function 00789A6C Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE ref: 00789AA2

Strings

p?y, xrefs: 00789AD7

Memory Dump Source

Source File: 00000001.00000002.3073858624.0000000000781000.00000020.00000400.00020000.00000000.sdmp, Offset: 00780000, based on PE: true

Associated: 00000001.00000002.3073844183.0000000000780000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073877642.000000000078F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073892660.0000000000792000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3073907473.0000000000796000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_780000_ctfmon.jbxd

Similarity

API ID: AllocLocal
String ID: p?y
API String ID: 3494564517-3669447398
Opcode ID: 6eb6016724de92750bd63dd045c24fc11e19d09cd99939a977f3ebff573caeeb
Instruction ID: ef0c7a09634713fb3f0f64fe54c167a5aad62eb8d5353e238943d9540a9ff832
Opcode Fuzzy Hash: 6eb6016724de92750bd63dd045c24fc11e19d09cd99939a977f3ebff573caeeb
Instruction Fuzzy Hash: EC110AB0955705DFDB00EF69E88555A7BE4FB48750F00C45AE6588B325D3389801CF96

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iQPxJrxxaj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pikabot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
iQPxJrxxaj.exe

Function 0059E040 Relevance: 73.9, APIs: 26, Strings: 16, Instructions: 368
libraryloaderCOMMON

Function 0534997C Relevance: 39.2, APIs: 12, Strings: 10, Instructions: 722
threadCOMMON

Function 05342918 Relevance: 35.7, APIs: 10, Strings: 10, Instructions: 687
stringthreadCOMMON

Function 0534C6A0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 387
threadCOMMON

Function 0534AF48 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 330
threadCOMMON

Function 0534A8A0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 331
processCOMMON

Function 053410E8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 140
processCOMMON

Function 005F0F00 Relevance: 88.4, APIs: 48, Strings: 2, Instructions: 854
COMMON

Function 0059B9A0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 357
windowCOMMON

Function 0059F580 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 103
COMMON

Function 0059B630 Relevance: 18.1, APIs: 12, Instructions: 100
windowCOMMON

Function 0534C100 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 213
COMMON

Function 05350810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 101
windowtimethreadCOMMON

Function 05350D70 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
COMMON

Function 0534BBAC Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95
COMMON