Edit tour

Windows Analysis Report
1XZFfxyWZA.exe

Overview

General Information

Sample name:	1XZFfxyWZA.exe renamed because original name is a hash value
Original sample name:	4AA3A0EB589DA4820635577D4C82C3B5.exe
Analysis ID:	1543051
MD5:	4aa3a0eb589da4820635577d4c82c3b5
SHA1:	0b0fd6ac3648c6c7166f92e7ed2640deb73bcb5d
SHA256:	c26ce02368f7e800361b6174fb471e5499347e4205b354011908bff9409d2e1e
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of debugger detection

Injects a PE file into a foreign processes

Installs new ROOT certificates

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma detected: Suspicious Copy From or To System Directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

1XZFfxyWZA.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\1XZFfxyWZA.exe" MD5: 4AA3A0EB589DA4820635577D4C82C3B5)

cmd.exe (PID: 6996 cmdline: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7164 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6236 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3168 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1516 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5808 cmdline: cmd /c md 667869 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5928 cmdline: findstr /V "AvenueAdaptorDuiDivision" Marco MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2708 cmdline: cmd /c copy /b ..\Preparation + ..\Sustained + ..\Recommendations + ..\Sw + ..\Mac + ..\Understand N MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Approaches.pif (PID: 5440 cmdline: Approaches.pif N MD5: 18CE19B57F43CE0A5AF149C96AECC685)

RegAsm.exe (PID: 4124 cmdline: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

choice.exe (PID: 4124 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "87.120.115.20:28332", "Bot Id": "works", "Authorization Header": "ebaab249295fe3ff536559f38593991c"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.2251278695.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2250995716.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2251560532.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2309470984.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2251060881.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Approaches.pif PID: 5440	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4124	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.RegAsm.exe.730000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, ParentCommandLine: Approaches.pif N, ParentImage: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif, ParentProcessId: 5440, ParentProcessName: Approaches.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, ProcessId: 4124, ProcessName: RegAsm.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Approaches.pif N, CommandLine: Approaches.pif N, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6996, ParentProcessName: cmd.exe, ProcessCommandLine: Approaches.pif N, ProcessId: 5440, ProcessName: Approaches.pif

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, ParentCommandLine: Approaches.pif N, ParentImage: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif, ParentProcessId: 5440, ParentProcessName: Approaches.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe, ProcessId: 4124, ProcessName: RegAsm.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\1XZFfxyWZA.exe", ParentImage: C:\Users\user\Desktop\1XZFfxyWZA.exe, ParentProcessId: 6876, ParentProcessName: 1XZFfxyWZA.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat, ProcessId: 6996, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6996, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 1516, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T07:18:02.731272+0100	2043234	1	A Network Trojan was detected	87.120.115.20	28332	192.168.2.4	49768	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T07:18:02.486694+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:08.016687+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:08.969877+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:09.292832+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:09.858335+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:10.257864+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.341987+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.634582+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.805383+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.046773+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.333135+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.604213+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.846262+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.085739+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.329309+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.581898+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.820733+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:14.161017+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T07:18:08.270659+0100	2046056	1	A Network Trojan was detected	87.120.115.20	28332	192.168.2.4	49768	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T07:18:02.486694+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49768	87.120.115.20	28332	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "87.120.115.20:28332", "Bot Id": "works", "Authorization Header": "ebaab249295fe3ff536559f38593991c"}

Multi AV Scanner detection for submitted file

Source: 1XZFfxyWZA.exe	ReversingLabs: Detection: 28%
Source: 1XZFfxyWZA.exe	Virustotal: Detection: 31%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.2% probability

Source: 1XZFfxyWZA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1XZFfxyWZA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000000F.00000000.2252131125.0000000000352000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000F.00000000.2252131125.0000000000352000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00514005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00514005
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0051494A
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00513CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00513CE2
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0051C2FF
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051CD14 FindFirstFileW,FindClose,	10_2_0051CD14
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0051CD9F
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0051F5D8
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0051F735
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0051FA36

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\667869	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\667869\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Code function: 4x nop then jmp 07231CC8h

15_2_072317D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49768 -> 87.120.115.20:28332
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49768 -> 87.120.115.20:28332
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 87.120.115.20:28332 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 87.120.115.20:28332 -> 192.168.2.4:49768

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.115.20:28332

Source: global traffic

TCP traffic: 192.168.2.4:49768 -> 87.120.115.20:28332

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown

DNS traffic detected: query: qzvkxaAyizkCBLIA.qzvkxaAyizkCBLIA replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.115.20
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_005229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_005229BA

Source: global traffic

DNS traffic detected: DNS query: qzvkxaAyizkCBLIA.qzvkxaAyizkCBLIA

Source: 1XZFfxyWZA.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9&
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002992000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000000.1774043752.0000000000579000.00000002.00000001.01000000.00000006.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 1XZFfxyWZA.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Approaches.pif, 0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Abu.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00524830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_00524830

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00524632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00524632

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_0053D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_0053D164

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp296F.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp297F.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00514254: CreateFileW,DeviceIoControl,CloseHandle,

10_2_00514254

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00508F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00508F2E

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00515778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_00515778

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

File created: C:\Windows\ConstructionChecked

Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004BB020	10_2_004BB020
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004B94E0	10_2_004B94E0
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004B9C80	10_2_004B9C80
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D23F5	10_2_004D23F5
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00538400	10_2_00538400
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E6502	10_2_004E6502
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E265E	10_2_004E265E
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004BE6F0	10_2_004BE6F0
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D282A	10_2_004D282A
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E89BF	10_2_004E89BF
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E6A74	10_2_004E6A74
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00530A3A	10_2_00530A3A
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004C0BE0	10_2_004C0BE0
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DCD51	10_2_004DCD51
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0050EDB2	10_2_0050EDB2
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00518E44	10_2_00518E44
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00530EB7	10_2_00530EB7
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E6FE6	10_2_004E6FE6
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D33B7	10_2_004D33B7
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004CD45D	10_2_004CD45D
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DF409	10_2_004DF409
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004B1663	10_2_004B1663
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004CF628	10_2_004CF628
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004BF6A0	10_2_004BF6A0
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D16B4	10_2_004D16B4
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D78C3	10_2_004D78C3
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D1BA8	10_2_004D1BA8
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DDBA5	10_2_004DDBA5
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004E9CE5	10_2_004E9CE5
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004CDD28	10_2_004CDD28
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D1FC0	10_2_004D1FC0
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DBFD6	10_2_004DBFD6
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_024DDC74	15_2_024DDC74
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD67D8	15_2_05FD67D8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FDA3E8	15_2_05FDA3E8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD3F50	15_2_05FD3F50
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FDA3D8	15_2_05FDA3D8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD6FF8	15_2_05FD6FF8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD6FE8	15_2_05FD6FE8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_07233760	15_2_07233760
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_072317D0	15_2_072317D0
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_072344A8	15_2_072344A8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_0723D3C8	15_2_0723D3C8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_0723F268	15_2_0723F268
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_072391B8	15_2_072391B8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_07230040	15_2_07230040
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_0723CF20	15_2_0723CF20
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_0723F25D	15_2_0723F25D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: String function: 004D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: String function: 004C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: String function: 004D8B30 appears 42 times

Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs 1XZFfxyWZA.exe
Source: 1XZFfxyWZA.exe, 00000000.00000002.1792333444.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 1XZFfxyWZA.exe
Source: 1XZFfxyWZA.exe, 00000000.00000003.1790891407.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 1XZFfxyWZA.exe

Source: 1XZFfxyWZA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/18@1/1

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_0051A6AD GetLastError,FormatMessageW,

10_2_0051A6AD

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00508DE9 AdjustTokenPrivileges,CloseHandle,		10_2_00508DE9
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00509399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_00509399

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00514148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_00514148

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_0051443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_0051443D

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

File created: C:\Users\user\AppData\Local\Temp\nss4652.tmp

Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat

Source: 1XZFfxyWZA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1XZFfxyWZA.exe	ReversingLabs: Detection: 28%
Source: 1XZFfxyWZA.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

File read: C:\Users\user\Desktop\1XZFfxyWZA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1XZFfxyWZA.exe "C:\Users\user\Desktop\1XZFfxyWZA.exe"
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 667869
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "AvenueAdaptorDuiDivision" Marco
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Preparation + ..\Sustained + ..\Recommendations + ..\Sw + ..\Mac + ..\Understand N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif Approaches.pif N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process created: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 667869	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "AvenueAdaptorDuiDivision" Marco	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Preparation + ..\Sustained + ..\Recommendations + ..\Sw + ..\Mac + ..\Understand N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif Approaches.pif N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Google Chrome.lnk.15.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1XZFfxyWZA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000000F.00000000.2252131125.0000000000352000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000F.00000000.2252131125.0000000000352000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004D8B75 push ecx; ret	10_2_004D8B88
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004CCBF1 push eax; retf	10_2_004CCBF8
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FDC710 push es; ret	15_2_05FDC720
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FDE060 push es; ret	15_2_05FDE070
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FDECF2 push eax; ret	15_2_05FDED01
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD49AB push FFFFFF8Bh; retf	15_2_05FD49AD
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Code function: 15_2_05FD3B4F push dword ptr [esp+ecx*2-75h]; ret	15_2_05FD3B53

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Jump to dropped file

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	File created: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_005359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_005359B3
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_004C5EDA

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_004D33B7

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Memory allocated: 2430000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Window / User API: threadDelayed 692			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Window / User API: threadDelayed 4203			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

API coverage: 4.8 %

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe TID: 2992	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe TID: 3704	Thread sleep count: 692 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe TID: 3704	Thread sleep count: 4203 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe TID: 5328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00514005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00514005
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0051494A
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00513CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00513CE2
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0051C2FF
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051CD14 FindFirstFileW,FindClose,	10_2_0051CD14
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0051CD9F
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0051F5D8
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0051F735
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0051FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0051FA36

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_004C5D13

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\667869	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\667869\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: RegAsm.exe, 0000000F.00000002.2459133772.0000000006151000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: Approaches.pif, 0000000A.00000002.2321638662.0000000003D95000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2317648693.0000000003D94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_10-98679

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Code function: 15_2_07230040 LdrInitializeThunk,

15_2_07230040

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_005245D5 BlockInput,

10_2_005245D5

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_004C5240

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_004E5CAC

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_005088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_005088CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DA354 SetUnhandledExceptionFilter,		10_2_004DA354
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_004DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		10_2_004DA385

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Memory written: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe base: 730000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Memory written: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe base: 730000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Memory written: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe base: 5FD000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00509369 LogonUserW,

10_2_00509369

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_004C5240

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00511AC6 SendInput,keybd_event,

10_2_00511AC6

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_005151E2 mouse_event,

10_2_005151E2

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 667869	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "AvenueAdaptorDuiDivision" Marco	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Preparation + ..\Sustained + ..\Recommendations + ..\Sw + ..\Mac + ..\Understand N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif Approaches.pif N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

10_2_005088CD

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_00514F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00514F1C

Source: 1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AA5000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000000.1773957145.0000000000566000.00000002.00000001.01000000.00000006.sdmp, Approaches.pif.1.dr, Abu.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Approaches.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004D885B cpuid

10_2_004D885B

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004F0030 GetLocalTime,__swprintf,

10_2_004F0030

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004F0722 GetUserNameW,

10_2_004F0722

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Code function: 10_2_004E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_004E416A

Source: C:\Users\user\Desktop\1XZFfxyWZA.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 0000000F.00000002.2459287300.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2462310746.0000000007151000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2451037559.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\SysWOW64\choice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.RegAsm.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251278695.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2250995716.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251560532.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309470984.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251060881.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Approaches.pif PID: 5440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4124, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Approaches.pif	Binary or memory string: WIN_81
Source: Approaches.pif	Binary or memory string: WIN_XP
Source: Approaches.pif	Binary or memory string: WIN_XPe
Source: Approaches.pif	Binary or memory string: WIN_VISTA
Source: Approaches.pif	Binary or memory string: WIN_7
Source: Approaches.pif	Binary or memory string: WIN_8
Source: Abu.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4124, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 15.2.RegAsm.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251278695.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2250995716.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251560532.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2309470984.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2251060881.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Approaches.pif PID: 5440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4124, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_0052696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		10_2_0052696E
Source: C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	Code function: 10_2_00526E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_00526E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Install Root Certificate	NTDS	127 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	361 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	341 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	341 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1XZFfxyWZA.exe	29%	ReversingLabs	Win32.Trojan.Generic
1XZFfxyWZA.exe	32%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	2%	Virustotal		Browse
http://tempuri.org/Entity/Id14ResponseD	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qzvkxaAyizkCBLIA.qzvkxaAyizkCBLIA	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://tempuri.org/	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.autoitscript.com/autoit3/	1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif.1.dr, Abu.0.dr	false		unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id6ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id5	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id7	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id6	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	1XZFfxyWZA.exe, 00000000.00000003.1736710196.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000000.1774043752.0000000000579000.00000002.00000001.01000000.00000006.sdmp, Approaches.pif.1.dr, Abu.0.dr	false		unknown
https://api.ip.sb/ip	Approaches.pif, 0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, Approaches.pif, 0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id20	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id21	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id22	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	1XZFfxyWZA.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id11	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id12	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id16Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id14	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id15	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id16	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id18	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id19	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002992000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RegAsm.exe, 0000000F.00000002.2452067965.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8ResponseD	RegAsm.exe, 0000000F.00000002.2452067965.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	RegAsm.exe, 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegAsm.exe, 0000000F.00000002.2452067965.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.115.20	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543051
Start date and time:	2024-10-27 07:16:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1XZFfxyWZA.exe renamed because original name is a hash value
Original Sample Name:	4AA3A0EB589DA4820635577D4C82C3B5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/18@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 100 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:17:42	API Interceptor	21x Sleep call for process: Approaches.pif modified
02:18:10	API Interceptor	29x Sleep call for process: RegAsm.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	https://anviict.com/?qvtvxymb	Get hash	malicious	HTMLPhisher	Browse	87.120.125.203
	t50.elf	Get hash	malicious	Xmrig	Browse	87.120.117.189
	ctCDAy5OQc.exe	Get hash	malicious	XenoRAT	Browse	87.120.116.115
	roze.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	87.120.112.102
	0CX5ickdBO.elf	Get hash	malicious	Gafgyt, Mirai	Browse	87.120.112.102
	nAPbYNc5C7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	87.120.112.102
	2l3kD0USE4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	87.120.112.102
	sqVzO0x5ns.elf	Get hash	malicious	Gafgyt, Mirai	Browse	87.120.112.102

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe	lcxMtt6sny.exe	Get hash	malicious	Quasar	Browse
	60w1fGMqay.exe	Get hash	malicious	RedLine	Browse
	GOmRjFSKNz.exe	Get hash	malicious	RedLine	Browse
	t1B7sgX825.exe	Get hash	malicious	RedLine	Browse
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse
	rDoc5633276235623657_xls.exe	Get hash	malicious	StormKitty, XWorm	Browse
	lchs.exe	Get hash	malicious	Quasar	Browse
	Shipping Documemt.vbs	Get hash	malicious	Lokibot	Browse
	AaK2FmzNcl.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\667869\Approaches.pif	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	1WDpq6mvnr.exe	Get hash	malicious	Unknown	Browse
	1WDpq6mvnr.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.HEUR.Backdoor.Win32.Agent.gen.2809.4386.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:38 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.457614077721351
Encrypted:	false
SSDEEP:	48:8SXd7oTbs0GRYrnvPdAKRkdAGdAKRFdAKR/U:8S5ont
MD5:	B5B1DB266E6440997BA86803C04E9B85
SHA1:	26AB85E411F7B6379A4747FCD496CE1028099388
SHA-256:	4D440025E8C2100FE32A0B66A9EF12D0B808CFCB3A00E643D3716A9EF7ABE7D2
SHA-512:	DB8CFE2AB30EC9CA35290FD36D3F9AAC7900580A500C05F234E5DF62E48B1DC7DC20231EC8E38993D870BAC17CA58641E2F41AD5CB8CC9D59D5BCC4672A451C8
Malicious:	false
Preview:	L..................F.@.. ......,.....O........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWT`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWT`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWT`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: ZnPyVAOUBc.exe, Detection: malicious, Browse Filename: 1WDpq6mvnr.exe, Detection: malicious, Browse Filename: 1WDpq6mvnr.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.HEUR.Backdoor.Win32.Agent.gen.2809.4386.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\667869\N

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	424543
Entropy (8bit):	7.999568569943796
Encrypted:	true
SSDEEP:	12288:IinkNfq+xXzTGpKzxQ8hoz6OXrNKKyH2c60O0i:IinkNCgE8I6OXrNKKyHjOR
MD5:	20A0E6D76A5184D598BC45699196FB4B
SHA1:	B6D0A2077C3B6AA8806290F8F030DF0AECE5F6AC
SHA-256:	CD8FA96B089D7751681DDC98F55FCDC4C953C2F04715E6F7CBF1D68D940BD0A7
SHA-512:	191F7BE64C299F931F3B80D3620E3A4ADA56328FBAC64A93CCF3E166211FDE0E5224FFEB223AD1879AAC17EEC43CFD27B7D33D16C5A897B1169CE5F434EBB3ED
Malicious:	false
Preview:	...^K~....t...87mN......D..nn......LV...c.\.t....\d.O....K.$t... K...oD.s.HSdpfi..VK..,.t.>.J...C&.{.sJh.8s....a......[l..i5WR...,?O.....u...-...+....&_..h..3`.....Wl.......?.].e.,.}.....3. h..9..5..`.Q.$..~..Lz.3\e-..x.C..j....yAl...,&.R..(........3<.4.....x.....g.8.6!%.D.%....1.6._.o......^...z....k.v.^S.=.Ft..:..H..h..S)].4...bsw...J..[.U{..~...l.tK...s.....0...E;z-...\.4.qi......O@IH8R:..9...+..w.&j?..1%.:....D..A./..]M.>.:..R&.........a=&.N....&G.d..B..a.5 n..*......._ &.CW..S.,........Y+...]..........^.f.. B..uK.%ji..4.n..N.E.E...L..z.GI.v.pGa.xP<....\....O,..j.e..v..{....uS..<.I;......y...!._...k..M1B..c.f.+...rx..g.._u7...>co..d\.......?..sy,:F._...Nz.....$b..;...vn$.J.R.......\|.3[...$...#g..8].n.x:.J.../5.sM,....,R^c.'.t.....='.........q.;..IY..B}.."$..x..i....&..uW].W.Qh\|$m1.........\|/...5..".... .......x1q.[..R...Y.TV..2efJ..Z..S}...~Lq..........?A(.E..J..i......4m.o....WE.y..~J.U2.]....f...\|.;.D....i2`.F.n...Bc..... w0N.>..d

C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\Approaches.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: lcxMtt6sny.exe, Detection: malicious, Browse Filename: 60w1fGMqay.exe, Detection: malicious, Browse Filename: GOmRjFSKNz.exe, Detection: malicious, Browse Filename: t1B7sgX825.exe, Detection: malicious, Browse Filename: 08(2)_00.exe, Detection: malicious, Browse Filename: rDoc5633276235623657_xls.exe, Detection: malicious, Browse Filename: lchs.exe, Detection: malicious, Browse Filename: Shipping Documemt.vbs, Detection: malicious, Browse Filename: AaK2FmzNcl.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\Abu

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	888593
Entropy (8bit):	6.622266777635325
Encrypted:	false
SSDEEP:	12288:hV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:7xz1JMyyzlohMf1tN70aw8501
MD5:	FA5E8E45CC73FDBAAE72B065DF222054
SHA1:	6A76B1F9A4F8BDBED85B02567F7BA0D9D679ADD8
SHA-256:	FDFE25D56153D97F558AE12B6077E181B0D0A6FD5DBA9D81F44F6442E8CD25D9
SHA-512:	50438F949ACD18D666261FE40EB4C9AD7BC92EF2089F404EA24489BA04492113FD69A76F48F639737E988E64E35EAA10808CFD372E682731565C1CF2647D8322
Malicious:	false
Preview:	9.t.........6..U..M$...u.......E(.....@..S.]...#E(VW..........} .........j.Q.u.WS.u..u.Qh..I.hp.I.P.u.......u............E..NL.f.......E.h....f......f......f...........U.3.Y.x..x........p..8........t.99u1.........f......_^[].$...........J......O...2......U..E.VW3........F.98u[.F..E.=......%....~..E...7.......t..E..D...E..D...G._.F.^]....}..t..M.......}..t.M........0.U..M..E......P.....uaSVW.}.3.S.5.xL..u,.7.u(.u$.u .u.Q.u..u.P.. .I.....t$8]4t.Sj.....I.Pj0V....I.9..........._..^[].0.%.....U...8SV.u.W.~:...m....].........E.E.P.6..4.I..M.E.VD.~H.M..E..U..}.....d.......s............}....E.P.3....I..E.M.+..U.E.E.+.E.E.P.6.U..M...p.I..}....E..u.M..}.f..........E...}.f.......E...E...}.f.......E...E...}.f......f..............t(.E.f.........u..........E..+...;............t'.E.f........`u..........E..+...;........U......................... ..R.....@..U..._^[..]....}.f.FX.......f......f.F\f......t_f.F`f......f.Fdf.......E.P.7..4.I....9^Xt=9^\tE.E.P.7....I.9^`......9^d....

C:\Users\user\AppData\Local\Temp\Accepted

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	ASCII text, with very long lines (704), with CRLF line terminators
Category:	dropped
Size (bytes):	17833
Entropy (8bit):	5.116112475945016
Encrypted:	false
SSDEEP:	384:J2/iF32bPa1UW5ZyAPRAm+767TPqeVZW7yqWrAoWA+glpiV:92b9cUm+OPPqeT2WrAoF+gviV
MD5:	143645101D80ACD52D4E0664F8DB1063
SHA1:	18DF06E98022326EE2ECF0D88C098FAC563649EE
SHA-256:	021E96F5612088BAF460734117FA4C15249214E0B367E2FD324F30ADD946F14E
SHA-512:	A68305196BA12B2A044D327C7139DB038443B062DE9AB7DC3CDA889D6B98F1D05DFF7FB812A79FA0B0B29474DD245916ADC9FF5986A6EA1B04F286FBD2BD8AA3
Malicious:	false
Preview:	Set Operational=Q..rJfQueensland-Qatar-Counters-Inspection-Prison-Landscape-Beta-Jc-Lands-..szALicking-Cant-Self-..BNZFinals-Honda-Thomson-Rich-Glass-Pour-Comfortable-..PCcmGetting-Secure-Upper-Milton-Assurance-Shares-Shaved-Diet-..oimContained-Look-..DiBYFs-Scott-Merry-Uk-Briefing-Harrison-Employ-Seeing-Ml-..YwAuStructural-Up-Ir-Viral-..nNRenewal-Dream-Copy-..Set Training=0..PkGround-..WPAlexander-..tMXNSpecification-Built-Accountability-Right-Acknowledge-Biotechnology-Really-..LoHCode-..hPGreece-..ZMVoyuer-Mission-Invitation-Latina-..RdReferences-Loc-Excluded-Shared-Florence-Decorative-..nXerFriend-Deemed-Liability-Tom-Ohio-Sql-Royalty-..waRover-Victims-Highlight-Chosen-Ice-Eminem-..tUoHonolulu-..Set Pantyhose=l..xyZVVoltage-Twenty-Empty-..iTrYRabbit-..nGORFarming-Postings-Giants-Xx-Harmful-..pjUVPermit-..LpSNetworking-Peas-Preparation-Phi-Revenue-..ObwWit-Wise-Scotland-..fNkeNudity-Tours-Sox-Wednesday-..rrkSLa-Gender-Lou-Acquire-..Set Stood=r..gHzrCommentary-Enforcement-Designers-..

C:\Users\user\AppData\Local\Temp\Accepted.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (704), with CRLF line terminators
Category:	dropped
Size (bytes):	17833
Entropy (8bit):	5.116112475945016
Encrypted:	false
SSDEEP:	384:J2/iF32bPa1UW5ZyAPRAm+767TPqeVZW7yqWrAoWA+glpiV:92b9cUm+OPPqeT2WrAoF+gviV
MD5:	143645101D80ACD52D4E0664F8DB1063
SHA1:	18DF06E98022326EE2ECF0D88C098FAC563649EE
SHA-256:	021E96F5612088BAF460734117FA4C15249214E0B367E2FD324F30ADD946F14E
SHA-512:	A68305196BA12B2A044D327C7139DB038443B062DE9AB7DC3CDA889D6B98F1D05DFF7FB812A79FA0B0B29474DD245916ADC9FF5986A6EA1B04F286FBD2BD8AA3
Malicious:	false
Preview:	Set Operational=Q..rJfQueensland-Qatar-Counters-Inspection-Prison-Landscape-Beta-Jc-Lands-..szALicking-Cant-Self-..BNZFinals-Honda-Thomson-Rich-Glass-Pour-Comfortable-..PCcmGetting-Secure-Upper-Milton-Assurance-Shares-Shaved-Diet-..oimContained-Look-..DiBYFs-Scott-Merry-Uk-Briefing-Harrison-Employ-Seeing-Ml-..YwAuStructural-Up-Ir-Viral-..nNRenewal-Dream-Copy-..Set Training=0..PkGround-..WPAlexander-..tMXNSpecification-Built-Accountability-Right-Acknowledge-Biotechnology-Really-..LoHCode-..hPGreece-..ZMVoyuer-Mission-Invitation-Latina-..RdReferences-Loc-Excluded-Shared-Florence-Decorative-..nXerFriend-Deemed-Liability-Tom-Ohio-Sql-Royalty-..waRover-Victims-Highlight-Chosen-Ice-Eminem-..tUoHonolulu-..Set Pantyhose=l..xyZVVoltage-Twenty-Empty-..iTrYRabbit-..nGORFarming-Postings-Giants-Xx-Harmful-..pjUVPermit-..LpSNetworking-Peas-Preparation-Phi-Revenue-..ObwWit-Wise-Scotland-..fNkeNudity-Tours-Sox-Wednesday-..rrkSLa-Gender-Lou-Acquire-..Set Stood=r..gHzrCommentary-Enforcement-Designers-..

C:\Users\user\AppData\Local\Temp\Mac

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.9982238017962635
Encrypted:	true
SSDEEP:	1536:rEhxAc9iFt5qXhKzqJHYuhwXJuP7JjpQkr8lEDVIJdVeQ1HXgsa1sA3r6Xde04P8:eN9SfqXswHrhwc9nQE2hRXgsgHmj4PlW
MD5:	0875EE6F12D420D2AE30FAEADD2C0AED
SHA1:	733D02F993D3C3FCE53D1586212112FEDDCAAED3
SHA-256:	03DB44E908E90F3C1B168381335CD24AE994BF74F1E5FF17DF98A77CD8A10104
SHA-512:	3FA2F1B7126F26E00819041B87C1CD0CB6318F45FBB047B7EAB94D319B736AF1C69230F7BA5D37B729F087DDE052CAA52EE0D4766CE75D6DF2D28D492F98DB45
Malicious:	false
Preview:	<.F....D.Y...f:......7......&&3..w.j,~....r<....V.s>T...B`...RX>R..4.....\):..X....9..B...g.g..g......2.Ul.'(....#......k....9......zb3......#...'.#..x..@.._g...y...z#.P.o..p.!.....k<..Et..::W.v..2...xc[\a...@6.#..x.Os.-.{A5.}."..@..t[..a.......ro..2..G.......y...k.. .t..d..,.I_..A.m.Y.Q[d.D<.W#.!B.....2.T.L.......H......\|a..h......l.h.n.^..Q-.x..)........U...>.Aeu..C..L..>].`...h<,..]...\S...kU9.gY..&2....I...$8.x..(3..4..B(.#....F5i...a...8~...+..}..M.8..i.1..&..7K.8 ...'sc.jW.G.apn..&.\.NB0..y..W.j...;...a...e..3....y..N.7.........0..2.G..@.%-....\|aua.._Z...y.Be+..CZ...Z.C............B.~..X..Y.`..B6..}.m..D.(`..5K.R.5..-.....J.........t.....i....7a...V.....X..4....!..0.^.....R............[a......0;1..y..[...,.A.}<.e...5Kk...../yb&n.....@.M.....v<....<,.^../........ao.=VL.T...WQ...$.Y..YG....vEi...2.XF..^.;P....Yp.h.S.UQ.?R...I.`E.\|.].V.2Y...N....Z8....f...jj.!!...(.....9.9pGb .9....c.e..e9....7.d.7.......h."...#.7u.........#7.@0.

C:\Users\user\AppData\Local\Temp\Marco

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	5041
Entropy (8bit):	6.054685757387587
Encrypted:	false
SSDEEP:	96:vxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxY:pHAeOqAFDw09CV/2nPvj6DdMY
MD5:	12D1FC2FE2C61A5EC004A72D04753D0C
SHA1:	68422FABC33D19A0D4E853571D36DE0EF741FC6E
SHA-256:	7D7E2D738525738C5A9DD685D45713927537A39986935E8592B866DC4341DCDB
SHA-512:	ABF40DE9014C4C181D193EA04A20499FABC8932A2315B12BD4C966CA4F8E3D1AF7BB381DD56815DEE84474C2CCB7BFC78000718AACED7B98EE88C0DFAEFCB519
Malicious:	false
Preview:	AvenueAdaptorDuiDivision..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Preparation

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.9978635631615544
Encrypted:	true
SSDEEP:	1536:QmEwehIS646NyDxci6gqRPLpEYv6I6rCDvyu9Vmt0CBqYV1KbuRBt4rVeOYoHrG:eIS64LiPLp1TKEquw0Sqk0yerV1S
MD5:	6CF7358A6EF7AF408D49B7E533708CBE
SHA1:	CF5F2DB0169B46D029CDA1C5190369196F412A23
SHA-256:	55643859D0F3091A794D29CD1AFA4660ABD19EA412EFEE733D2BF4E414D033A3
SHA-512:	9535275ACB8C03D1D27B2F4572A32D7169565CF7BF4EAE743181B9093BB0C2561B3FD84C45996956E197CFED55005594876A66B119C2D909EC2350CA2A9F7F45
Malicious:	false
Preview:	...^K~....t...87mN......D..nn......LV...c.\.t....\d.O....K.$t... K...oD.s.HSdpfi..VK..,.t.>.J...C&.{.sJh.8s....a......[l..i5WR...,?O.....u...-...+....&_..h..3`.....Wl.......?.].e.,.}.....3. h..9..5..`.Q.$..~..Lz.3\e-..x.C..j....yAl...,&.R..(........3<.4.....x.....g.8.6!%.D.%....1.6._.o......^...z....k.v.^S.=.Ft..:..H..h..S)].4...bsw...J..[.U{..~...l.tK...s.....0...E;z-...\.4.qi......O@IH8R:..9...+..w.&j?..1%.:....D..A./..]M.>.:..R&.........a=&.N....&G.d..B..a.5 n..*......._ &.CW..S.,........Y+...]..........^.f.. B..uK.%ji..4.n..N.E.E...L..z.GI.v.pGa.xP<....\....O,..j.e..v..{....uS..<.I;......y...!._...k..M1B..c.f.+...rx..g.._u7...>co..d\.......?..sy,:F._...Nz.....$b..;...vn$.J.R.......\|.3[...$...#g..8].n.x:.J.../5.sM,....,R^c.'.t.....='.........q.;..IY..B}.."$..x..i....&..uW].W.Qh\|$m1.........\|/...5..".... .......x1q.[..R...Y.TV..2efJ..Z..S}...~Lq..........?A(.E..J..i......4m.o....WE.y..~J.U2.]....f...\|.;.D....i2`.F.n...Bc..... w0N.>..d

C:\Users\user\AppData\Local\Temp\Recommendations

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996920080641024
Encrypted:	true
SSDEEP:	1536:6lOK9RXTLjxPYXgOzhjjNgCOf/3RlYZSXc7H4w:oOK3XTxuzhmzf/3R6gqb
MD5:	8A2905DF9036FAF531DEF37D9112BCCF
SHA1:	DA6135B11E97BAA769EC68038505F2854087CC18
SHA-256:	CE491579FF28B3B52966928236BE40FC9ED3308407D1EC5DBE424AB78248B7EF
SHA-512:	2676133DDAE1EBE380D149005A7D16AD3E56F80FD56263756ACE93B04E86E6EE5C1A36C2F3246B5B69C62DBC93F411A7F62661733EC94D8E659A991BE2E429ED
Malicious:	false
Preview:	k8..@..6......o..xyI../....w.9Xa.i.j,.=....m5p......4........}..7.I.;..,........iMs......K+....F.......z.&<.@7B.>.8.G./&.4...S ).+f.d1........c6B......}.B...zM,...FH.\..]j.6.B..j.V..tB. 9.r.6.a..l?.#..rQ.,..T.../S..6........mYo.FAo/m.B.......r...(...d!..Q.hJj.....X.KL...u....A7.....L^.4....g...H......N....R..".)...u.I....C5.....C.,{.Q.Ul7 ....4.S8]y...z.eJ.n...,.v...o...g...P0....@.~..]...ii..I.{G....5.s.cz].Y..Rm.a.......A..3.%....ui}w.'\|b7.`.AX..F..J....K....JFx...`.../.p...Un{.."O`.........E^..../.?..'..8,WV...+@.....<.q.+.C....k..AFa@.....?..\M`.x......p..`_...........RC....(.....D..6.\...7.#^.#.t].HS/9.....?..v/.X..m8yM......~U.....N.j._.+Z......;.....X.x.p....z..bd.......`.q..2U.@'p.`<.D....i.D..n=..c.......S..a.....)B...p.......HC.B...z..7...a..3#y.c.\.....1c..L...fg.S...&...D.J..s...\|O4)...5w=........I..P~.W..../...4..k..!fa...-..q....Y.s([.-0<.S,\.....LJ..W._..^0,1+........).0.....{.....l..K.b..-.s...8.3#...S....

C:\Users\user\AppData\Local\Temp\Sustained

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.998350201927
Encrypted:	true
SSDEEP:	1536:tKOuWI31YJ4YHvlZwj/lBw31HeMvzDNr0lUzXZEIg+dIFnIBtnBJEs87b:fhIlYlNZK/lC3xbDi2zXZErOIRM87b
MD5:	325D62E9713D43B8681F7ED6E9ED0D05
SHA1:	988236CCEEC50D76ACAAE66D01E8420815506198
SHA-256:	1462C2E7E0D2954FBD77EE1CABE9787CC28FC3144B3C7F238D8387C047959A7B
SHA-512:	00B7F4F355F42E3CAB50D5ED9EEF2077561D6B1F94DD1B731A27F82A84BED38581E911E0B66928E47A3E181A40AC6185837C8AC92B8A6CE7EFCBAC3002F4E55E
Malicious:	false
Preview:	s.........Z{.......z}.W".}.a..xE....p.q.Jh...........'r...~........<...>qS.wP.{.M<.....Hw.D,..L.X.,FX.8.@D`l.%..i....;...'..........2..T.y....-.@e..pr...L"M.[T.....J#%...$p...n.c.^ZU2.6.E..'.+X..`[...d.X...`..1.....z...A,.Cs\|...o..a. Z.f..SV..i.g.60`......-..1.\|q.r.....,....h.T#:.L.E../..Z?...o9.}.....{.ayD2..D.M....KeEB.b...!..sS.b ..y.h....OE.....t.J.6..^H......A.1....Z....).0.+.g.u.....,...e.+.P.. ...9B20..K.....!/.......u&{."....%U..$...p...8.....I............{`......Q..H.../..lv.d.+..R..i[l.D..d..Ccs.>+..b...n...0o.i....k.j.-..R....ew....oN.F.b.E.La.{.H...W.1.......W....t...."``'...4..=#&..=..=.....<..z..5..\|!5T..w...=.kx...x...z.#....M.-+..!o.y.:..]..<.............Q.....w...cS'..-.p.L...?.#%..=....\|.S.r<,u..5WZ.L.N.x..f.P'....2..T:C..O..Mi.....%....WN.....U........a~G....o.9..y.S.Z.....y.{.....A5[s2Z J.Px......w.F...v..w.n....%.oaVB.....o.6...P.y..Tq...\..../:.&.G:y....[.~...v.d..$n..`v...1.R.O.W.....~..M...6?.........(.

C:\Users\user\AppData\Local\Temp\Sw

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.996571343317569
Encrypted:	true
SSDEEP:	768:adlvzUtHOnugq2KSSpEmmPdWlUk0aT9UrgmU3h9ZJNDXHAmTv3NLampMP0szgkCX:0zU0aI+E7lHaTKrYx9ZJNDbbYSMMxTHh
MD5:	85B5393B7D47D6DB994EA1D2A624378D
SHA1:	EED6D57451150A87406231FD107A1090650F5374
SHA-256:	71FFC4AF2AD343AB9DCA9317F8E8A5441D758A490FF509F5EB53BEE6B9BBF4E5
SHA-512:	B3D3DD29AA7F2183A0500587E5B0F53DF1DCEC89021E1F484C1C67CC4519CD6F161FD77F3923FBBA780E07CE781ECFF683B15C41A4B09449870BD19BB81CA15C
Malicious:	false
Preview:	....N......k...j.j.G]..O:T.w..@....I......8.._.\|..#.;A.0..$?/.6-.H.....2. .8#ua..-[...j..V........Xa..+=./.o.D.z&.....-;.X......MZ...mR...~..my.E/0.."..%..D;$.....A.......8..Q.......x...{.\@D.v3....z#.4D.u{.m.}.n8+......'dY. g.......SF....."Px.=... .sjc{2........I............n.>.Za........6,."..>........F.R.yQ)S.....M2...VL....L.N.u.VX.}.L......l..W...^....d..q.@..M.d.W0Ur...4-..z....An........=....V.v..._...M...........j....^.....?#.....5.;.....&...k.Sz....;\.XA...3..U..2..\|...d......O..Wk.ND....}2.....Y.D."X..25b..NI."/K....7KXm..j...b.7..2">+.....Qh...W.......5........].....v.......A~....a..6.......c.$..........\Er...@Oe.%y^#.%.x..1.N._..........J.r..WF.W...\|.5\|G..B..c.Zy.L..w..L.T.%f..c...qt........O.v...0q.a.RX...^..t...%..../NN...,.....}x...y..=...h.............D J...B...Ye..;n..-.Ry.7.qti.3.k..SV.....e.....u.zvdi......F...p.........&.@Jt\|....~..H......".a........:.BQ.../....LA.H.g..8'. R..,Y.s.._.....v0..r.[.]..H....@.

C:\Users\user\AppData\Local\Temp\Tmp296F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp297F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Understand

Download File

Process:	C:\Users\user\Desktop\1XZFfxyWZA.exe
File Type:	data
Category:	dropped
Size (bytes):	22111
Entropy (8bit):	7.992473046114103
Encrypted:	true
SSDEEP:	384:vBTQpJ+4olfbU9xGT2XEoIMDo/PN/4fD4P00Nem9Q1fR2D4Cer/e:vZ6+TlfbU9x/XkMi/42be0GfYwr2
MD5:	8EA0D0CE6C02EC6611AF89354D9CDE4D
SHA1:	685BFC5D304E1BBB5FD6FD26EB935CBE83BA13EE
SHA-256:	37700A29DA77BC6C928D1A8C6D0331379CEDB9D96B34C0B3EFB499D1A8C3FF0E
SHA-512:	3A0E654853BE399298036F211AD429461EFF4AEAC502F165FA6C0FC8A65CF41BD27CD415B223B837DEEA326011DBFF16BD44EC6780BF9FF88B8CA84B7FFC8C68
Malicious:	false
Preview:	&.W5.Bs...GT.8. sv...7Rs....'@.~r....M.\..h..... ...8.y....b...f.. .T..,.....$..o...L..Iw..cw.A7..Dl!....#u.........N.V.Eh.L..u.....P..c.m..tjVQ.`..F4[..f,R...<...I.....wME..#...@.`=...:)2.$.#.............I>W.....uj.[....%...%.,.M..`....M [..;5=9.K..1....._....}.q....P.7.f.k.'a16.............hW....1:R[......"...%....WK.?.Q.-B.GQ..<..+{f.e..i..4......$.GE.L.....J....K........~G.g\|So...z6o...l..L.V.9....V.#....P....f.....P...\.....=.r.{.~.b...u....HED.J#.K..}..m#2YP.....K.!....Yv..+..w..6.bU0.'..Z@.N(...7b...x..l.......+.....%..$".v8G.o. ...5I.h,......v..^..T{...8.muc.5-.z.G.z]J....`.l..CX.a.._]7...Y...........Y>Bl<.x....V....k....o...-U...4..a.4.T....T]j=.$.V.T.=.....eIw...Q...h...3.(.G.f_..1;..Y.p-\|8.%%,.+....X.o.>II-.+.v........\|S...w...v....,Zy..<......1......O..u..`5.%........"%#...;y..3...K.n.8..,.r......8...<..-F............\|s..A...D....]#}.v.rZ.....w.5._....ln6.,\|oY.W^~K.6.X....`.._v..~...?....f....%Q].kI...S..:Xc.....Q+.~..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.975076806554261
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1XZFfxyWZA.exe
File size:	927'085 bytes
MD5:	4aa3a0eb589da4820635577d4c82c3b5
SHA1:	0b0fd6ac3648c6c7166f92e7ed2640deb73bcb5d
SHA256:	c26ce02368f7e800361b6174fb471e5499347e4205b354011908bff9409d2e1e
SHA512:	20f777e04f8e4ce2ce27a206475c73098c512cddbad5fa428b883111fc5252228feb1c9b37054d0b27f321d32009fa1b4a65bd58489c579dcfeab759aa11fc16
SSDEEP:	12288:yCPxHH6TorMltC0ZsI3F/NS+A37MENqIvci90YmlaktA9VMf2R/FWx5Eb0u8S:yux6T/tjtHSZ3gENFvG/tAu2RQx5z7S
TLSH:	4015230ED3E91599EFF22EB624F6024046F6FA0358F1F91AD344ED9C7E75AA0485831B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...p...B...8.....

File Icon


Icon Hash:	71c4d2d2f2eef833

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F74186CF33Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F74186CF01Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F74186CF00Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F74186CC90Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F74186CECE1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F74186CC993h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F74186CC90Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xadca	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd5b05	0x2868	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xadca	0xae00	5c6a4aa96f53247436a8c2f89543d984	False	0.9434940732758621	data	7.776393659717044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xff000	0xf32	0x1000	00ef3f163db9ba6c4a7a058b876a0197	False	0.58984375	data	5.416607533180126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4268	0x6446	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9994546162835996
RT_ICON	0xfa6b0	0x2a61	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.001013918333487
RT_ICON	0xfd114	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.7502276867030966
RT_ICON	0xfe23c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8617021276595744
RT_DIALOG	0xfe6a4	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfe7a4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfe8c0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfe920	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xfe960	0x194	OpenPGP Secret Key	English	United States	0.551980198019802
RT_MANIFEST	0xfeaf4	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T07:18:02.486694+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:02.486694+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:02.731272+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	87.120.115.20	28332	192.168.2.4	49768	TCP
2024-10-27T07:18:08.016687+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:08.270659+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	87.120.115.20	28332	192.168.2.4	49768	TCP
2024-10-27T07:18:08.969877+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:09.292832+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:09.858335+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:10.257864+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.341987+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.634582+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:11.805383+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.046773+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.333135+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.604213+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:12.846262+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.085739+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.329309+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.581898+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:13.820733+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP
2024-10-27T07:18:14.161017+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49768	87.120.115.20	28332	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 07:18:01.619755030 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:01.625201941 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:01.625283957 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:01.634329081 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:01.639684916 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:02.451410055 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:02.486694098 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:02.492161036 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:02.731271982 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:02.776163101 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.016686916 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.022542000 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270519972 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270540953 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270556927 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270623922 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270642996 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270646095 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.270658970 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:08.270708084 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.270760059 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.969877005 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:08.975460052 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.209093094 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.259587049 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:09.292831898 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:09.298378944 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298407078 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298434019 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298450947 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298465967 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298497915 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:09.298590899 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298616886 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298631907 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298649073 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.298708916 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.303936958 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.303978920 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.303994894 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.645294905 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:09.697103024 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:09.858335018 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:09.863989115 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:10.095957041 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:10.150207996 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:10.257863998 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:10.263391972 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:10.495906115 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:10.540818930 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:11.341986895 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:11.347379923 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:11.347390890 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:11.347398996 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:11.582719088 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:11.634582043 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:11.805382967 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:11.810849905 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.043164968 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.046772957 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:12.062995911 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.295028925 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.333134890 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:12.338682890 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.598926067 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.604212999 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:12.609699965 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.841650963 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:12.846261978 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:12.851903915 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.083682060 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.085738897 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:13.091074944 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.323714972 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.329308987 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:13.334747076 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.334759951 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.334829092 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.335069895 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.335083008 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.335367918 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.581207991 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.581897974 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:13.587223053 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.820009947 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:13.820733070 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:13.826194048 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:14.062097073 CET	28332	49768	87.120.115.20	192.168.2.4
Oct 27, 2024 07:18:14.103329897 CET	49768	28332	192.168.2.4	87.120.115.20
Oct 27, 2024 07:18:14.161016941 CET	49768	28332	192.168.2.4	87.120.115.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 07:17:07.921838045 CET	60423	53	192.168.2.4	1.1.1.1
Oct 27, 2024 07:17:07.941724062 CET	53	60423	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 07:17:07.921838045 CET	192.168.2.4	1.1.1.1	0x88f4	Standard query (0)	qzvkxaAyizkCBLIA.qzvkxaAyizkCBLIA	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 07:17:07.941724062 CET	1.1.1.1	192.168.2.4	0x88f4	Name error (3)	qzvkxaAyizkCBLIA.qzvkxaAyizkCBLIA	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:17:01
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\1XZFfxyWZA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1XZFfxyWZA.exe"
Imagebase:	0x400000
File size:	927'085 bytes
MD5 hash:	4AA3A0EB589DA4820635577D4C82C3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:17:03
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Accepted Accepted.bat & Accepted.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:17:03
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:17:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xf00000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:17:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:17:05
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xf00000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:17:05
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:17:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 667869
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:17:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "AvenueAdaptorDuiDivision" Marco
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:17:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Preparation + ..\Sustained + ..\Recommendations + ..\Sw + ..\Mac + ..\Understand N
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:17:06
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\667869\Approaches.pif
Wow64 process (32bit):	true
Commandline:	Approaches.pif N
Imagebase:	0x4b0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2251666785.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2309383491.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2251278695.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2250995716.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2309264417.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2251560532.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2307864609.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2309470984.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2251177267.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2251060881.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2258224682.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2258182624.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:17:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x620000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:17:54
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe
Imagebase:	0x350000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2452067965.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2448210120.0000000000732000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	32

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182
{, xrefs: 00405352

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

/D=, xrefs: 004039A6
1C, xrefs: 00403B56
\Temp, xrefs: 00403A1B
Error launching installer, xrefs: 00403A7D
NCRC, xrefs: 0040397C
_?=, xrefs: 00403A64
~nsu.tmp, xrefs: 00403AF7
NSIS Error, xrefs: 004038E2
SeShutdownPrivilege, xrefs: 00403C16

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Sleep(%d), xrefs: 0040169D
Call: %d, xrefs: 0040165A
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename: %s, xrefs: 004018F8
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: "%s" (%d), xrefs: 004017BF
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602
Rename failed: %s, xrefs: 0040194B
SetFileAttributes failed., xrefs: 004017A1
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename on reboot: %s, xrefs: 00401943
detailprint: %s, xrefs: 00401679
SetFileAttributes: "%s":%08X, xrefs: 0040177B

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

_Nb, xrefs: 00405AD1
RichEd20, xrefs: 00405B9D
RichEdit20A, xrefs: 00405BB6, 00405BBB
.DEFAULT\Control Panel\International, xrefs: 00405999
B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
@%F, xrefs: 004059F6
RichEd32, xrefs: 00405BA8
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
.exe, xrefs: 00405A3D
RichEdit, xrefs: 00405BC4

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user cancel, xrefs: 00401B93
File: error, user retry, xrefs: 00401B40
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Error launching installer, xrefs: 004035D7
Null, xrefs: 0040367E
soft, xrefs: 00403675
Inst, xrefs: 0040366C

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
X1C, xrefs: 004033ED
... %d%%, xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
open, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
open, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Function 00403859 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(FFFFFFFF,00403AD1,?), ref: 00403864

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a114d1ad3d6f72424773905f6d3d8555ffb504a96b4f495319bf21f79649ad7b
Instruction ID: b9bdbc8744521ee651ba7bc90111acac5a2c88e2b86e9c74d328a3688b9dc09a
Opcode Fuzzy Hash: a114d1ad3d6f72424773905f6d3d8555ffb504a96b4f495319bf21f79649ad7b
Instruction Fuzzy Hash: 7BC0223810020092E1242F34AE0EB063A04F740330F500B3EF0F2F02F0D73C8640006D

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
M, xrefs: 00404B43
@, xrefs: 00404B90
N, xrefs: 00404C06

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@%F, xrefs: 00404674
@rD, xrefs: 00404610
A, xrefs: 00404636
82D, xrefs: 004046DB

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 00406A53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 0040682C

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

CreateToolhelp32Snapshot, xrefs: 004065B5
EnumProcesses, xrefs: 00406482
EnumProcessModules, xrefs: 0040648A
PSAPI.DLL, xrefs: 00406464
Kernel32.DLL, xrefs: 0040659B
Unknown, xrefs: 004064FC
Process32FirstW, xrefs: 004065BD
Module32FirstW, xrefs: 004065D3
GetModuleBaseNameW, xrefs: 00406494
Module32NextW, xrefs: 004065DE
Process32NextW, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
N, xrefs: 0040426C
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00015E00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1791334657.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1791250424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791626832.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791652170.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1791787712.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1XZFfxyWZA.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Approaches.pifPID: 5440, Parent PID: 6996COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	93

Executed Functions

Function 004C5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C526C
IsDebuggerPresent.KERNEL32 ref: 004C527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 004C52E6

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Part of subcall function 004BBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004BBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 004C5366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00500B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00500B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00566D10), ref: 00500BE9
ShellExecuteW.SHELL32(00000000), ref: 00500BF0

Part of subcall function 004C514C: GetSysColorBrush.USER32(0000000F), ref: 004C5156
Part of subcall function 004C514C: LoadCursorW.USER32(00000000,00007F00), ref: 004C5165
Part of subcall function 004C514C: LoadIconW.USER32(00000063), ref: 004C517C
Part of subcall function 004C514C: LoadIconW.USER32(000000A4), ref: 004C518E
Part of subcall function 004C514C: LoadIconW.USER32(000000A2), ref: 004C51A0
Part of subcall function 004C514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004C51C6
Part of subcall function 004C514C: RegisterClassExW.USER32(?), ref: 004C521C

Part of subcall function 004C50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004C5109
Part of subcall function 004C50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004C512A
Part of subcall function 004C50DB: ShowWindow.USER32(00000000), ref: 004C513E
Part of subcall function 004C50DB: ShowWindow.USER32(00000000), ref: 004C5147

Part of subcall function 004C59D3: _memset.LIBCMT ref: 004C59F9
Part of subcall function 004C59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004C5A9E

Strings

AutoIt, xrefs: 00500B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00500B28
runas, xrefs: 00500BE4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 3216ccf28980a732ddfd369b45357cc040c998716053a9a4a0f65073c9cff3bc
Instruction ID: 43b8aa99a2d672d23ab06d10fff094a425160be9e8f243c4b116109e5d72d2e9
Opcode Fuzzy Hash: 3216ccf28980a732ddfd369b45357cc040c998716053a9a4a0f65073c9cff3bc
Instruction Fuzzy Hash: 2851E83C90824CAACB11ABB1BC05FED7F74AB19344F10506EF565621A3CBB85589EB15

Function 00513CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C2A58,?,00008000), ref: 004D02A4

Part of subcall function 00514FEC: GetFileAttributesW.KERNEL32(?,00513BFE), ref: 00514FED

FindFirstFileW.KERNEL32(?,?), ref: 00513D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00513E3E
MoveFileW.KERNEL32(?,?), ref: 00513E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00513E6E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00513E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00513EAC

Strings

\*.*, xrefs: 00513D41, 00513D4A, 00513D5F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 64339bc26e4c40ecd7f31192c610514b26babf2b92c4b6941f14e64aa3c3f49c
Instruction ID: e5ae0cbd312188d542efa1469dd1c95df8cc76f78b9f2166f71496cac6988ce3
Opcode Fuzzy Hash: 64339bc26e4c40ecd7f31192c610514b26babf2b92c4b6941f14e64aa3c3f49c
Instruction Fuzzy Hash: 9351943580120D9ADF15EBA1C9A6EEDBB79AF12304F20026EE441B71A2DF355F4DCB60

Function 004C5D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004C5D40

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

GetCurrentProcess.KERNEL32(?,00540A18,00000000,00000000,?), ref: 004C5E07
IsWow64Process.KERNEL32(00000000), ref: 004C5E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 004C5E54
FreeLibrary.KERNEL32(00000000), ref: 004C5E5F
GetSystemInfo.KERNEL32(00000000), ref: 004C5E90
GetSystemInfo.KERNEL32(00000000), ref: 004C5E9C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 62a18b8528adbb99e3792b696358ad5daba15ecff57d579f4e0f539de0029777
Instruction ID: 3cc2d5d5d6ad86b744485383b59510079320e8b9a25a5cf8a4ca8821005fb8bc
Opcode Fuzzy Hash: 62a18b8528adbb99e3792b696358ad5daba15ecff57d579f4e0f539de0029777
Instruction Fuzzy Hash: 6691D235549BC0DEC771CB688450AAFBFE56F3A300B984A5ED0C793A82D234B588D75E

Function 00514005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C2A58,?,00008000), ref: 004D02A4

Part of subcall function 00514FEC: GetFileAttributesW.KERNEL32(?,00513BFE), ref: 00514FED

FindFirstFileW.KERNEL32(?,?), ref: 0051407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 005140CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 005140DD
FindClose.KERNEL32(00000000), ref: 005140F4
FindClose.KERNEL32(00000000), ref: 005140FD

Strings

\*.*, xrefs: 0051404E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: de789c284884683627cb68b4e5e25e23cf2c476e80a4f1b2bdf502a238baa477
Instruction ID: f5d75f4c7bd12ea13e283b2f786eebc1e9897aa6468915948260b3ae5a39d929
Opcode Fuzzy Hash: de789c284884683627cb68b4e5e25e23cf2c476e80a4f1b2bdf502a238baa477
Instruction Fuzzy Hash: 953170390083859BD240EF61C895DEFBBA8BE96308F441A1EF5D1931E2DB34DA09CB56

Function 00514148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0051416D
Process32FirstW.KERNEL32(00000000,?), ref: 0051417B
Process32NextW.KERNEL32(00000000,?), ref: 0051419B
CloseHandle.KERNEL32(00000000), ref: 00514245

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab4ef7b432e895d1c0f1ff93a9955a43fde13541f5b9fd792663f66430895cf5
Instruction ID: 7bcc8ad803d08ee6a5e169fe4e146df6cd8537e4331bd2c5bb56d3377dd83bd6
Opcode Fuzzy Hash: ab4ef7b432e895d1c0f1ff93a9955a43fde13541f5b9fd792663f66430895cf5
Instruction Fuzzy Hash: CF31C2751083419FD300EF51D885FEFBBE8BF96358F10092EF591821A2EB759989CB92

Function 004BB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 004C3740: CharUpperBuffW.USER32(?,005771DC,00000001,?,00000000,005771DC,?,004B53A5,?,?,?,?), ref: 004C375D

_memmove.LIBCMT ref: 004BB68A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 67db3da131a185124e2ef2f2014978c22ac7fe92e7d0a2a5d20a8931e83ce789
Instruction ID: 508f6108520d6a12d88cbeadd7bb91e432bffa7fc520555ddacccd5df28a2c75
Opcode Fuzzy Hash: 67db3da131a185124e2ef2f2014978c22ac7fe92e7d0a2a5d20a8931e83ce789
Instruction Fuzzy Hash: 5BA269705083419FD720DF15C480BAAB7E1FF85304F14895EE99A8B352D7B8ED46CBAA

Function 0051494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004FFC86), ref: 0051495A
FindFirstFileW.KERNEL32(?,?), ref: 0051496B
FindClose.KERNEL32(00000000), ref: 0051497B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 76a9db4abe85614ae5327827acd68aa6973ff08f816729b0fda2e42c5b57c979
Instruction ID: 2b7721a5d12e7dfa57a3d1a8a2ccaf98cb39ab116268123e5d48380fd5cfeeb3
Opcode Fuzzy Hash: 76a9db4abe85614ae5327827acd68aa6973ff08f816729b0fda2e42c5b57c979
Instruction Fuzzy Hash: E1E02035414509975210673CEC0D4EB7B5CAE1733DF201705FA35C10D4E7709D889AD5

Function 004B94E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e272bb0b2767dc38d8eaa7a40ec2125d763195954b2fa5a33070a81eea5588
Instruction ID: 2c704c30bc685cd4ec8404445c12ec13ecd05046bfb357abfbee3ef6f1ea48e1
Opcode Fuzzy Hash: c8e272bb0b2767dc38d8eaa7a40ec2125d763195954b2fa5a33070a81eea5588
Instruction Fuzzy Hash: 82229B7490021ADFDB24DF54C590AFAB7B0FF49300F14816BEA46AB351D778AD81CBA9

Function 004BBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004BBF57

Part of subcall function 004B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B52E6

Sleep.KERNEL32(0000000A,?,?), ref: 004F36B5

Strings

CALL, xrefs: 004BC277
@TRAY_ID, xrefs: 004F3FCD
@COM_EVENTOBJ, xrefs: 004F3D2E
@GUI_CTRLHANDLE, xrefs: 004F3816
@GUI_WINHANDLE, xrefs: 004F37C1
@GUI_CTRLID, xrefs: 004F376C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 0998a17ebd5018da0f533c12acdd1dcbb288f328c8f0e3581e50baf7336abd3f
Instruction ID: e6fa36639e81486b3b4bc1be806af64af8a4131a1c068ad766f4d2ad685441ae
Opcode Fuzzy Hash: 0998a17ebd5018da0f533c12acdd1dcbb288f328c8f0e3581e50baf7336abd3f
Instruction Fuzzy Hash: C4C2AD70608345DFD724DF24C884BAABBE4FF84304F14491EE58A973A1CB78E945DB9A

Function 004B33E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004B3444
RegisterClassExW.USER32(00000030), ref: 004B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B347F
InitCommonControlsEx.COMCTL32(?), ref: 004B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004B34AC
LoadIconW.USER32(000000A9), ref: 004B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004B34D1

Strings

AutoIt v3 GUI, xrefs: 004B3460
TaskbarCreated, xrefs: 004B3474
+, xrefs: 004B342D
0, xrefs: 004B3426

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9bee377f5a7f6a174e6595db1fc24d45a72000b0c8e0a9834882ca198f66c98e
Instruction ID: 4040d449450036198e2f6491573d7a3ff534295fa78ff1cbd11d6062340bb96a
Opcode Fuzzy Hash: 9bee377f5a7f6a174e6595db1fc24d45a72000b0c8e0a9834882ca198f66c98e
Instruction Fuzzy Hash: C4313875844309AFDB40CFA4EC88BDABFF0FF19314F20415AE695A62A0D3B50589EF91

Function 004B3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004B3444
RegisterClassExW.USER32(00000030), ref: 004B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B347F
InitCommonControlsEx.COMCTL32(?), ref: 004B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004B34AC
LoadIconW.USER32(000000A9), ref: 004B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004B34D1

Strings

AutoIt v3 GUI, xrefs: 004B3460
TaskbarCreated, xrefs: 004B3474
+, xrefs: 004B342D
0, xrefs: 004B3426

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 62cf04e811dc6175e01464ed371c205191003e1ed5a9a9e8fd2602dd5c42e03e
Instruction ID: e55dbd2de656592620be7947a4b3e92d4f6232b41a55e7d989ccaf445a5394b5
Opcode Fuzzy Hash: 62cf04e811dc6175e01464ed371c205191003e1ed5a9a9e8fd2602dd5c42e03e
Instruction Fuzzy Hash: EB21F5B5904208AFDB009F94E848BCD7BF4FB19704F10511AF618A62A0D7B10588EF92

Function 004C2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004C3094), ref: 004D00ED

Part of subcall function 004D08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004C309F), ref: 004D08E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004C30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005001BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005001FB
RegCloseKey.ADVAPI32(?), ref: 00500239
_wcscat.LIBCMT ref: 00500292

Strings

\Include\, xrefs: 004C309F
\, xrefs: 005002B5
Include, xrefs: 005001B1, 005001F2
Software\AutoIt v3\AutoIt, xrefs: 004C30D8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 952086bb94b48e55b8edcb47f1e16032c776af62ef2e5f78879cb672ef1de92f
Instruction ID: 81356b0582286b1d8b5c1fd7716493bb64f4b08aa38a7efd589e840a08c7d19f
Opcode Fuzzy Hash: 952086bb94b48e55b8edcb47f1e16032c776af62ef2e5f78879cb672ef1de92f
Instruction Fuzzy Hash: 977180795453019EC300EF26E859AABBBE8FF65355F40052FF449832B2EF309988EB55

Function 004C514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004C5156
LoadCursorW.USER32(00000000,00007F00), ref: 004C5165
LoadIconW.USER32(00000063), ref: 004C517C
LoadIconW.USER32(000000A4), ref: 004C518E
LoadIconW.USER32(000000A2), ref: 004C51A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004C51C6
RegisterClassExW.USER32(?), ref: 004C521C

Part of subcall function 004B3411: GetSysColorBrush.USER32(0000000F), ref: 004B3444
Part of subcall function 004B3411: RegisterClassExW.USER32(00000030), ref: 004B346E
Part of subcall function 004B3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B347F
Part of subcall function 004B3411: InitCommonControlsEx.COMCTL32(?), ref: 004B349C
Part of subcall function 004B3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004B34AC
Part of subcall function 004B3411: LoadIconW.USER32(000000A9), ref: 004B34C2
Part of subcall function 004B3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004B34D1

Strings

#, xrefs: 004C5201
AutoIt v3, xrefs: 004C520B
0, xrefs: 004C51FA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f2a90b0bb613bf5b66209585ee84cd5b54a7f8bba621f0c468657a88a6d16cd2
Instruction ID: 879934df85f728c2c3f9dd1eacff8af7c570c7decc8d61635ef04783c7a529f6
Opcode Fuzzy Hash: f2a90b0bb613bf5b66209585ee84cd5b54a7f8bba621f0c468657a88a6d16cd2
Instruction Fuzzy Hash: 1E215978904308AFEB109FA4FD09B9D7FB5FB28314F10016AF618A62E1C7B55598BF84

Function 00525E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00525E7E
inet_addr.WSOCK32(?,?,?), ref: 00525EC3
gethostbyname.WS2_32(?), ref: 00525ECF
IcmpCreateFile.IPHLPAPI ref: 00525EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00525F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00525F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00525FD8
WSACleanup.WSOCK32 ref: 00525FDE

Strings

Ping, xrefs: 00525F01

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d3fe45cd18180d5c0e9b47940c2884fa30e7df2bee94ae9209c927bb8490eb39
Instruction ID: b9b09d8492b59bb6c9b3d68acbdf8f2fe0b73db5f0744a421f8a40fd76d00306
Opcode Fuzzy Hash: d3fe45cd18180d5c0e9b47940c2884fa30e7df2bee94ae9209c927bb8490eb39
Instruction Fuzzy Hash: 0C51CD716046109FD720EF25DD49B6ABBE4FF8A314F14492AFA55DB2E1EB30E804DB42

Function 004C4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004C4E22
KillTimer.USER32(?,00000001), ref: 004C4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004C4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004C4E7A
CreatePopupMenu.USER32 ref: 004C4E8E
PostQuitMessage.USER32(00000000), ref: 004C4EAF

Strings

TaskbarCreated, xrefs: 004C4E75

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ee6f5079587f8f8aa3d82a55be602305aecb078180aaf7e5ce4b8c83276343c3
Instruction ID: 35467e09a2f9da49e1fd140113383650b4d7bc92687869cd6fe7dec293c9d496
Opcode Fuzzy Hash: ee6f5079587f8f8aa3d82a55be602305aecb078180aaf7e5ce4b8c83276343c3
Instruction Fuzzy Hash: 5D41483920450DAADB905F24FD5DFBE3A95F794304F01052FF906822D2CB78AC95B76A

Function 004BAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004BADE1
CoUninitialize.COMBASE ref: 004BAE80
UnregisterHotKey.USER32(?), ref: 004BAFD7
DestroyWindow.USER32(?), ref: 004F2F64
FreeLibrary.KERNEL32(?), ref: 004F2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004F2FF6

Strings

close all, xrefs: 004BADDC

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b1fb0cc30ffed1f113619d43493302e82dbce479951eadbfbe1a25c60b1b4e8f
Instruction ID: 543351b4a60ae900784fb89df6a68503dec4051e6ded57da09c79cd866328fed
Opcode Fuzzy Hash: b1fb0cc30ffed1f113619d43493302e82dbce479951eadbfbe1a25c60b1b4e8f
Instruction Fuzzy Hash: 9AA14E347012128FCB29EF15C595ABAF764BF04704F1042AFE90A67352CB39AD16CF69

Function 004C56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00500C5B

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

_memset.LIBCMT ref: 004C5787
_wcscpy.LIBCMT ref: 004C57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004C57EB
__swprintf.LIBCMT ref: 00500CD1

Strings

AutoIt - , xrefs: 004C5760
Line %d: , xrefs: 00500CCB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 0ad15a7800c5bc7fd8b4fee511fcd3dcc106cf4a7f98f4ed3b276d96a1ee7102
Instruction ID: da6b2ab970df9e69c908f74fe0afaaaa7af13bb90bf21e3f06a67da0149e52e3
Opcode Fuzzy Hash: 0ad15a7800c5bc7fd8b4fee511fcd3dcc106cf4a7f98f4ed3b276d96a1ee7102
Instruction Fuzzy Hash: AE412675008304AAD361EB20EC45FDF77DCAF59354F00061FF095820E2DB78A688D79A

Function 004C50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004C5109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004C512A
ShowWindow.USER32(00000000), ref: 004C513E
ShowWindow.USER32(00000000), ref: 004C5147

Strings

AutoIt v3, xrefs: 004C5101, 004C5106, 004C5107
edit, xrefs: 004C5124

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6b39fae35e9fe69d3d08c91048157c9f110c6996a02dc8e523159632ec990dca
Instruction ID: 2531d05bad06209f646ee5f18728288fa9b75627e274f3ad848a48d407237022
Opcode Fuzzy Hash: 6b39fae35e9fe69d3d08c91048157c9f110c6996a02dc8e523159632ec990dca
Instruction Fuzzy Hash: A3F017785442987EEA2117237C08E672E7DE7DAF54F11002ABA18A22B2C6711884FAB0

Function 00519B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004C4A8C: _fseek.LIBCMT ref: 004C4AA4

Part of subcall function 00519CF1: _wcscmp.LIBCMT ref: 00519DE1
Part of subcall function 00519CF1: _wcscmp.LIBCMT ref: 00519DF4

_free.LIBCMT ref: 00519C5F
_free.LIBCMT ref: 00519C66
_free.LIBCMT ref: 00519CD1

Part of subcall function 004D2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,004D9C54,00000000,004D8D5D,004D59C3), ref: 004D2F99
Part of subcall function 004D2F85: GetLastError.KERNEL32(00000000,?,004D9C54,00000000,004D8D5D,004D59C3), ref: 004D2FAB

_free.LIBCMT ref: 00519CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00519B8F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 3c82f1ebb9deb1b779d737378182f1072fb352077a4610e6c1cb4742ae12aa26
Instruction ID: 7666a339c3d24d2af75c55fe1fc51faa5fddde80e7d96c286ee2b4ec06c8df18
Opcode Fuzzy Hash: 3c82f1ebb9deb1b779d737378182f1072fb352077a4610e6c1cb4742ae12aa26
Instruction Fuzzy Hash: AD513BB1904219ABEF249F65DC55AAEBBB9FF88304F00049EF249A3341DB755E808F59

Function 004D563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D569B
_memcpy_s.LIBCMT ref: 004D570D
__read_nolock.LIBCMT ref: 004D576B
__filbuf.LIBCMT ref: 004D578E
_memset.LIBCMT ref: 004D57D2

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 70acc867d378df5a2ca01d9bfa5cfa8e4708ba4c6e66745b43750029fa7ca64b
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 9A519030A00B05DBDB248F6988A466FB7A5AF40324F34876FE829963D0DB78DD518B49

Function 004B52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B534A
TranslateMessage.USER32(?), ref: 004B5356
DispatchMessageW.USER32(?), ref: 004B5360

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: ac2fe987475016d7e03cb76510fdd65b89477f0077b7ccc731e81c82e98f5518
Instruction ID: a864f3ebcc3de560fc65a7d7c764a4460925ca296f3f0c16c2e93752a21643d5
Opcode Fuzzy Hash: ac2fe987475016d7e03cb76510fdd65b89477f0077b7ccc731e81c82e98f5518
Instruction Fuzzy Hash: 183118309087499ADB34CB64FC44BF6B7E89B15344F24106BE926873D1D3B99489F72A

Function 005157FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0051581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00515829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00515831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0051583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00515877

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a573cf6987f6285fbc32a922219ece1c6e3810b9be2668f5502f4c2d13fd8dd7
Instruction ID: 02a7da67a506decd85d84b333a27a2c823697f51060f42f059dd5901a0889404
Opcode Fuzzy Hash: a573cf6987f6285fbc32a922219ece1c6e3810b9be2668f5502f4c2d13fd8dd7
Instruction Fuzzy Hash: 53018735C01A19EBEF00AFE5DC489EDBFB8FB49315F200456E601B2180EB309594DBA1

Function 004BABD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004BAD08
OleInitialize.OLE32(00000000), ref: 004BAD85

Strings

<wW, xrefs: 004BAC6B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HandleInitialize
String ID: <wW
API String ID: 3139323997-1195503232
Opcode ID: f4088a4289da7ddf4471ba33705f6918316c25558793291aba3d5b43e8c038be
Instruction ID: aa4f12b828dbcdb5529ede6aa4af8a77e9914dd8f32ee41c6396748c7f69c480
Opcode Fuzzy Hash: f4088a4289da7ddf4471ba33705f6918316c25558793291aba3d5b43e8c038be
Instruction Fuzzy Hash: 5F41BDB09083488ECB98DF2ABD44A557EE6FB6D304B1085AE901CC72B2E7744488FB65

Function 004B1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004B1275,SwapMouseButtons,00000004,?), ref: 004B12A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004B1275,SwapMouseButtons,00000004,?), ref: 004B12C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,004B1275,SwapMouseButtons,00000004,?), ref: 004B12EB

Strings

Control Panel\Mouse, xrefs: 004B12A6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e3c52cbcb6514702ad6ef8569fefca6731e0c1ad2fb9baf5849afdf0bb6e6608
Instruction ID: 348a37be8651d6d044738a3bb655c349eed52395bf4588897b442464f24b490f
Opcode Fuzzy Hash: e3c52cbcb6514702ad6ef8569fefca6731e0c1ad2fb9baf5849afdf0bb6e6608
Instruction Fuzzy Hash: 18115E75510208BFDB208FA4DC84EEF77B8EF05744F50555AF905E7220E2319E4497A8

Function 004D0FE6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D593C: __FF_MSGBANNER.LIBCMT ref: 004D5953
Part of subcall function 004D593C: __NMSG_WRITE.LIBCMT ref: 004D595A
Part of subcall function 004D593C: RtlAllocateHeap.NTDLL(01870000,00000000,00000001,?,00000004,?,?,004D1003,?), ref: 004D597F

std::exception::exception.LIBCMT ref: 004D101C
__CxxThrowException@8.LIBCMT ref: 004D1031

Part of subcall function 004D87CB: RaiseException.KERNEL32(?,?,?,0056CAF8,?,?,?,?,?,004D1036,?,0056CAF8,?,00000001), ref: 004D8820

Strings

`=T, xrefs: 004D1029
h=T, xrefs: 004D1011

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=T$h=T
API String ID: 3902256705-215454017
Opcode ID: 66394acef9287178c352d191277621248c63daf04fc6d35a7569354b40a37876
Instruction ID: 94b8e4f92fb860c77388db579c4ad44b543c5d26b61499237b4ed4a479173995
Opcode Fuzzy Hash: 66394acef9287178c352d191277621248c63daf04fc6d35a7569354b40a37876
Instruction Fuzzy Hash: 12F0D63050420DB2CB21BA99EC359EE7BACAF01358F10006FFC14937A1DFB48A40C299

Function 004C5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C5B58

Part of subcall function 004C56F8: _memset.LIBCMT ref: 004C5787
Part of subcall function 004C56F8: _wcscpy.LIBCMT ref: 004C57DB
Part of subcall function 004C56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004C57EB

KillTimer.USER32(?,00000001,?,?), ref: 004C5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004C5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00500D7C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 757bbfae9541c48c9c2962bcf43cb7dc5e25b5dc1be83502c2dae7ffd2e6490f
Instruction ID: 78cec0b59b2a8f5a427491dee68be6be3fd6613d844ab4624cc300d9382847ec
Opcode Fuzzy Hash: 757bbfae9541c48c9c2962bcf43cb7dc5e25b5dc1be83502c2dae7ffd2e6490f
Instruction Fuzzy Hash: 9221F1755047849BE7B28B248895FEFBFECAB11308F00048EE69A562C1C37839C8DB55

Function 004C278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 004C49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004C27AF,?,00000001), ref: 004C49F4

_free.LIBCMT ref: 004FFB04
_free.LIBCMT ref: 004FFB4B

Part of subcall function 004C29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004C2ADF

Strings

Bad directive syntax error, xrefs: 004FFB33

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 2213e95e706cbaeb6deb3b1c85de3b8e27b5c5fe8c1c344cb13ea55fb5171f2d
Instruction ID: 7136041c0b7ec45cebb66475b80960b6c85a7f2870819e3391a792bcdd1306c3
Opcode Fuzzy Hash: 2213e95e706cbaeb6deb3b1c85de3b8e27b5c5fe8c1c344cb13ea55fb5171f2d
Instruction Fuzzy Hash: 36918F7190021DAFCF14EFA5C851DEEBBB4BF49314F10442FE915AB2A1DB789909CB58

Function 004C48B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004C48FA

Strings

AU3! ?T, xrefs: 004C48F4
EA06, xrefs: 005008A1

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?T$EA06
API String ID: 4104443479-114916119
Opcode ID: 9638e4f77fa812c978e2ea809c48764074aa7e91424be1c1792d7b4279b15092
Instruction ID: fa7130f43ce2512592b1e30cd2f3c4bded24ee3578aac24eeed8fd9e003ad236
Opcode Fuzzy Hash: 9638e4f77fa812c978e2ea809c48764074aa7e91424be1c1792d7b4279b15092
Instruction Fuzzy Hash: 6D419F65A041685BDFA19B748A71FBF7FA1AFC5310F14407FE881A72C2D5398D8183E6

Function 00519CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004C4AB2: __fread_nolock.LIBCMT ref: 004C4AD0

_wcscmp.LIBCMT ref: 00519DE1
_wcscmp.LIBCMT ref: 00519DF4

Strings

FILE, xrefs: 00519D2D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3570fae12de6612d0a7069c1f91919b9ebfb2dc20adf839a599bc05a0592b004
Instruction ID: 0f8518ece046a4dfa8acb55d76f8de613916852322daed565135aa2c674cdc94
Opcode Fuzzy Hash: 3570fae12de6612d0a7069c1f91919b9ebfb2dc20adf839a599bc05a0592b004
Instruction Fuzzy Hash: BB411875A4020ABAEF20DAA1CC55FEF7BBDEF85714F00446EF900A7280D67599448BA5

Function 004C31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0050032B
GetOpenFileNameW.COMDLG32(?), ref: 00500375

Part of subcall function 004D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C2A58,?,00008000), ref: 004D02A4

Part of subcall function 004D09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004D09E4

Strings

X, xrefs: 00500343

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 626fbbf8e383c3b58c6cd1eb974c5d8202a4b7d8cdba5f7cd949c4a0e4bc8de3
Instruction ID: a10404c7d1e400a2c81eab0962e1a5f90448dbe898be2eea531f1cbba3d1f34e
Opcode Fuzzy Hash: 626fbbf8e383c3b58c6cd1eb974c5d8202a4b7d8cdba5f7cd949c4a0e4bc8de3
Instruction Fuzzy Hash: 3D21A475A002889BCF41DF95C845BEE7BF8AF49304F00405FE404A7281DBF959899FA6

Function 0052D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f8c35b887392965f2326866da8182eed760de892454fb90d784a0dc73b4ed7
Instruction ID: db37b2c66c125550d5dddf7e7303e7ea4ae8335fc787b08664f276e0283c86e8
Opcode Fuzzy Hash: 13f8c35b887392965f2326866da8182eed760de892454fb90d784a0dc73b4ed7
Instruction Fuzzy Hash: 2AF147706083119FC714DF28D484A6ABBF5FF89318F14892EF8998B292D774E945CF92

Function 004C1680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004C16DB
_memmove.LIBCMT ref: 004C174C
_memmove.LIBCMT ref: 004C17B9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fbc075fa0263312a990675c075c4ce61352f34d64caa691b0e7844302347fe54
Instruction ID: 67f2f10efb8faff4f5e94d81fff353bb1a7e4cd1f26a9742fa8994b244168a92
Opcode Fuzzy Hash: fbc075fa0263312a990675c075c4ce61352f34d64caa691b0e7844302347fe54
Instruction Fuzzy Hash: 8261DF75600209EBDF048F29D980B6A7BB4FF45310F1881AAEC19CF3A5EB39D964CB55

Function 004C59D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C59F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004C5A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004C5ABB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: c6b79fc024d72976eaf0cfc95066341d4717a08a9ac35d4be482eb745c7d542c
Instruction ID: dba0e6a16dba63102b463ba95075c780a421f2226f8eb55fec08751d397ec17b
Opcode Fuzzy Hash: c6b79fc024d72976eaf0cfc95066341d4717a08a9ac35d4be482eb745c7d542c
Instruction Fuzzy Hash: BE31B4785047058FC760DF25E884B9BBBF4FB58308F000A2FF59A82351D7756988DB56

Function 004D593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 004D5953

Part of subcall function 004DA39B: __NMSG_WRITE.LIBCMT ref: 004DA3C2
Part of subcall function 004DA39B: __NMSG_WRITE.LIBCMT ref: 004DA3CC

__NMSG_WRITE.LIBCMT ref: 004D595A

Part of subcall function 004DA3F8: GetModuleFileNameW.KERNEL32(00000000,005753BA,00000104,00000004,00000001,004D1003), ref: 004DA48A
Part of subcall function 004DA3F8: ___crtMessageBoxW.LIBCMT ref: 004DA538

Part of subcall function 004D32CF: ___crtCorExitProcess.LIBCMT ref: 004D32D5
Part of subcall function 004D32CF: ExitProcess.KERNEL32 ref: 004D32DE

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

RtlAllocateHeap.NTDLL(01870000,00000000,00000001,?,00000004,?,?,004D1003,?), ref: 004D597F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 50cbbb49426af2ca0bfa9a3e32fbe8aa73f474896f940315d61c4409b63037cf
Instruction ID: c3c99a7be7643b2ca50732b8beed364ec9a9751ccd0bdf27ad0908262ea4e716
Opcode Fuzzy Hash: 50cbbb49426af2ca0bfa9a3e32fbe8aa73f474896f940315d61c4409b63037cf
Instruction Fuzzy Hash: BB0149B5201B01DAD6102B26AC7163F32498F52775F6000AFF4099B3D1DE7C8C40966E

Function 005192C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005192D6

Part of subcall function 004D2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,004D9C54,00000000,004D8D5D,004D59C3), ref: 004D2F99
Part of subcall function 004D2F85: GetLastError.KERNEL32(00000000,?,004D9C54,00000000,004D8D5D,004D59C3), ref: 004D2FAB

_free.LIBCMT ref: 005192E7
_free.LIBCMT ref: 005192F9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 3417f5bf91380df65f8d1829799b75f16bce4d29bf2a8ca6272198f41f2cd18f
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 64E0C2E170460253DA20A6396A50EC3BBEC1FC8311714080FF419D3242CE78E880906C

Function 004B5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 004EE234

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 16c0034d39a258ba1ea898116228a11923d0b9cd6a60ad2e089910cc3fefcdac
Instruction ID: 1e7149a4531829653ede791fb40003ae99727e7fdc58726d3bc23b373d459f0b
Opcode Fuzzy Hash: 16c0034d39a258ba1ea898116228a11923d0b9cd6a60ad2e089910cc3fefcdac
Instruction Fuzzy Hash: 45329C70508341DFCB24DF15C494BAABBE1BF85304F15896EE88A9B362C739EC45CB5A

Function 0052E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0052E20C

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

_wcscpy.LIBCMT ref: 0052E29B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 1eb4b024dd6a587c2d4deaf166c6831ca9234e5904f31c4555d7d33dd750f5e0
Instruction ID: 12b940483abe322273ef8f73f6bf91d4095a5d12138d187d237a90cbcf4ea4c9
Opcode Fuzzy Hash: 1eb4b024dd6a587c2d4deaf166c6831ca9234e5904f31c4555d7d33dd750f5e0
Instruction Fuzzy Hash: 97914734A00514DFCB18EF18D5929ADBBE5FF9A314B55845EE80A8F3A2DB34ED01CB94

Function 00516135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0051614E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: fa83e3536d2ff27075cc073466a7c0754417c48821a769477eb64cad3908afe2
Instruction ID: 5294f17c856d1e3d08d645d0793f2a2507c19ef3fa47feffb4f0137e4205e207
Opcode Fuzzy Hash: fa83e3536d2ff27075cc073466a7c0754417c48821a769477eb64cad3908afe2
Instruction Fuzzy Hash: F841D776600209AFEB11EF64C8819EE7BB8FF54354B10452FE516D7251EB74DE84CB50

Function 004C5F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 004C5FEF

Part of subcall function 004D359C: __lock.LIBCMT ref: 004D35A2
Part of subcall function 004D359C: DecodePointer.KERNEL32(00000001,?,004C6004,00508892), ref: 004D35AE
Part of subcall function 004D359C: EncodePointer.KERNEL32(?,?,004C6004,00508892), ref: 004D35B9

Part of subcall function 004C5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004C5F18
Part of subcall function 004C5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004C5F2D

Part of subcall function 004C5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C526C
Part of subcall function 004C5240: IsDebuggerPresent.KERNEL32 ref: 004C527E
Part of subcall function 004C5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 004C52E6
Part of subcall function 004C5240: SetCurrentDirectoryW.KERNEL32(?), ref: 004C5366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 004C602F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1f6f32a86fc053c4f330b817de133dd23efc921dad7fa7cd0cf6e2833a4a0ccc
Instruction ID: 46239c8acdb454b0e1bbd3602631e7836fa4fa75a2db4d05a1822696a2db4010
Opcode Fuzzy Hash: 1f6f32a86fc053c4f330b817de133dd23efc921dad7fa7cd0cf6e2833a4a0ccc
Instruction Fuzzy Hash: 6A11C0718083059FC710DF6AFC0595ABBE8EFA8314F00491FF158832B2DBB49588EB96

Function 004D581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D584C
__lock_file.LIBCMT ref: 004D586D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 665ce5c0cc818c198a18af516655f6e92c45d0c15c825c2ac24048976e463d94
Instruction ID: d632e8a265864572f04299ce83ec07058568344e5ae6fcbfd3a26fc6f1a67c57
Opcode Fuzzy Hash: 665ce5c0cc818c198a18af516655f6e92c45d0c15c825c2ac24048976e463d94
Instruction Fuzzy Hash: 0F014871800749EBCF11BF678C1599F7B61AF40364F14451FB824573A1DB398A21EF55

Function 004D55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

__lock_file.LIBCMT ref: 004D560B

Part of subcall function 004D6E3E: __lock.LIBCMT ref: 004D6E61

__fclose_nolock.LIBCMT ref: 004D5616

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 781083d96b4c1e093c9cde6d15be070dc4ad8af65ad0310365fefac43ead4445
Instruction ID: 78ffaa1c143f0a196d40f1effd4d3ac76e2d6d40dfc0333ff47ec2b5a4686efe
Opcode Fuzzy Hash: 781083d96b4c1e093c9cde6d15be070dc4ad8af65ad0310365fefac43ead4445
Instruction Fuzzy Hash: 68F0F671801B04AADB116B2A983176E77912F00338F11410FB428AB3C1CF7C89028B49

Function 004D5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004D5EB4
__ftell_nolock.LIBCMT ref: 004D5EBF

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 0c0ad6194f1f356653d1eff311cf9b7c1db2ab41033b4c8c419a75bd07dd5dd3
Instruction ID: c9e8de897fde71bebc717d1f076c148dee8dce7695c2aaa9db99c3cd593ea58f
Opcode Fuzzy Hash: 0c0ad6194f1f356653d1eff311cf9b7c1db2ab41033b4c8c419a75bd07dd5dd3
Instruction Fuzzy Hash: B7F0A0319116159ADB00BB7A882276E77A06F0133AF21420FB024AB3C2CF7C8E029A5D

Function 004C5AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C5AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 004C5B1F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: a865d6e938085291a8d14813cf2c8de8a870839e423fb31ff592531e688b219a
Instruction ID: 6e06789e00de9f0750cbdee9047cafab781b274da0b2befc844fdaabcb7d132d
Opcode Fuzzy Hash: a865d6e938085291a8d14813cf2c8de8a870839e423fb31ff592531e688b219a
Instruction Fuzzy Hash: B6F082748183089BD7929F24AC497A67BBC970530CF0001EAAA4C96296DB751BC8DB55

Function 004D32CF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 004D32D5

Part of subcall function 004D329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,004D32DA,004D1003,?,004D9EEE,000000FF,0000001E,0056CE28,00000008,004D9E52,004D1003,004D1003), ref: 004D32AA
Part of subcall function 004D329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 004D32BC

ExitProcess.KERNEL32 ref: 004D32DE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 1bdb9ee6fe17e4d90c672846d95109bb6b7a187c13d4027465d54071a942e2e7
Instruction ID: a7a39221ddd1fb9b8047cc07ed106516676ad82c2a8eeea26ca4802de70d5398
Opcode Fuzzy Hash: 1bdb9ee6fe17e4d90c672846d95109bb6b7a187c13d4027465d54071a942e2e7
Instruction Fuzzy Hash: CAB09230000208BBCB012F12EC0A8883F29FB02B99B104426F90409171DBB2AA92AA95

Function 004D0E38 Relevance: 2.6, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 004D0ED5
CloseHandle.KERNEL32 ref: 004D0EE7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b89868f37a49d2890f6a4aebdff233e85bd5a3441fc4f25572e14943966334b7
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7E31D370A001099BC718DF18C4A0A6AF7A6FF99300F648AABE409CB351E775EDC1CBC5

Function 0052C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 8ae352ee2f6233ee2b748d062822ae776d2e6c761f4dedc84d02e6112eb6fd61
Instruction ID: 362d8295bbca3ead1f9a86988cf1b4ccfe40a082571514d68725d5b762307fc9
Opcode Fuzzy Hash: 8ae352ee2f6233ee2b748d062822ae776d2e6c761f4dedc84d02e6112eb6fd61
Instruction Fuzzy Hash: 1EB16E34A0011AEFCB14EF98D881DEEBFB5FF59314F20841AF915A7292DB74A941CB90

Function 004BA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
Instruction ID: a288c41a55c1a1baa88a7fcf14a4b2af212cb4c634a3c78ab73623837c3c869f
Opcode Fuzzy Hash: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
Instruction Fuzzy Hash: 3861DEB06002069FDB10EF50C981ABBB7E5EF44300F15842EE9168B391D7B8ED95DB6A

Function 004EE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004EE2EA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4410e59e7d16152abd1acff33b856a77118db7bcccf792205ace99c6703e2cee
Instruction ID: e7f1840799a274ad9db85e69c011aceb85c293fe8525ca9ba7749ec5558e33ba
Opcode Fuzzy Hash: 4410e59e7d16152abd1acff33b856a77118db7bcccf792205ace99c6703e2cee
Instruction Fuzzy Hash: 13414A74508351DFDB14DF15C494B5ABBE1BF45308F0988AEE88A9B362C33AEC85CB56

Function 004C49C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C4B29: FreeLibrary.KERNEL32(00000000,?), ref: 004C4B63

Part of subcall function 004D547B: __wfsopen.LIBCMT ref: 004D5486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004C27AF,?,00000001), ref: 004C49F4

Part of subcall function 004C4ADE: FreeLibrary.KERNEL32(00000000), ref: 004C4B18

Part of subcall function 004C48B0: _memmove.LIBCMT ref: 004C48FA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1ab51d617cbd398f4773388c026a24e1633c79298bb9107c3adfdea04ed41004
Instruction ID: 2dab74d4dcf8ce8d295a4610191ca68ed1bbbe159a652412e1f76e20fa5e1ce2
Opcode Fuzzy Hash: 1ab51d617cbd398f4773388c026a24e1633c79298bb9107c3adfdea04ed41004
Instruction Fuzzy Hash: 3C112B39750205ABCB20FB71CD26FAE77A4AF80705F10841FF545A61C1EF799E01A798

Function 004C1BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004C1BFE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2c79761423f540672bda14eb4514d80e2afe8b87cb0e6c2e844ebd02b31338ab
Instruction ID: 74251058038479ba08e65ef2d88dcc923e2364ea6966a528500ac9f88de0520e
Opcode Fuzzy Hash: 2c79761423f540672bda14eb4514d80e2afe8b87cb0e6c2e844ebd02b31338ab
Instruction Fuzzy Hash: 93115C75204601DFC764DF29D481A16B7E9EF49354720842FE88ACB762E736E841CB44

Function 004EE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004EE3CE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7dcaf2a0e9b29d2d1ae1f8bc7ea56e6d8e39c3df1ba1b4f0c0d2d1b4a8e5721a
Instruction ID: 362aff26a878cc1fc2ae65cdb288bfbba6cc3c43b30535732fa4adfd70d8709b
Opcode Fuzzy Hash: 7dcaf2a0e9b29d2d1ae1f8bc7ea56e6d8e39c3df1ba1b4f0c0d2d1b4a8e5721a
Instruction Fuzzy Hash: 56215774508341DFDB14DF15C444B5ABBE4BF85308F09496EF88A57362C339E849CB6A

Function 004C1A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004C1A77

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: 7c86f529f0f006dc836dd632ba2f5de60eb30d38d147b01a03c01653186ed46f
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: CB01FE722017016ED3645F79DC02F67B794DF45790F10852FF51ACB2E1DA76E4408758

Function 0052495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00524998

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 49edc60310bcb739335b52895b862ef7d27971d80abb41ef69364e83d0b90eac
Instruction ID: ca1fa304068682e8a36cd743dcd4e4b5718fdb0c66f164d514eee54fe5cc1cb5
Opcode Fuzzy Hash: 49edc60310bcb739335b52895b862ef7d27971d80abb41ef69364e83d0b90eac
Instruction Fuzzy Hash: 28F06D35608108AF9B10FB65D81AD9F7BBCEF89324B00005AF8059B2A1DA74A9818764

Function 004EDC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 004D0FE6: std::exception::exception.LIBCMT ref: 004D101C
Part of subcall function 004D0FE6: __CxxThrowException@8.LIBCMT ref: 004D1031

_memmove.LIBCMT ref: 004EDC8B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction ID: 3d3a2736b9d1820da85cd35be6acf6f6b50fd9790a993e513c198df8a43b648f
Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction Fuzzy Hash: 1EF04974600101DFD310DF68C991E15BBF1BF5A304F34849EE1898B3A2E776E811CB96

Function 004C4A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 004C4AA4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 7cb9379712762bdf4c36a4f267f2e228ffb247faa853cebbd9922defc6d425a9
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: ABF085BA400208BFDF108F85DC00DEFBF79EB89724F00459DF9045A210D232EA218BA0

Function 004C4A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,004C27AF,?,00000001), ref: 004C4A63

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b6dd249ad135b866f2eba2bc5dcaa322a90918c6f29f9ad27b0816fad37db799
Instruction ID: fee70c6a6770950561b9e7e0d892d77cdd316c05462d6f34dd35866752eb0659
Opcode Fuzzy Hash: b6dd249ad135b866f2eba2bc5dcaa322a90918c6f29f9ad27b0816fad37db799
Instruction Fuzzy Hash: CCF08C79140701CFCBB48F64E5A0D16BBF0AF54329320A92FE1D683A10C7369944DF08

Function 004F0A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004F0A84

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ce54d70af485da128e3bc62a3b2ad7fc88895eb2cd7dbcb9420b4d716d389e2f
Instruction ID: f29e8b4541b49d1eca3403ef7d44cd3e9d94a1430c430b0409e7314b833ddb4b
Opcode Fuzzy Hash: ce54d70af485da128e3bc62a3b2ad7fc88895eb2cd7dbcb9420b4d716d389e2f
Instruction Fuzzy Hash: 5BE02BB1B083495EE7349B659404773FBD4AFD0314F10441FD99581342E37DD89497B6

Function 004C4AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004C4AD0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 82e63980b1d0e770d87fc2a549ae2ec3ba40d882dc496128b4215eccbcb9da59
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 9BF0587240020DFFDF04CF80C941EAABB79FB04314F20858AFC188B252D336DA21ABA1

Function 004D09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004D09E4

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7803abe2ef5b8cf645dd2917edda6a2feddd5e724ff664a7ed84e01239347ae9
Instruction ID: fc070511f485b1550b9f9e836467381572185d83811b07446eea39b2096615ed
Opcode Fuzzy Hash: 7803abe2ef5b8cf645dd2917edda6a2feddd5e724ff664a7ed84e01239347ae9
Instruction Fuzzy Hash: 5BE026369001281BC720A6999C05FEE77DCDF8A695F0002BBFC08C3214D974AC8086D0

Function 00513EF7 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00513E7D,?,?,?), ref: 00513F0D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 96d358462a318a07ecca09f9ccc227a333905cc31c6f63e35a8bb5ff3526dfcb
Instruction ID: 515f504ae7ab6dcfe995fa101eaf440b74ff75ccebdb9eae1a13cd7adde3da70
Opcode Fuzzy Hash: 96d358462a318a07ecca09f9ccc227a333905cc31c6f63e35a8bb5ff3526dfcb
Instruction Fuzzy Hash: 8BD0A5315D410CBBDF50DF50CC06F68776CD711705F100194B504D90D0D67155145755

Function 00514FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00513BFE), ref: 00514FED

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 02a8b832ffaa837f2e8ae1b037aa6b6cec3d744f10a698b35e0de86ba2cadc51
Instruction ID: 05039a3220d0d2d75b1a084a85c4bf4e07838a7215061bd02437176b129be809
Opcode Fuzzy Hash: 02a8b832ffaa837f2e8ae1b037aa6b6cec3d744f10a698b35e0de86ba2cadc51
Instruction Fuzzy Hash: 80B0923900068056AD281E3C19680D93B0168533A97E83B81E878857E1923D888BE960

Function 004D547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 004D5486

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1b54a47bc557fee17ea7da2f432f0f208aaf074cf1bd75395d81a446b85ac8de
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C5B0927A44020C77CE012A82EC03B593B299B41669F408026FB0C1C262AA77A6A09A8A

Function 004D3588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 004D3592

Part of subcall function 004D3459: __lock.LIBCMT ref: 004D3467
Part of subcall function 004D3459: DecodePointer.KERNEL32(0056CB70,0000001C,004D33B2,004D1003,00000001,00000000,?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34A6
Part of subcall function 004D3459: DecodePointer.KERNEL32(?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34B7
Part of subcall function 004D3459: EncodePointer.KERNEL32(00000000,?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34D0
Part of subcall function 004D3459: DecodePointer.KERNEL32(-00000004,?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34E0
Part of subcall function 004D3459: EncodePointer.KERNEL32(00000000,?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34E6
Part of subcall function 004D3459: DecodePointer.KERNEL32(?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D34FC
Part of subcall function 004D3459: DecodePointer.KERNEL32(?,004D3300,000000FF,?,004D9E5E,00000011,004D1003,?,004D9CAC,0000000D), ref: 004D3507

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 604d1846c197e7eb1c5a45993232e18e039d9a51ab27b2e7ee71e4993ef12649
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: DFB0123198030C33DA112942EC03F153B1C4740B54F100022FA0C1C2E1A5D7766040CE

Function 0051C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00514005: FindFirstFileW.KERNEL32(?,?), ref: 0051407C
Part of subcall function 00514005: DeleteFileW.KERNEL32(?,?,?,?), ref: 005140CC
Part of subcall function 00514005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 005140DD
Part of subcall function 00514005: FindClose.KERNEL32(00000000), ref: 005140F4

GetLastError.KERNEL32 ref: 0051C292

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 8bd6152fbc22e85519573ef05244ade53e99019c2572eab4a71a94b436951bac
Instruction ID: c1b274e717f4a04fa80220d8c5401d9e0ddbc8855fad7b67cba9ae82f9583921
Opcode Fuzzy Hash: 8bd6152fbc22e85519573ef05244ade53e99019c2572eab4a71a94b436951bac
Instruction Fuzzy Hash: B8F0A7352101104FDB10EF5AD844FA9BBE9BF88724F05841EF9468B352CB78BC41CB98

Non-executed Functions

Function 0053D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0053D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0053D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0053D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0053D2B8
SendMessageW.USER32 ref: 0053D2E1
_wcsncpy.LIBCMT ref: 0053D359
GetKeyState.USER32(00000011), ref: 0053D37A
GetKeyState.USER32(00000009), ref: 0053D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0053D39D
GetKeyState.USER32(00000010), ref: 0053D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0053D3D0
SendMessageW.USER32 ref: 0053D3F7
SendMessageW.USER32(?,00001030,?,0053B9BA), ref: 0053D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0053D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0053D526
SetCapture.USER32(?), ref: 0053D52F
ClientToScreen.USER32(?,?), ref: 0053D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0053D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0053D5BB
ReleaseCapture.USER32 ref: 0053D5C6
GetCursorPos.USER32(?), ref: 0053D600
ScreenToClient.USER32(?,?), ref: 0053D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0053D669
SendMessageW.USER32 ref: 0053D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0053D6D4
SendMessageW.USER32 ref: 0053D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0053D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0053D733
GetCursorPos.USER32(?), ref: 0053D753
ScreenToClient.USER32(?,?), ref: 0053D760
GetParent.USER32(?), ref: 0053D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0053D7E9
SendMessageW.USER32 ref: 0053D81A
ClientToScreen.USER32(?,?), ref: 0053D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0053D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0053D8D2
SendMessageW.USER32 ref: 0053D8F5
ClientToScreen.USER32(?,?), ref: 0053D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0053D97B

Part of subcall function 004B29AB: GetWindowLongW.USER32(?,000000EB), ref: 004B29BC

GetWindowLongW.USER32(?,000000F0), ref: 0053DA17

Strings

@GUI_DRAGID, xrefs: 0053D562
F, xrefs: 0053D8FB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 13d6c9436586bf3eeff3aee613076d077c21946f86879cf63f460ac727b1c6cd
Instruction ID: 1cdd10790b326a30e50ec16a47f827bb15b3e681b85d974e52eefb20d71bc0d6
Opcode Fuzzy Hash: 13d6c9436586bf3eeff3aee613076d077c21946f86879cf63f460ac727b1c6cd
Instruction Fuzzy Hash: C642BC35204241AFD724DF28E848FAABFF5FF89314F140A1DF699872A1C7719858DB62

Function 00508F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00509399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005093E3
Part of subcall function 00509399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00509410
Part of subcall function 00509399: GetLastError.KERNEL32 ref: 0050941D

_memset.LIBCMT ref: 00508F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00508FC3
CloseHandle.KERNEL32(?), ref: 00508FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00508FEB
GetProcessWindowStation.USER32 ref: 00509004
SetProcessWindowStation.USER32(00000000), ref: 0050900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00509028

Part of subcall function 00508DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00508F27), ref: 00508DFE
Part of subcall function 00508DE9: CloseHandle.KERNEL32(?,?,00508F27), ref: 00508E10

Strings

default, xrefs: 00509023
, xrefs: 00508F80
winsta0, xrefs: 00508FE6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 16895ab15f8c8c5a78724e53a16b80539069b99002ec7c866f71b632a69fec45
Instruction ID: d9f752b9b5efa5bf66cde42c26dc650a4a8d4503b79f84e6ec56eaec0f7380ac
Opcode Fuzzy Hash: 16895ab15f8c8c5a78724e53a16b80539069b99002ec7c866f71b632a69fec45
Instruction Fuzzy Hash: 8D81697190020ABFDF119FA4DC49AEE7F79FF05308F144119F915A22A6D7318E19EB60

Function 00524632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00540980), ref: 0052465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0052466A
GetClipboardData.USER32(0000000D), ref: 00524672
CloseClipboard.USER32 ref: 0052467E
GlobalLock.KERNEL32(00000000), ref: 0052469A
CloseClipboard.USER32 ref: 005246A4
GlobalUnlock.KERNEL32(00000000), ref: 005246B9
IsClipboardFormatAvailable.USER32(00000001), ref: 005246C6
GetClipboardData.USER32(00000001), ref: 005246CE
GlobalLock.KERNEL32(00000000), ref: 005246DB
GlobalUnlock.KERNEL32(00000000), ref: 0052470F
CloseClipboard.USER32 ref: 0052481F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4c8dc1f3d12a30ae7663253719031ae27628d163c9227b219b81b55b21fcf727
Instruction ID: 73a0cfcc408c35ede6d6267e165bd9f7d6e64145033fd1054df924736fbd18e1
Opcode Fuzzy Hash: 4c8dc1f3d12a30ae7663253719031ae27628d163c9227b219b81b55b21fcf727
Instruction Fuzzy Hash: 5551B5392042116BD700EF60EC89FAE7BA8BF96B14F10052DF656D21E2DF70D9099F66

Function 0051F5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0051F5F9
_wcscmp.LIBCMT ref: 0051F60E
_wcscmp.LIBCMT ref: 0051F625
GetFileAttributesW.KERNEL32(?), ref: 0051F637
SetFileAttributesW.KERNEL32(?,?), ref: 0051F651
FindNextFileW.KERNEL32(00000000,?), ref: 0051F669
FindClose.KERNEL32(00000000), ref: 0051F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0051F690
_wcscmp.LIBCMT ref: 0051F6B7
_wcscmp.LIBCMT ref: 0051F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0051F6E0
SetCurrentDirectoryW.KERNEL32(0056B578), ref: 0051F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0051F708
FindClose.KERNEL32(00000000), ref: 0051F715
FindClose.KERNEL32(00000000), ref: 0051F727

Strings

SQ, xrefs: 0051F6E2
*.*, xrefs: 0051F68B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$SQ
API String ID: 1803514871-2557518282
Opcode ID: 420f199f1baa8256350415b037b8bea6b3981e8bfeb8279b83dbb6aa4f8c8f01
Instruction ID: 8bc35e9d0ddfa01efda61f6667c0279489e45a3093276dfaf9e95220ccdcffed
Opcode Fuzzy Hash: 420f199f1baa8256350415b037b8bea6b3981e8bfeb8279b83dbb6aa4f8c8f01
Instruction Fuzzy Hash: 1931F6756042196AEB10DFB4DC49ADE7BACFF19325F200166F905D31E0EB70CA84DB60

Function 0051CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0051CDD0
FindClose.KERNEL32(00000000), ref: 0051CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0051CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0051CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0051CE87
__swprintf.LIBCMT ref: 0051CED3
__swprintf.LIBCMT ref: 0051CF16

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

__swprintf.LIBCMT ref: 0051CF6A

Part of subcall function 004D38C8: __woutput_l.LIBCMT ref: 004D3921

__swprintf.LIBCMT ref: 0051CFB8

Part of subcall function 004D38C8: __flsbuf.LIBCMT ref: 004D3943
Part of subcall function 004D38C8: __flsbuf.LIBCMT ref: 004D395B

__swprintf.LIBCMT ref: 0051D007
__swprintf.LIBCMT ref: 0051D056
__swprintf.LIBCMT ref: 0051D0A5

Strings

%02d, xrefs: 0051CF5E, 0051CF68, 0051CFB6, 0051D005, 0051D054, 0051D0A3
%4d%02d%02d%02d%02d%02d, xrefs: 0051CECD
%4d, xrefs: 0051CF10

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 9f19fe9902b2ae0d97745971fb06424081aa07567a67a69f3fba097a0de558ed
Instruction ID: e98bb898188eadc186a2cba3b5b8fdd56ccda14529062f02af56c0d97b0dfc9e
Opcode Fuzzy Hash: 9f19fe9902b2ae0d97745971fb06424081aa07567a67a69f3fba097a0de558ed
Instruction Fuzzy Hash: E0A13DB1404204ABD710EFA5C895EEFB7ECBF95708F40091EF585C2192EB34EA49CB66

Function 00530EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00530FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00540980,00000000,?,00000000,?,?), ref: 00531021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00531069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005310F2
RegCloseKey.ADVAPI32(?), ref: 00531412
RegCloseKey.ADVAPI32(00000000), ref: 0053141F

Strings

REG_MULTI_SZ, xrefs: 005311DA
REG_DWORD, xrefs: 005312E3
REG_EXPAND_SZ, xrefs: 0053108F
REG_QWORD, xrefs: 00531360
REG_BINARY, xrefs: 005313AD
REG_SZ, xrefs: 00531130

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 79e3a449c961259923b94bb547369ec4442244abfb1b867a43bf385ec4a370ab
Instruction ID: c62594d8d6acc9852caaf3bd8e80693caa1b3b31ea44ce3247d020258d866007
Opcode Fuzzy Hash: 79e3a449c961259923b94bb547369ec4442244abfb1b867a43bf385ec4a370ab
Instruction Fuzzy Hash: AA028E752006019FCB14EF25C855E6ABBE5FF89714F04895DF88A9B3A2CB38EC01CB95

Function 0051F735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0051F756
_wcscmp.LIBCMT ref: 0051F76B
_wcscmp.LIBCMT ref: 0051F782

Part of subcall function 00514875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00514890

FindNextFileW.KERNEL32(00000000,?), ref: 0051F7B1
FindClose.KERNEL32(00000000), ref: 0051F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0051F7D8
_wcscmp.LIBCMT ref: 0051F7FF
_wcscmp.LIBCMT ref: 0051F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0051F828
SetCurrentDirectoryW.KERNEL32(0056B578), ref: 0051F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0051F850
FindClose.KERNEL32(00000000), ref: 0051F85D
FindClose.KERNEL32(00000000), ref: 0051F86F

Strings

jQ, xrefs: 0051F82A
*.*, xrefs: 0051F7D3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$jQ
API String ID: 1824444939-876706621
Opcode ID: 2f1f551ef38ad36384e0777d329eb4829d2bf7af1b52378ac4280e75d9e166be
Instruction ID: 4b1f830c23e088a6cec108e617b4c6717eb33e330ed56c26a5904bfdcb3693ff
Opcode Fuzzy Hash: 2f1f551ef38ad36384e0777d329eb4829d2bf7af1b52378ac4280e75d9e166be
Instruction Fuzzy Hash: C431D57650061A7AEB109F74DC88ADE7B6CFF59325F200176E905A31E0D770CE85DB60

Function 005088CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00508E3C
Part of subcall function 00508E20: GetLastError.KERNEL32(?,00508900,?,?,?), ref: 00508E46
Part of subcall function 00508E20: GetProcessHeap.KERNEL32(00000008,?,?,00508900,?,?,?), ref: 00508E55
Part of subcall function 00508E20: HeapAlloc.KERNEL32(00000000,?,00508900,?,?,?), ref: 00508E5C
Part of subcall function 00508E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00508E73

Part of subcall function 00508EBD: GetProcessHeap.KERNEL32(00000008,00508916,00000000,00000000,?,00508916,?), ref: 00508EC9
Part of subcall function 00508EBD: HeapAlloc.KERNEL32(00000000,?,00508916,?), ref: 00508ED0
Part of subcall function 00508EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00508916,?), ref: 00508EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00508931
_memset.LIBCMT ref: 00508946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00508965
GetLengthSid.ADVAPI32(?), ref: 00508976
GetAce.ADVAPI32(?,00000000,?), ref: 005089B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005089CF
GetLengthSid.ADVAPI32(?), ref: 005089EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005089FB
HeapAlloc.KERNEL32(00000000), ref: 00508A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00508A23
CopySid.ADVAPI32(00000000), ref: 00508A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00508A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00508A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00508A95

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5468d0ea80c8940190d5a45625cf94deec5a604926cdd3f2bc539ba011ef5dbc
Instruction ID: a02998f6629c51c47e594c95e2cf60d830ad2391e13d2161213f2678a3d10a28
Opcode Fuzzy Hash: 5468d0ea80c8940190d5a45625cf94deec5a604926cdd3f2bc539ba011ef5dbc
Instruction Fuzzy Hash: DF614675A0020AEFDF00DFA1DC49EFEBB79BF44314F14826AE955A7290DB319A04DB60

Function 00530A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0053147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053040D,?,?), ref: 00531491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00530B0C

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00530BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00530C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00530E82
RegCloseKey.ADVAPI32(00000000), ref: 00530E8F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: efaff1880d20e94e274cd69154626fa14a52bfc6687bd6927bd9701d5b1b582b
Instruction ID: 4be8e72b269e79017996a6bad81d41a9aa1b6e32cfb8d4aac84530999cfaea52
Opcode Fuzzy Hash: efaff1880d20e94e274cd69154626fa14a52bfc6687bd6927bd9701d5b1b582b
Instruction Fuzzy Hash: B5E16D35204305AFCB14DF25C895E6ABBE9FF89718F04896DF44ADB2A2DA34EC05CB51

Function 0051443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00514451
__swprintf.LIBCMT ref: 0051445E

Part of subcall function 004D38C8: __woutput_l.LIBCMT ref: 004D3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00514488
LoadResource.KERNEL32(?,00000000), ref: 00514494
LockResource.KERNEL32(00000000), ref: 005144A1
FindResourceW.KERNEL32(?,?,00000003), ref: 005144C1
LoadResource.KERNEL32(?,00000000), ref: 005144D3
SizeofResource.KERNEL32(?,00000000), ref: 005144E2
LockResource.KERNEL32(?), ref: 005144EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0051454F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c83d49d68a8018b45fd76783f12be7b8e5127c1bf47ffc7eb35e095bb52997ea
Instruction ID: ecf4f8fa9034a82e21a60dae980bb9f752b22d9ed5ac9f72502a3131ce53fec9
Opcode Fuzzy Hash: c83d49d68a8018b45fd76783f12be7b8e5127c1bf47ffc7eb35e095bb52997ea
Instruction Fuzzy Hash: 8E31D07550121AABEB119FA0EC48EFB7FA9FF05305F104415F905D2190E774DA94EB60

Function 00524830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00524857
EmptyClipboard.USER32 ref: 0052485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00524872
CloseClipboard.USER32 ref: 00524911

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8af8b149f87157a7bc70507b4c9c5326e7fff8db84c83e3fb40ebf1f890305b9
Instruction ID: dde12ead143a3bea6d3b8fceb67623043b2512f7669a250f46fd071bec329da6
Opcode Fuzzy Hash: 8af8b149f87157a7bc70507b4c9c5326e7fff8db84c83e3fb40ebf1f890305b9
Instruction Fuzzy Hash: CE21E7392052209FD711AF20FC09B6E7BA8FF95724F118419FA06972E2CB74AD01DF94

Function 0051FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0051FA83
FindClose.KERNEL32(00000000), ref: 0051FB96

Part of subcall function 004B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B52E6

Sleep.KERNEL32(0000000A), ref: 0051FAB3
_wcscmp.LIBCMT ref: 0051FAC7
_wcscmp.LIBCMT ref: 0051FAE2
FindNextFileW.KERNEL32(?,?), ref: 0051FB80

Strings

*.*, xrefs: 0051FA68

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 7ff882bba4d34a8f229159bb4deb2c4081804a0d49f1bfa010bb9861c41de034
Instruction ID: b202375249af73f25f01e067c063d4f99e271a0d8f46f337c356ef4b4014bb92
Opcode Fuzzy Hash: 7ff882bba4d34a8f229159bb4deb2c4081804a0d49f1bfa010bb9861c41de034
Instruction Fuzzy Hash: BC41B0B590420AAFDF14DF64CC58AEEBBB4FF05314F14416AE814A32A1EB349E84CB50

Function 00515778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00509399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005093E3
Part of subcall function 00509399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00509410
Part of subcall function 00509399: GetLastError.KERNEL32 ref: 0050941D

ExitWindowsEx.USER32(?,00000000), ref: 005157B4

Strings

@, xrefs: 005157A7
SeShutdownPrivilege, xrefs: 00515784
, xrefs: 005157A2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 536c92d295837eb5c8d42c9deeb899ab3ae44b7e6dfb245ecba2ede24b197958
Instruction ID: f8b8ae8439de2d85da6bf5c8fb40709ff6099068e1593d2a46d958497950631a
Opcode Fuzzy Hash: 536c92d295837eb5c8d42c9deeb899ab3ae44b7e6dfb245ecba2ede24b197958
Instruction Fuzzy Hash: DE01DF31750712EAF72C62A8DC8BBFA7E58FB85780F240929F913D20D2FA705CC08560

Function 0052696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005269C7
WSAGetLastError.WSOCK32(00000000), ref: 005269D6
bind.WSOCK32(00000000,?,00000010), ref: 005269F2
listen.WSOCK32(00000000,00000005), ref: 00526A01
WSAGetLastError.WSOCK32(00000000), ref: 00526A1B
closesocket.WSOCK32(00000000,00000000), ref: 00526A2F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 5f9db1961b11e09de5c3fad9560fb7fae9688b00ca43e60620d276925618435a
Instruction ID: 6f76117058d081d912c15cd3d04612708ee5e6b0d1a46bf7b03920fdb4800285
Opcode Fuzzy Hash: 5f9db1961b11e09de5c3fad9560fb7fae9688b00ca43e60620d276925618435a
Instruction Fuzzy Hash: 6721F5346002119FCB10EF64D889BAEBBB9FF45724F10855DE916A73D2CB30AC01DB91

Function 004B1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 004B1DD6
GetSysColor.USER32(0000000F), ref: 004B1E2A
SetBkColor.GDI32(?,00000000), ref: 004B1E3D

Part of subcall function 004B166C: DefDlgProcW.USER32(?,00000020,?), ref: 004B16B4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 438f2c4d0a6efbc75a95b6625eca43ab9ecf255cb9646005f3793d713bf8a14c
Instruction ID: 172ce8fbc9c93b1ab93b95c7f6ec93ce5813164d430d935f06257802b1b148b8
Opcode Fuzzy Hash: 438f2c4d0a6efbc75a95b6625eca43ab9ecf255cb9646005f3793d713bf8a14c
Instruction Fuzzy Hash: E7A17074105445BADB2C6B6A5CA9EFB3A5DEB45302FA0050BF401D52B5CB2CAD02E2BF

Function 0051C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0051C329
_wcscmp.LIBCMT ref: 0051C359
_wcscmp.LIBCMT ref: 0051C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0051C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0051C3AF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 3567e555e448284fca855d9442482f9b43b7b201d79635b3cea7f949d32b515d
Instruction ID: 424f7e11c86eea0ba3b99890356748713f26205a50abc1e90e82ea107b28a82b
Opcode Fuzzy Hash: 3567e555e448284fca855d9442482f9b43b7b201d79635b3cea7f949d32b515d
Instruction Fuzzy Hash: 1551CF356046028FD714DF68C490EEABBE8FF49314F104A1EE966C73A1DB75AD44CB91

Function 00526E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00528475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005284A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00526E89
WSAGetLastError.WSOCK32(00000000), ref: 00526EB2
bind.WSOCK32(00000000,?,00000010), ref: 00526EEB
WSAGetLastError.WSOCK32(00000000), ref: 00526EF8
closesocket.WSOCK32(00000000,00000000), ref: 00526F0C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 8959c13143b85ca3e35370d67630727bc6b6db92e6ac0411f10c6bd8323a2bb9
Instruction ID: 56ab1cc89a7d3c98836cd2e61832e4b4748bdd68ff2a3e36658cedf4f5fe9c6f
Opcode Fuzzy Hash: 8959c13143b85ca3e35370d67630727bc6b6db92e6ac0411f10c6bd8323a2bb9
Instruction Fuzzy Hash: 50410675600210AFDB14AF65DC86FBE77A8EF85718F00845DFA05AB3C3CA789D008BA5

Function 005359B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00535A02
IsWindowEnabled.USER32 ref: 00535A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00535A1D
IsIconic.USER32 ref: 00535A2B
IsZoomed.USER32 ref: 00535A39

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3b60c7282fcfaac2f6734464c8f484039aff9a562279512f589909a8dfdf70ad
Instruction ID: e7a749a2a5eb703b8aea64729b34505df8cee07b28eb9acbed3fbc93d2022659
Opcode Fuzzy Hash: 3b60c7282fcfaac2f6734464c8f484039aff9a562279512f589909a8dfdf70ad
Instruction Fuzzy Hash: 281134323009119FE7211F268C84BAE7F9CFF84321F015529F906D3281EB34E901DAE4

Function 004F0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004F0034
__swprintf.LIBCMT ref: 004F0065

Strings

%.3d, xrefs: 004F003F
WIN_XPe, xrefs: 004F00A4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 79797839fec57e00bf7e811fea92b95968755829ea82f129c309f0dee0d0393a
Instruction ID: 0266f97753e2eda8336ba44ccad54a9926a49d321c9039c4173074a7a5975898
Opcode Fuzzy Hash: 79797839fec57e00bf7e811fea92b95968755829ea82f129c309f0dee0d0393a
Instruction Fuzzy Hash: C5D0127280811CEEC7149A90D944EF977BCAB84304F200053F706E2041DA3D979DAA2B

Function 005229BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00521ED6,00000000), ref: 00522AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00522AE4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 9f76fbe3f6a1eaff84a441d82a96c3c474335e6db9f0e902fea3864c7b04536d
Instruction ID: 1f8f01d77991d8c39c10cb964f66a42a339720b6e9c56a89e72ecfa640fd7b17
Opcode Fuzzy Hash: 9f76fbe3f6a1eaff84a441d82a96c3c474335e6db9f0e902fea3864c7b04536d
Instruction Fuzzy Hash: 9C41F679600219BFEB20DE55EC85EBBBBACFF42714F10441EF605A76C1DBB09E419A60

Function 00509399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004D0FE6: std::exception::exception.LIBCMT ref: 004D101C
Part of subcall function 004D0FE6: __CxxThrowException@8.LIBCMT ref: 004D1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005093E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00509410
GetLastError.KERNEL32 ref: 0050941D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 51e7cb28c64139ac370d7045902391f7ed2535023c4dc98a3326cda37054e4b5
Instruction ID: c0ae2b30caf0bfeeea1677f6f9ef300d2d13b71e38b107cc0081df917f333f80
Opcode Fuzzy Hash: 51e7cb28c64139ac370d7045902391f7ed2535023c4dc98a3326cda37054e4b5
Instruction Fuzzy Hash: A01191B1414205AFD728DF54EC89D6FBBBCFB44714B20852EF45A93291EB70AC41CB64

Function 00514254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00514271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005142B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005142BD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: fbdf735de3a2680ba4c615962df370405adf5a7c8a0f39080727b8fe247b4c34
Instruction ID: a011bd33089bed3f389bb6821284dc08a81b24be683b71be180e48b45f0a38e9
Opcode Fuzzy Hash: fbdf735de3a2680ba4c615962df370405adf5a7c8a0f39080727b8fe247b4c34
Instruction Fuzzy Hash: 77117C79E01228BBEB108FA5AC44BEFBFBCEB45B20F104556FD14E7280C6704A449BA1

Function 00514F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00514F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00514F5C
FreeSid.ADVAPI32(?), ref: 00514F6C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5f9fb0c10bf2d9ee816b44b8f1ecc0d00429816a43b100bfda0554729d26d549
Instruction ID: cbeca2c2893b32a0b8ad1215546a50ac26aed670ebe4cbc3914e34c88e1b2587
Opcode Fuzzy Hash: 5f9fb0c10bf2d9ee816b44b8f1ecc0d00429816a43b100bfda0554729d26d549
Instruction Fuzzy Hash: D4F04F7591130CFFDF00DFE0DC89AEEBBBCEF08205F505469AA05E2280D7345A449B50

Function 00511AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00511B01
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00511B14

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: eb264c128c222177e7f0849af8238d3c143cfdccdd7a6b12c58031e15dca72b3
Instruction ID: 8636ffb30b70c82e5993e220d861e0ea2828e078f8d9e2ae11f1f27f2198cda3
Opcode Fuzzy Hash: eb264c128c222177e7f0849af8238d3c143cfdccdd7a6b12c58031e15dca72b3
Instruction Fuzzy Hash: B6F0497590420DABEB10CFA4C805BFE7BB4FF14316F10804AFE5596292D3799615DF94

Function 0051A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00529B52,?,0054098C,?), ref: 0051A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00529B52,?,0054098C,?), ref: 0051A6EC

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 65a2e6dffe461c9fb8c424c1316fba25aa80e4b8ea3ee6b6bf54f26efef21573
Instruction ID: 2debc83b991743d636f9a7a32ff56a56146cad1f0ef214fbc8441c990aaa9934
Opcode Fuzzy Hash: 65a2e6dffe461c9fb8c424c1316fba25aa80e4b8ea3ee6b6bf54f26efef21573
Instruction Fuzzy Hash: 8BF02E3940521DBFDB219FA4CC48FDA376CFF09361F004256B508D2191D6309980CBE1

Function 00508DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00508F27), ref: 00508DFE
CloseHandle.KERNEL32(?,?,00508F27), ref: 00508E10

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1f4d333438fc1e0b697e7091e9308fe7adf4feb963d63465edecfebf322d22c6
Instruction ID: 803b09a3debdaa890a3b9f9252ae95c4ad8fff9e365af7c96e0999e3215d34b1
Opcode Fuzzy Hash: 1f4d333438fc1e0b697e7091e9308fe7adf4feb963d63465edecfebf322d22c6
Instruction Fuzzy Hash: 83E0BF75010610EFE7262B51FC19DB77BADEB05315724891EF99A804B0DB715CD0DB50

Function 004DA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004D8F87,?,?,?,00000001), ref: 004DA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004DA393

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 09cc24ac911ceb8bdc2448d199023ae88ea57e50e274b7a1413abf6603f65121
Instruction ID: 98fd600b2a611f99cef6028f5f7fcb27e2f1831e4374b87b439f3a5137fa9209
Opcode Fuzzy Hash: 09cc24ac911ceb8bdc2448d199023ae88ea57e50e274b7a1413abf6603f65121
Instruction Fuzzy Hash: E1B09235064208ABCE402F91EC09BC83F68EB56A6AF105410FB0D440A0CB725454AA91

Function 005245D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005245F0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 65efedf68523131f3484cc2b0dbab654b30c41e5dba8a6ab46329b0020d95e29
Instruction ID: d021ab2028d6bcd5772e765164e2b1c21fd129d1f9fabdd4b85eb7908a5f1282
Opcode Fuzzy Hash: 65efedf68523131f3484cc2b0dbab654b30c41e5dba8a6ab46329b0020d95e29
Instruction Fuzzy Hash: 8BE0DF353102259FC710AF5AE800A8AFBECAFA5760F00841AFD49C7391DA70E8018FA0

Function 005151E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00515205

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 354da2b55e83c8d3e109574061eead4e21410149d25bba9f8da75bc893623333
Instruction ID: 7868638dff8d2b91a2ed4944eb03d5becca7ea0954f1daad62e8f5f09f9e2217
Opcode Fuzzy Hash: 354da2b55e83c8d3e109574061eead4e21410149d25bba9f8da75bc893623333
Instruction Fuzzy Hash: 04D067A51E0A0AB9FD5A07249A1FFF61A09F3817C1FD4554A7192850C1B9B858C9E821

Function 00509369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00508FA7), ref: 00509389

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 5b387d87d063a48a92dff55384ff29593269b5784b78fb495c783fa5a362ebeb
Instruction ID: 4dbe6456012cbe0b7b33132f8f48aa55adeff6051926fbfca83460d25fae31a0
Opcode Fuzzy Hash: 5b387d87d063a48a92dff55384ff29593269b5784b78fb495c783fa5a362ebeb
Instruction Fuzzy Hash: 2CD05E3226050EABEF018EA4DC05EEE3B69EB04B01F808111FE15C50A0C775D835AB60

Function 004F0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004F0734

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8c048f866613332831ff430e1f843681c67bf486b4488e4d899c818a1c3a0c48
Instruction ID: fa6c2c74ecd5fa17e63dcc937ce8f34e4742cb6710545742877efd22680ee9a2
Opcode Fuzzy Hash: 8c048f866613332831ff430e1f843681c67bf486b4488e4d899c818a1c3a0c48
Instruction Fuzzy Hash: 05C04CF581010DDBCB15DBA0D98CEFE77BCAB04304F200056A205B2140D7789B449A71

Function 004DA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 004DA35A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c4375e40e56b87191e20735b3e22834c0b61db63d477585a14d8a3b6593a072e
Instruction ID: 2a517f81d355663314b8cfc42cc45874b15827242de0e2dff45776cb6e38b8f1
Opcode Fuzzy Hash: c4375e40e56b87191e20735b3e22834c0b61db63d477585a14d8a3b6593a072e
Instruction Fuzzy Hash: BBA0243003010CF7CF001F41FC044C47F5CD7015547004010F50C00031C733541055C0

Function 00533BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00540980), ref: 00533C65
IsWindowVisible.USER32(?), ref: 00533C89

Strings

TABLEFT, xrefs: 00533CC5
ISENABLED, xrefs: 00533CA9
GETCURRENTSELECTION, xrefs: 00533E21
GETCURRENTCOL, xrefs: 00533F66
CURRENTTAB, xrefs: 00533CFB
GETSELECTED, xrefs: 00533EE1
HIDEDROPDOWN, xrefs: 00533D3E
GETLINECOUNT, xrefs: 00533F04
UNCHECK, xrefs: 00533EC1
TABRIGHT, xrefs: 00533CDB
SETCURRENTSELECTION, xrefs: 00533DF4
SHOWDROPDOWN, xrefs: 00533D1E
GETLINE, xrefs: 00533FD9
GETCURRENTLINE, xrefs: 00533F2B
SENDCOMMANDID, xrefs: 00534018
CHECK, xrefs: 00533EAB
ISCHECKED, xrefs: 00533E77
EDITPASTE, xrefs: 00533F9D
ISVISIBLE, xrefs: 00533C75
FINDSTRING, xrefs: 00533DB4
DELSTRING, xrefs: 00533D87
ADDSTRING, xrefs: 00533D54
SELECTSTRING, xrefs: 00533E44

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2d0cf5fcd6bb144f26c2e69566cf923b61a246e5421fe953839a1cbf95be3035
Instruction ID: 6e5dd23a46b798602e2d82a513731f38c3ddff7d1b8c563e4ac09b069aec05a9
Opcode Fuzzy Hash: 2d0cf5fcd6bb144f26c2e69566cf923b61a246e5421fe953839a1cbf95be3035
Instruction Fuzzy Hash: B9D15D342042058BCB14EF11C465AAEBFE6BF94358F10485EF9865B3E2CB35ED4ACB56

Function 0053ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0053AC55
GetSysColorBrush.USER32(0000000F), ref: 0053AC86
GetSysColor.USER32(0000000F), ref: 0053AC92
SetBkColor.GDI32(?,000000FF), ref: 0053ACAC
SelectObject.GDI32(?,?), ref: 0053ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0053ACE6
GetSysColor.USER32(00000010), ref: 0053ACEE
CreateSolidBrush.GDI32(00000000), ref: 0053ACF5
FrameRect.USER32(?,?,00000000), ref: 0053AD04
DeleteObject.GDI32(00000000), ref: 0053AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0053AD56
FillRect.USER32(?,?,?), ref: 0053AD88
GetWindowLongW.USER32(?,000000F0), ref: 0053ADB3

Part of subcall function 0053AF18: GetSysColor.USER32(00000012), ref: 0053AF51
Part of subcall function 0053AF18: SetTextColor.GDI32(?,?), ref: 0053AF55
Part of subcall function 0053AF18: GetSysColorBrush.USER32(0000000F), ref: 0053AF6B
Part of subcall function 0053AF18: GetSysColor.USER32(0000000F), ref: 0053AF76
Part of subcall function 0053AF18: GetSysColor.USER32(00000011), ref: 0053AF93
Part of subcall function 0053AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0053AFA1
Part of subcall function 0053AF18: SelectObject.GDI32(?,00000000), ref: 0053AFB2
Part of subcall function 0053AF18: SetBkColor.GDI32(?,00000000), ref: 0053AFBB
Part of subcall function 0053AF18: SelectObject.GDI32(?,?), ref: 0053AFC8
Part of subcall function 0053AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0053AFE7
Part of subcall function 0053AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0053AFFE
Part of subcall function 0053AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0053B013

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 782984d6a4ba0f034724c9d3615e24c6e68b0ac7a92c0880677480a0843e5e38
Instruction ID: 52a61950820a58ebc89e064fe6750f15cfd2437a1ae2ea013f42e13ab0e13b2b
Opcode Fuzzy Hash: 782984d6a4ba0f034724c9d3615e24c6e68b0ac7a92c0880677480a0843e5e38
Instruction Fuzzy Hash: 03A1B275008301AFD7519F64DC08EAB7BA9FF89325F202A1DFAA6961E0D731D848DF52

Function 004B2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 004B3072
DeleteObject.GDI32(00000000), ref: 004B30B8
DeleteObject.GDI32(00000000), ref: 004B30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 004B30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 004B30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 004EC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004EC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004ECBDE

Part of subcall function 004B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B2412,?,00000000,?,?,?,?,004B1AA7,00000000,?), ref: 004B1F76

SendMessageW.USER32(?,00001053), ref: 004ECC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004ECC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 004ECC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 004ECC53

Strings

0, xrefs: 004ECA72

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0b3abd1897c0342d3d52c09c621ecbecde1cbdf217487461be0cbfd714569b7c
Instruction ID: e282d2be33c2bc8b9ca74873ad41b155c445bfd48798a1a424ba4f865eb2469b
Opcode Fuzzy Hash: 0b3abd1897c0342d3d52c09c621ecbecde1cbdf217487461be0cbfd714569b7c
Instruction Fuzzy Hash: C112B030604241EFDB25DF26C884BA6B7E1FF05306F14456AF949CB262C739EC46DBA9

Function 004C27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 004D0FE6: std::exception::exception.LIBCMT ref: 004D101C
Part of subcall function 004D0FE6: __CxxThrowException@8.LIBCMT ref: 004D1031

__wcsnicmp.LIBCMT ref: 004C286A
__wcsnicmp.LIBCMT ref: 004C287E
__wcsnicmp.LIBCMT ref: 004C2896
__wcsnicmp.LIBCMT ref: 004C28AE
__wcsnicmp.LIBCMT ref: 004C28C6
__wcsnicmp.LIBCMT ref: 004C28DE
__wcsnicmp.LIBCMT ref: 004C28F6
__wcsnicmp.LIBCMT ref: 004C290A
__wcsnicmp.LIBCMT ref: 004C2948
__wcsnicmp.LIBCMT ref: 004C295C
__wcsnicmp.LIBCMT ref: 004C2970
__wcsnicmp.LIBCMT ref: 004C2984

Strings

', xrefs: 004FFB9F
Bad directive syntax error, xrefs: 004FFBD3, 004FFBF0
", xrefs: 004FFB89
#include-once, xrefs: 004C28C0
#requireadmin, xrefs: 004C2890
#OnAutoItStartRegister, xrefs: 004C28A8
#include, xrefs: 004C28D8
#notrayicon, xrefs: 004C2878
Cannot parse #include, xrefs: 004FFCE5
#ce, xrefs: 004C297E
Unterminated group of comments, xrefs: 004FFCFA
#pragma compile, xrefs: 004C2864
#cs, xrefs: 004C2904, 004C2956
#comments-start, xrefs: 004C28F0, 004C2942
#comments-end, xrefs: 004C296A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 574e9b18a029b32e80df867959cd056e988de96de09d318e8c07f00297f8dda0
Instruction ID: 98c1c676e75862ab3e20b7f1ec0e1abd0d15bc25165ac1cf8496df9d12d2f926
Opcode Fuzzy Hash: 574e9b18a029b32e80df867959cd056e988de96de09d318e8c07f00297f8dda0
Instruction Fuzzy Hash: 8DA1B074A00209BBCB10AF21D952FBF3B64BF45744F00016FF905AB292EBF99A45D769

Function 00527B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00527BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00527C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00527CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00527CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00527D1D
GetClientRect.USER32(00000000,?), ref: 00527D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00527D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00527D7C
GetStockObject.GDI32(00000011), ref: 00527D8C
SelectObject.GDI32(00000000,00000000), ref: 00527D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00527DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00527DA9
DeleteDC.GDI32(00000000), ref: 00527DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00527DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00527DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00527E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00527E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00527E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00527E85
GetStockObject.GDI32(00000011), ref: 00527E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00527E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00527EA5

Strings

msctls_progress32, xrefs: 00527E26
AutoIt v3, xrefs: 00527D15
static, xrefs: 00527D67, 00527E7F
DISPLAY, xrefs: 00527D72

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 739320b15a3d670d41fe5889c3168528852abde5d1856262805aab8e87498659
Instruction ID: 4e1c58bd670ac7a09914011bbf0a64c37ef2d145b0a4b66c6a654220763838a5
Opcode Fuzzy Hash: 739320b15a3d670d41fe5889c3168528852abde5d1856262805aab8e87498659
Instruction Fuzzy Hash: 0EA190B5A00219BFEB14DBA4EC4AFAE7B79EF19314F104118FA14A72E1C770AD44DB64

Function 0051B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0051B361
GetDriveTypeW.KERNEL32(?,00542C4C,?,\\.\,00540980), ref: 0051B43E
SetErrorMode.KERNEL32(00000000,00542C4C,?,\\.\,00540980), ref: 0051B59C

Strings

SATA, xrefs: 0051B54F
Fibre, xrefs: 0051B52C
Removable, xrefs: 0051B490
SAS, xrefs: 0051B548
FileBackedVirtual, xrefs: 0051B56B
RAID, xrefs: 0051B53A
CDROM, xrefs: 0051B472
1394, xrefs: 0051B51E
SSA, xrefs: 0051B525
USB, xrefs: 0051B533
ATA, xrefs: 0051B517
MMC, xrefs: 0051B55D
Fixed, xrefs: 0051B486
ATAPI, xrefs: 0051B510
\\.\, xrefs: 0051B3B3
Unknown, xrefs: 0051B45E, 0051B502
Network, xrefs: 0051B47C
SCSI, xrefs: 0051B509
Virtual, xrefs: 0051B564
iSCSI, xrefs: 0051B541
SSD, xrefs: 0051B4C9
RAMDisk, xrefs: 0051B468
PhysicalDrive, xrefs: 0051B3EA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a9667f81b00965ce9d75f11cb8e72708140f74b4bb758d0b96132aeecf28e712
Instruction ID: 6ccb85bd1050a4b88c70c1be18daaef3eec27d36dafe10301e5280e47471032a
Opcode Fuzzy Hash: a9667f81b00965ce9d75f11cb8e72708140f74b4bb758d0b96132aeecf28e712
Instruction Fuzzy Hash: 0151A934B40209DBFB00EB20C9819FC7FA2FB49344765851AF402E7291E775AEC1DB55

Function 0053A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0053A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0053A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0053A1CC

Strings

0, xrefs: 0053A209

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 29cc9237f20749a62773c770aafa4037ea178ecedf31aca1d65efd4908f0d63f
Instruction ID: 5c1636406ec615731750b14a4fab0b5da881ad6bdb9adf2daee8ef7e0426d440
Opcode Fuzzy Hash: 29cc9237f20749a62773c770aafa4037ea178ecedf31aca1d65efd4908f0d63f
Instruction Fuzzy Hash: 8402FE30108301AFEB25CF14C849BAABFE4FF99318F048A1DF9DA962A1C775D944DB52

Function 0053AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0053AF51
SetTextColor.GDI32(?,?), ref: 0053AF55
GetSysColorBrush.USER32(0000000F), ref: 0053AF6B
GetSysColor.USER32(0000000F), ref: 0053AF76
CreateSolidBrush.GDI32(?), ref: 0053AF7B
GetSysColor.USER32(00000011), ref: 0053AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0053AFA1
SelectObject.GDI32(?,00000000), ref: 0053AFB2
SetBkColor.GDI32(?,00000000), ref: 0053AFBB
SelectObject.GDI32(?,?), ref: 0053AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0053AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0053AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0053B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0053B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0053B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0053B0A4
DrawFocusRect.USER32(?,?), ref: 0053B0AF
GetSysColor.USER32(00000011), ref: 0053B0BD
SetTextColor.GDI32(?,00000000), ref: 0053B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0053B0D9
SelectObject.GDI32(?,0053AC1F), ref: 0053B0F0
DeleteObject.GDI32(?), ref: 0053B0FB
SelectObject.GDI32(?,?), ref: 0053B101
DeleteObject.GDI32(?), ref: 0053B106
SetTextColor.GDI32(?,?), ref: 0053B10C
SetBkColor.GDI32(?,?), ref: 0053B116

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d489a45546dfceb7efe4ea176ec82cca8105100e10e4a926b436aed1dad0f148
Instruction ID: 23a89949c160d2ff53e7512f9223e67e98cca07a7f2c02a1168aaa33d8c402a3
Opcode Fuzzy Hash: d489a45546dfceb7efe4ea176ec82cca8105100e10e4a926b436aed1dad0f148
Instruction Fuzzy Hash: B2619A75900208AFDB159FA4DC48AEE7FB9FF09324F205115FA15AB2E1D7719940EF90

Function 00538FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005390EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005390FB
CharNextW.USER32(0000014E), ref: 0053912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0053916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00539181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00539192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005391AF
SetWindowTextW.USER32(?,0000014E), ref: 005391FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00539211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00539242
_memset.LIBCMT ref: 00539267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005392B0
_memset.LIBCMT ref: 0053930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00539339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00539391
SendMessageW.USER32(?,0000133D,?,?), ref: 0053943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00539460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005394AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005394D7
DrawMenuBar.USER32(?), ref: 005394E6
SetWindowTextW.USER32(?,0000014E), ref: 0053950E

Strings

0, xrefs: 00539478

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 9310447fa977c2ecf55bb9f25b964562a8b1e216e6b8e7b2f06e2bcb58d5f450
Instruction ID: 1050df816f0a24571a8b6690dfec23d1f7075b406377dca3fd4a26cc9cd2dced
Opcode Fuzzy Hash: 9310447fa977c2ecf55bb9f25b964562a8b1e216e6b8e7b2f06e2bcb58d5f450
Instruction Fuzzy Hash: 49E1A4B5900209AFDF219F55CC88EEE7FB8FF05714F108156FA19AA290D7B08985DF61

Function 00534ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00535007
GetDesktopWindow.USER32 ref: 0053501C
GetWindowRect.USER32(00000000), ref: 00535023
GetWindowLongW.USER32(?,000000F0), ref: 00535085
DestroyWindow.USER32(?), ref: 005350B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005350DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005350F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0053511E
SendMessageW.USER32(?,00000421,?,?), ref: 00535133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00535146
IsWindowVisible.USER32(?), ref: 00535166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00535181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00535195
GetWindowRect.USER32(?,?), ref: 005351AD
MonitorFromPoint.USER32(?,?,00000002), ref: 005351D3
GetMonitorInfoW.USER32(00000000,?), ref: 005351ED
CopyRect.USER32(?,?), ref: 00535204
SendMessageW.USER32(?,00000412,00000000), ref: 0053526F

Strings

0, xrefs: 00534FB2
tooltips_class32, xrefs: 005350D3
(, xrefs: 005351E0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b6a5e9c3447832e85f114eee376ee8a465d9eda496c50fd0b66d050d22a1743f
Instruction ID: 12bc0742aff4b83238ca0c55e6ba82aabd6a9b3aed052239a3fdea5f18955519
Opcode Fuzzy Hash: b6a5e9c3447832e85f114eee376ee8a465d9eda496c50fd0b66d050d22a1743f
Instruction Fuzzy Hash: 22B1AB70604740AFDB04DF64C888BABBBE4FF88304F00991DF9999B291D771E804CB96

Function 0051498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0051499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005149C2
_wcscpy.LIBCMT ref: 005149F0
_wcscmp.LIBCMT ref: 005149FB
_wcscat.LIBCMT ref: 00514A11
_wcsstr.LIBCMT ref: 00514A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00514A38
_wcscat.LIBCMT ref: 00514A81
_wcscat.LIBCMT ref: 00514A88
_wcsncpy.LIBCMT ref: 00514AB3

Strings

%u.%u.%u.%u, xrefs: 00514B16
DefaultLangCodepage, xrefs: 00514A9B
\VarFileInfo\Translation, xrefs: 00514A30
StringFileInfo\, xrefs: 00514A0B
04090000, xrefs: 00514A6E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 53233804e5403bef792e92e53068ead926c41b25ea64a0b4fceddf709c3dc2ed
Instruction ID: 4bc4c410d31a672f5c47f31764c466c144330547522687b2212811adb15b4176
Opcode Fuzzy Hash: 53233804e5403bef792e92e53068ead926c41b25ea64a0b4fceddf709c3dc2ed
Instruction Fuzzy Hash: E7413A726042047AEB10BB218D57EFF7BACFF41714F10045FF905A7292EB789A41A6A9

Function 004B2BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004B2C8C
GetSystemMetrics.USER32(00000007), ref: 004B2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004B2CBF
GetSystemMetrics.USER32(00000008), ref: 004B2CC7
GetSystemMetrics.USER32(00000004), ref: 004B2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004B2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004B2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004B2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004B2D60
GetClientRect.USER32(00000000,000000FF), ref: 004B2D7E
GetStockObject.GDI32(00000011), ref: 004B2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 004B2DA5

Part of subcall function 004B2714: GetCursorPos.USER32(?), ref: 004B2727
Part of subcall function 004B2714: ScreenToClient.USER32(005777B0,?), ref: 004B2744
Part of subcall function 004B2714: GetAsyncKeyState.USER32(00000001), ref: 004B2769
Part of subcall function 004B2714: GetAsyncKeyState.USER32(00000002), ref: 004B2777

SetTimer.USER32(00000000,00000000,00000028,004B13C7), ref: 004B2DCC

Strings

AutoIt v3 GUI, xrefs: 004B2D44
hT, xrefs: 004B2BEC, 004EC433

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$hT
API String ID: 1458621304-844108874
Opcode ID: 22a5b2b2d0fdb5e005d6b2e13a428443f0ef32b9fdb0a51b72433db76f9f8b97
Instruction ID: 372add8b45b3e6fafda9099d161e61c4d9fefe702fccc116eba0728acd98ae3c
Opcode Fuzzy Hash: 22a5b2b2d0fdb5e005d6b2e13a428443f0ef32b9fdb0a51b72433db76f9f8b97
Instruction Fuzzy Hash: B8B1AE3060020A9FDB14DFA8DD85BEE7BB4FB18315F20412AFA15A72D0CB78E851DB65

Function 004D0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

GetForegroundWindow.USER32(00540980,?,?,?,?,?), ref: 004D04E3
IsWindow.USER32(?), ref: 005066BB

Strings

CLASS, xrefs: 005064E5
REGEXPTITLE, xrefs: 005064B4
LAST, xrefs: 00506472
REGEXPCLASS, xrefs: 00506506
INSTANCE, xrefs: 005065FA
TITLE, xrefs: 00506650
ALL, xrefs: 00506622
HANDLE, xrefs: 0050649E
ACTIVE, xrefs: 00506488

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 7c4d844a4102925e1af47feeb11036d8b84b19bbfb39a250be7e719019e5a29c
Instruction ID: 0a40bea3a6131cd2403b89e543203bce55163e22af2081821ae8c99a8da6b1ce
Opcode Fuzzy Hash: 7c4d844a4102925e1af47feeb11036d8b84b19bbfb39a250be7e719019e5a29c
Instruction Fuzzy Hash: AFD1A230104202EBCB04EF21C491AAEBFA5FF55348F104A1FF856576E2DB35E969CB96

Function 0053441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005344AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0053456C

Strings

ISSELECTED, xrefs: 00534577
SELECT, xrefs: 00534606
SELECTCLEAR, xrefs: 005345EB
GETSELECTEDCOUNT, xrefs: 0053454F
GETSELECTED, xrefs: 0053469A
GETSUBITEMCOUNT, xrefs: 005344F7
GETTEXT, xrefs: 00534515
DESELECT, xrefs: 0053465A
SELECTINVERT, xrefs: 0053463C
FINDITEM, xrefs: 005346DF
GETITEMCOUNT, xrefs: 005344DE
VIEWCHANGE, xrefs: 0053472B
SELECTALL, xrefs: 005345D3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 234a83e9cb7a0d481cbbdc76c064f21401819f5ab42c5bb76c174bdfb2da2732
Instruction ID: 16dcbe0a53b69b1d316939d5808078ea0244fd5ed4e69c25613d31f81bd7df75
Opcode Fuzzy Hash: 234a83e9cb7a0d481cbbdc76c064f21401819f5ab42c5bb76c174bdfb2da2732
Instruction Fuzzy Hash: 05A15B302142419FCB14EF25C852A6ABBE5FF95318F10496EB8969B3E2DB34FC06CB55

Function 005256C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005256E1
LoadCursorW.USER32(00000000,00007F8A), ref: 005256EC
LoadCursorW.USER32(00000000,00007F00), ref: 005256F7
LoadCursorW.USER32(00000000,00007F03), ref: 00525702
LoadCursorW.USER32(00000000,00007F8B), ref: 0052570D
LoadCursorW.USER32(00000000,00007F01), ref: 00525718
LoadCursorW.USER32(00000000,00007F81), ref: 00525723
LoadCursorW.USER32(00000000,00007F88), ref: 0052572E
LoadCursorW.USER32(00000000,00007F80), ref: 00525739
LoadCursorW.USER32(00000000,00007F86), ref: 00525744
LoadCursorW.USER32(00000000,00007F83), ref: 0052574F
LoadCursorW.USER32(00000000,00007F85), ref: 0052575A
LoadCursorW.USER32(00000000,00007F82), ref: 00525765
LoadCursorW.USER32(00000000,00007F84), ref: 00525770
LoadCursorW.USER32(00000000,00007F04), ref: 0052577B
LoadCursorW.USER32(00000000,00007F02), ref: 00525786
GetCursorInfo.USER32(?), ref: 00525796
GetLastError.KERNEL32(00000001,00000000), ref: 005257C1

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 525456fce26b3486b3114d7bc59e293715d78914e3e33984f56ff9731020e627
Instruction ID: 691f0eb8d0b4812a87c48d6e463e23c7702cc8abbb263bbce3b163e552585b34
Opcode Fuzzy Hash: 525456fce26b3486b3114d7bc59e293715d78914e3e33984f56ff9731020e627
Instruction Fuzzy Hash: AD418470E44319AADB109FBA9C49D6EFFF8EF51B50B10452FE509E72D1DAB8A400CE61

Function 0050B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0050B17B
__swprintf.LIBCMT ref: 0050B21C
_wcscmp.LIBCMT ref: 0050B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0050B284
_wcscmp.LIBCMT ref: 0050B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0050B2F7
GetDlgCtrlID.USER32(?), ref: 0050B349
GetWindowRect.USER32(?,?), ref: 0050B37F
GetParent.USER32(?), ref: 0050B39D
ScreenToClient.USER32(00000000), ref: 0050B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0050B41E
_wcscmp.LIBCMT ref: 0050B432
GetWindowTextW.USER32(?,?,00000400), ref: 0050B458
_wcscmp.LIBCMT ref: 0050B46C

Part of subcall function 004D385C: _iswctype.LIBCMT ref: 004D3864

Strings

%s%u, xrefs: 0050B216

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f19413a68d1dc6ae53acc058cf2d02f80f4f306cecfb9aeb343c38f17fce7455
Instruction ID: 6f26c84f62c10e407950255770be279cba2ae8fb1a1c83700ed219697a7cdb57
Opcode Fuzzy Hash: f19413a68d1dc6ae53acc058cf2d02f80f4f306cecfb9aeb343c38f17fce7455
Instruction Fuzzy Hash: 33A1C071204606ABEB14DF24C8C4BEEBBE9FF44354F10852AF999821D1DB34EA55CB91

Function 0050BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0050BAB1
_wcscmp.LIBCMT ref: 0050BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0050BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0050BB07
_wcscmp.LIBCMT ref: 0050BB25
_wcsstr.LIBCMT ref: 0050BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0050BB6E
_wcscmp.LIBCMT ref: 0050BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0050BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0050BBEE
_wcscmp.LIBCMT ref: 0050BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0050BC26
GetWindowRect.USER32(00000004,?), ref: 0050BC8F

Strings

@, xrefs: 0050BA92
ThumbnailClass, xrefs: 0050BB79, 0050BBF9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a21899ade7aaed1222d2a92f15fd8ef0892eece23df7ab885eb7188971bb1758
Instruction ID: 770b24eae95cf392bc90a2d68629bc4fea82bebd27160c468e4d4129854e89b4
Opcode Fuzzy Hash: a21899ade7aaed1222d2a92f15fd8ef0892eece23df7ab885eb7188971bb1758
Instruction Fuzzy Hash: D1818C710042069BEB10DF15C8C5FAA7BE8FF44318F14856AFD899A0E6DB34DE49CB61

Function 0050B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0050B915

Strings

CLASSNAME=, xrefs: 0050B952
[ACTIVE, xrefs: 0050B902
HANDLE=, xrefs: 0050B90E
LAST, xrefs: 0050B8DA
[REGEXPTITLE:, xrefs: 0050B93D
[LAST, xrefs: 0050B9C2
REGEXP=, xrefs: 0050B92A
ALL, xrefs: 0050B9A9
[HANDLE:, xrefs: 0050B921
[ALL, xrefs: 0050B9BB
[CLASS:, xrefs: 0050B965
ACTIVE, xrefs: 0050B8F0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e85e5bb9d7ae26b3ca269add11ff76c4c93671789f891a353b45fe0587b24e2d
Instruction ID: 18dc70daf94d696239df1b3ce7b35fb8278bbb8cad094bd596e0e7c3453f4dcd
Opcode Fuzzy Hash: e85e5bb9d7ae26b3ca269add11ff76c4c93671789f891a353b45fe0587b24e2d
Instruction Fuzzy Hash: DC31D474A44205A6EB14FFA1CD93FAD7BA4BF11354F20092FF541B20E2EF596E04CA5A

Function 0050CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0050CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0050CBBC
SetWindowTextW.USER32(?,?), ref: 0050CBD3
GetDlgItem.USER32(?,000003EA), ref: 0050CBE8
SetWindowTextW.USER32(00000000,?), ref: 0050CBEE
GetDlgItem.USER32(?,000003E9), ref: 0050CBFE
SetWindowTextW.USER32(00000000,?), ref: 0050CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0050CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0050CC3F
GetWindowRect.USER32(?,?), ref: 0050CC48
SetWindowTextW.USER32(?,?), ref: 0050CCB3
GetDesktopWindow.USER32 ref: 0050CCB9
GetWindowRect.USER32(00000000), ref: 0050CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0050CD0C
GetClientRect.USER32(?,?), ref: 0050CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0050CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0050CD69

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 9377454a9ed1764fd8aa3a746b02bd14ce829d7c71209dac137228442c3d1f9f
Instruction ID: ca7db06c3f8ee62b9db04c9e7972697f853c24cab2b45af015d73d43f8711a42
Opcode Fuzzy Hash: 9377454a9ed1764fd8aa3a746b02bd14ce829d7c71209dac137228442c3d1f9f
Instruction Fuzzy Hash: 26518F31900709AFDB20DFA8CE89BAEBFF5FF45709F100618E656A65E0C774A914DB50

Function 0053A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0053A87E
DestroyWindow.USER32(00000000,?), ref: 0053A8F8

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0053A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0053A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0053A9A7
DestroyWindow.USER32(00000000), ref: 0053A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004B0000,00000000), ref: 0053AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0053AA19
GetDesktopWindow.USER32 ref: 0053AA32
GetWindowRect.USER32(00000000), ref: 0053AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0053AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0053AA69

Part of subcall function 004B29AB: GetWindowLongW.USER32(?,000000EB), ref: 004B29BC

Strings

0, xrefs: 0053A894
tooltips_class32, xrefs: 0053A96B, 0053A9F9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: bbde36e7cbede4cdce9825bc4d6e0e7c7192bc14f0879a67b688629d8b225bc2
Instruction ID: 8414f32fa9d491c9590295220760196a701fd33bde94ec08297947802c52f264
Opcode Fuzzy Hash: bbde36e7cbede4cdce9825bc4d6e0e7c7192bc14f0879a67b688629d8b225bc2
Instruction Fuzzy Hash: 0F71FE76140204AFD722CF28DC08FAB7BE5FB89304F18051DF98A972A1D771E945EB62

Function 0053CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

DragQueryPoint.SHELL32(?,?), ref: 0053CCCF

Part of subcall function 0053B1A9: ClientToScreen.USER32(?,?), ref: 0053B1D2
Part of subcall function 0053B1A9: GetWindowRect.USER32(?,?), ref: 0053B248
Part of subcall function 0053B1A9: PtInRect.USER32(?,?,0053C6BC), ref: 0053B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0053CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0053CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0053CD66
_wcscat.LIBCMT ref: 0053CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0053CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0053CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0053CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0053CDFF
DragFinish.SHELL32(?), ref: 0053CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0053CEF9

Strings

@GUI_DRAGID, xrefs: 0053CE71
@GUI_DRAGFILE, xrefs: 0053CEA8
@GUI_DROPID, xrefs: 0053CE26

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: a6f45fa54ae6d286c0c1cb2cdf4ab8056073555ebbaad2572370b0eea76d55b5
Instruction ID: e906bcb01b0c7a226a8be9ef7ecb021e350a5921d8ab93051fbd53345d399bfb
Opcode Fuzzy Hash: a6f45fa54ae6d286c0c1cb2cdf4ab8056073555ebbaad2572370b0eea76d55b5
Instruction Fuzzy Hash: 78616A71108301AFC701EF61DC85D9BBFE8FB99354F100A1EF696931A2DB309A49DB62

Function 005182D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0051831A
VariantCopy.OLEAUT32(00000000,?), ref: 00518323
VariantClear.OLEAUT32(00000000), ref: 0051832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0051841D
__swprintf.LIBCMT ref: 0051844D
VarR8FromDec.OLEAUT32(?,?), ref: 00518479
VariantInit.OLEAUT32(?), ref: 0051852A
SysFreeString.OLEAUT32(?), ref: 005185BE
VariantClear.OLEAUT32(?), ref: 00518618
VariantClear.OLEAUT32(?), ref: 00518627
VariantInit.OLEAUT32(00000000), ref: 00518665

Strings

Default, xrefs: 005184DA
%4d%02d%02d%02d%02d%02d, xrefs: 00518447

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: afa3499ad0058d6cc67f2a73ece91b160b8c478451e43f3786bb4b62444acb06
Instruction ID: d8f9b9b6af6d13a4db126b393565dd7cce5e04f8997225d9777cb11c5e7a1a6e
Opcode Fuzzy Hash: afa3499ad0058d6cc67f2a73ece91b160b8c478451e43f3786bb4b62444acb06
Instruction Fuzzy Hash: BED1CF31604515EBEB309F65C894BFEBBB4BF05B00F28895AE415AB291DF74DC84DBA0

Function 005349CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00534A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00534AAC

Strings

GETTEXT, xrefs: 00534BFF
GETTOTALCOUNT, xrefs: 00534A93
SELECT, xrefs: 00534C5D
EXISTS, xrefs: 00534B15
EXPAND, xrefs: 00534B5E
COLLAPSE, xrefs: 00534AF2
CHECK, xrefs: 00534ACC
GETITEMCOUNT, xrefs: 00534B8E
ISCHECKED, xrefs: 00534C2F
GETSELECTED, xrefs: 00534BBC
UNCHECK, xrefs: 00534C88

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 7c8e05bb88006798cc181808ddb9646be40382b50dfe3241cf9f0cfc7f0b5d6d
Instruction ID: 113f3134b0146c12b7bac351ded21e5f9b68b0aec8b1c7c882c2c3752e04ae0d
Opcode Fuzzy Hash: 7c8e05bb88006798cc181808ddb9646be40382b50dfe3241cf9f0cfc7f0b5d6d
Instruction Fuzzy Hash: 75913C342047119BCB04EF11C451A69BBE6BF94358F10885EF8965B3A3CB39FD49CB96

Function 0051E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0051E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0051E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0051E33B
__wsplitpath.LIBCMT ref: 0051E399
_wcscat.LIBCMT ref: 0051E3B1
_wcscat.LIBCMT ref: 0051E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0051E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0051E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0051E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0051E43F
_wcscpy.LIBCMT ref: 0051E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0051E48A

Strings

*.*, xrefs: 0051E445

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3194e1b6872f76fd2d5c2b65b95aff023e9292af7cbf422677580e10319d016d
Instruction ID: a5dba0987dfe668bca832bd10d9b1b04cb3bad95f643c716c58c5603948bd577
Opcode Fuzzy Hash: 3194e1b6872f76fd2d5c2b65b95aff023e9292af7cbf422677580e10319d016d
Instruction Fuzzy Hash: 296189765042059FDB10EF60C845EDEB7E8FF89314F04891EF98983251DB39E985CBA6

Function 004B23F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B2412,?,00000000,?,?,?,?,004B1AA7,00000000,?), ref: 004B1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004B24AF
KillTimer.USER32(-00000001,?,?,?,?,004B1AA7,00000000,?,?,004B1EBE,?,?), ref: 004B254A
DestroyAcceleratorTable.USER32(00000000), ref: 004EBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004B1AA7,00000000,?,?,004B1EBE,?,?), ref: 004EC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004B1AA7,00000000,?,?,004B1EBE,?,?), ref: 004EC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004B1AA7,00000000,?,?,004B1EBE,?,?), ref: 004EC04B
DeleteObject.GDI32(00000000), ref: 004EC05D

Strings

hT, xrefs: 004B256F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: hT
API String ID: 641708696-71396654
Opcode ID: 4c4d220767d87dceb63c36b4915e8de04e34a99a4566d0d11a3a9b8c02ecf31e
Instruction ID: 0fa11c61f36981e1b8c73f8522ce7bcd75435e9730c9e5addbb98f120114e162
Opcode Fuzzy Hash: 4c4d220767d87dceb63c36b4915e8de04e34a99a4566d0d11a3a9b8c02ecf31e
Instruction Fuzzy Hash: F861E130114204DFCB359F15EE48BAA77F1FB54316F10851EE04646A70C3B8A896EFAA

Function 0051A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0051A2C2

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0051A2E3
__swprintf.LIBCMT ref: 0051A33C
__swprintf.LIBCMT ref: 0051A355
_wprintf.LIBCMT ref: 0051A3FC
_wprintf.LIBCMT ref: 0051A41A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0051A3F7
"%s" (%d) : ==> %s:, xrefs: 0051A415
Line %d (File "%s"):, xrefs: 0051A336, 0051A34F
Incorrect parameters to object property !, xrefs: 0051A39E
Error: , xrefs: 0051A3C4
^ ERROR , xrefs: 0051A391

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: dffdef01a510c7de5004d0b2542186c643378e4991d069baad004c1cd56de687
Instruction ID: 95c5050448e85bf9c86d92307f8c0c32ecd37de3a1044c54fee9ea1e04dd18bc
Opcode Fuzzy Hash: dffdef01a510c7de5004d0b2542186c643378e4991d069baad004c1cd56de687
Instruction Fuzzy Hash: CD51F075800109AADF15EBE1DD46EEEBB78BF18344F10016EF405B20A2EB792F89DB51

Function 00510065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,004FF8B8,00000001,0000138C,00000001,00000001,00000001,?,00523FF9,00000001), ref: 0051009A
LoadStringW.USER32(00000000,?,004FF8B8,00000001), ref: 005100A3

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

GetModuleHandleW.KERNEL32(00000000,00577310,?,00000FFF,?,?,004FF8B8,00000001,0000138C,00000001,00000001,00000001,?,00523FF9,00000001,00000001), ref: 005100C5
LoadStringW.USER32(00000000,?,004FF8B8,00000001), ref: 005100C8
__swprintf.LIBCMT ref: 00510118
__swprintf.LIBCMT ref: 00510129
_wprintf.LIBCMT ref: 005101D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005101E9

Strings

^ ERROR, xrefs: 0051017E
%s (%d) : ==> %s: %s %s, xrefs: 005101CD
Line %d (File "%s"):, xrefs: 00510112
Line %d:, xrefs: 00510123
Error: , xrefs: 005101A0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 22b112fe0620217fe4ec76cca266ff250aa6450f99737afccbca3e47db74add5
Instruction ID: 53b20a67337c84d5f20637a8c0d54b05d950933293785b432c53c2e007bc3a1c
Opcode Fuzzy Hash: 22b112fe0620217fe4ec76cca266ff250aa6450f99737afccbca3e47db74add5
Instruction Fuzzy Hash: 6F41C176840119AACF00FBE1CD86EEEB77CAF19344F10011EF501B20A2DA796F49CB65

Function 0051A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

CharLowerBuffW.USER32(?,?), ref: 0051AA0E
GetDriveTypeW.KERNEL32 ref: 0051AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0051AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0051AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0051AB08

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Strings

open , xrefs: 0051AA6A
close cd wait, xrefs: 0051AAF3
wait, xrefs: 0051AAC5
type cdaudio alias cd wait, xrefs: 0051AA86
set cd door , xrefs: 0051AAA9
open, xrefs: 0051AA35
closed, xrefs: 0051AA22, 0051AA2B
close, xrefs: 0051AA14

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e366daafec90f0a995d59c376a10effa7a7d7361d10080afded950fa5e84a5dd
Instruction ID: cb2a0a56b9900b498076e982369bbd0929c2f0d3b596edc99607bd8f6e546c30
Opcode Fuzzy Hash: e366daafec90f0a995d59c376a10effa7a7d7361d10080afded950fa5e84a5dd
Instruction Fuzzy Hash: 645169751042049FD700EF11C891DAAB7F8FF99358F10492EF896972A2DB35EE49CB52

Function 0051A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0051A852
__swprintf.LIBCMT ref: 0051A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0051A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0051A8D6
_memset.LIBCMT ref: 0051A8F5
_wcsncpy.LIBCMT ref: 0051A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0051A966
CloseHandle.KERNEL32(00000000), ref: 0051A971
RemoveDirectoryW.KERNEL32(?), ref: 0051A97A
CloseHandle.KERNEL32(00000000), ref: 0051A984

Strings

\, xrefs: 0051A88A
:, xrefs: 0051A895
\??\%s, xrefs: 0051A86E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 6296fab060f09c4c7826547106889255b4ab27d43b91ee7f793fa0765dae4682
Instruction ID: 30c6d7ffaa63c64d06459f2947de07bfa2876aff949849e5c846cfd047887554
Opcode Fuzzy Hash: 6296fab060f09c4c7826547106889255b4ab27d43b91ee7f793fa0765dae4682
Instruction Fuzzy Hash: AB31D475500109ABEB219FA1DC48FEF77BCFF89704F1041BAF608D21A4E77496848B25

Function 0053C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0053982C,?,?), ref: 0053C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C0F7
GlobalLock.KERNEL32(00000000), ref: 0053C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C10F
GlobalUnlock.KERNEL32(00000000), ref: 0053C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0053982C,?,?,00000000,?), ref: 0053C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00543C7C,?), ref: 0053C149
GlobalFree.KERNEL32(00000000), ref: 0053C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0053C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0053C1A8
DeleteObject.GDI32(00000000), ref: 0053C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0053C1E6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: a8b551f73134c0ac8d70a0473301704137cd568180ae7acedcdb5c479c75cbcd
Instruction ID: 6c5ead211e404df41e3cfcc48ad2c7c8d5f55a0b890fb22def0376445508918c
Opcode Fuzzy Hash: a8b551f73134c0ac8d70a0473301704137cd568180ae7acedcdb5c479c75cbcd
Instruction Fuzzy Hash: 6E412A79500204AFDB219F64DC4CEAE7FB8FF9A715F204058FA05A72A0D7709945EB60

Function 0053C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0053C8A4
GetFocus.USER32 ref: 0053C8B4
GetDlgCtrlID.USER32(00000000), ref: 0053C8BF
_memset.LIBCMT ref: 0053C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0053CA15
GetMenuItemCount.USER32(?), ref: 0053CA35
GetMenuItemID.USER32(?,00000000), ref: 0053CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0053CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0053CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0053CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0053CB31

Strings

0, xrefs: 0053C9E2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: be18876701f8b0711b5618ca0a0f5821f32b6dae1a1d44df9c33100c7410677a
Instruction ID: 60e4a8649caad0a191835dc966edba54e2e689dc33d2f9d476c66136772b72a1
Opcode Fuzzy Hash: be18876701f8b0711b5618ca0a0f5821f32b6dae1a1d44df9c33100c7410677a
Instruction Fuzzy Hash: A4817971208305AFD710CF14D895AABBFE8FB89354F10492EF999A7291C730E905DBA2

Function 00508ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00508E3C
Part of subcall function 00508E20: GetLastError.KERNEL32(?,00508900,?,?,?), ref: 00508E46
Part of subcall function 00508E20: GetProcessHeap.KERNEL32(00000008,?,?,00508900,?,?,?), ref: 00508E55
Part of subcall function 00508E20: HeapAlloc.KERNEL32(00000000,?,00508900,?,?,?), ref: 00508E5C
Part of subcall function 00508E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00508E73

Part of subcall function 00508EBD: GetProcessHeap.KERNEL32(00000008,00508916,00000000,00000000,?,00508916,?), ref: 00508EC9
Part of subcall function 00508EBD: HeapAlloc.KERNEL32(00000000,?,00508916,?), ref: 00508ED0
Part of subcall function 00508EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00508916,?), ref: 00508EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00508B2E
_memset.LIBCMT ref: 00508B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00508B62
GetLengthSid.ADVAPI32(?), ref: 00508B73
GetAce.ADVAPI32(?,00000000,?), ref: 00508BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00508BCC
GetLengthSid.ADVAPI32(?), ref: 00508BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00508BF8
HeapAlloc.KERNEL32(00000000), ref: 00508BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00508C20
CopySid.ADVAPI32(00000000), ref: 00508C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00508C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00508C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00508C92

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: caf6b865dd656f75c5fe5c9b9250f31e5a24d56934d395de00c9bc7d28d5c175
Instruction ID: f4c9c758d6b9fb5d57fa0ed9579cd9e916d732e34696c8e6a025f8440fff7a0d
Opcode Fuzzy Hash: caf6b865dd656f75c5fe5c9b9250f31e5a24d56934d395de00c9bc7d28d5c175
Instruction Fuzzy Hash: 3461597590020AAFDF10DF90DC48EFEBB79BF15304F148169EA55AB290DB309A04DB60

Function 00527A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00527A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00527A85
CreateCompatibleDC.GDI32(?), ref: 00527A91
SelectObject.GDI32(00000000,?), ref: 00527A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00527AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00527B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00527B52
SelectObject.GDI32(00000006,?), ref: 00527B5A
DeleteObject.GDI32(?), ref: 00527B63
DeleteDC.GDI32(00000006), ref: 00527B6A
ReleaseDC.USER32(00000000,?), ref: 00527B75

Strings

(, xrefs: 00527AFA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 646aefda6ae086bf3492d771cb41a8caa29e464889e8da1b77222c4048957578
Instruction ID: 66c8fcaa4eaac2388b0858c29a61de9af49ca5b1ef6a4c35513f747caa4eb899
Opcode Fuzzy Hash: 646aefda6ae086bf3492d771cb41a8caa29e464889e8da1b77222c4048957578
Instruction Fuzzy Hash: 37515C75904219EFCB14CFA8DC89EAEBBB9FF49310F14841DFA4AA7250D731A944CB50

Function 0051A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0051A4D4

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0051A4F6
__swprintf.LIBCMT ref: 0051A54F
__swprintf.LIBCMT ref: 0051A568
_wprintf.LIBCMT ref: 0051A61E
_wprintf.LIBCMT ref: 0051A63C

Strings

^ ERROR, xrefs: 0051A5C0
"%s" (%d) : ==> %s:, xrefs: 0051A637
"%s" (%d) : ==> %s:%s%s, xrefs: 0051A619
Line %d (File "%s"):, xrefs: 0051A549, 0051A562
Error: , xrefs: 0051A5E6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: bfb32bdd8803a3d0a1bc4dbb7bc14a80a639eeeede24c03fa9dab65fe50122da
Instruction ID: 4ffe27f9a9d260f89efefccec97e82a8c443697caa005340b6b9c56202901309
Opcode Fuzzy Hash: bfb32bdd8803a3d0a1bc4dbb7bc14a80a639eeeede24c03fa9dab65fe50122da
Instruction Fuzzy Hash: 48511E75800109ABDF11EBE0CD46EEEBB78BF19344F10016AF405B20A2EB356F88DB65

Function 00519710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0051951A: __time64.LIBCMT ref: 00519524

Part of subcall function 004C4A8C: _fseek.LIBCMT ref: 004C4AA4

__wsplitpath.LIBCMT ref: 005197EF

Part of subcall function 004D431E: __wsplitpath_helper.LIBCMT ref: 004D435E

_wcscpy.LIBCMT ref: 00519802
_wcscat.LIBCMT ref: 00519815
__wsplitpath.LIBCMT ref: 0051983A
_wcscat.LIBCMT ref: 00519850
_wcscat.LIBCMT ref: 00519863

Part of subcall function 00519560: _memmove.LIBCMT ref: 00519599
Part of subcall function 00519560: _memmove.LIBCMT ref: 005195A8

_wcscmp.LIBCMT ref: 005197AA

Part of subcall function 00519CF1: _wcscmp.LIBCMT ref: 00519DE1
Part of subcall function 00519CF1: _wcscmp.LIBCMT ref: 00519DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00519A0D
_wcsncpy.LIBCMT ref: 00519A80
DeleteFileW.KERNEL32(?,?), ref: 00519AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00519ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00519ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00519AEF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 9729e96e048ed69246c87d9a9102c7b973ebf781032a21f713668f6297a7fd70
Instruction ID: a11158eb05d4c84fe44c06f122be37fc069d7baafcf0e1422890a88e71e93d42
Opcode Fuzzy Hash: 9729e96e048ed69246c87d9a9102c7b973ebf781032a21f713668f6297a7fd70
Instruction Fuzzy Hash: 1FC14BB1900219AADF11DF95CC95EDEBBBDAF84304F0040ABF609E6251EB749A848F65

Function 004C5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C5BF1
GetMenuItemCount.USER32(00577890), ref: 00500E7B
GetMenuItemCount.USER32(00577890), ref: 00500F2B
GetCursorPos.USER32(?), ref: 00500F6F
SetForegroundWindow.USER32(00000000), ref: 00500F78
TrackPopupMenuEx.USER32(00577890,00000000,?,00000000,00000000,00000000), ref: 00500F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00500F97

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 13a532db939a1c4ad200ae73468a32a29df6dbe6c01c37be750fd05404bad966
Instruction ID: d75cc279465b7e019af9f51fb2c08b0472297c70d8394c1ffe608fce5c3de440
Opcode Fuzzy Hash: 13a532db939a1c4ad200ae73468a32a29df6dbe6c01c37be750fd05404bad966
Instruction Fuzzy Hash: 3571F474604605BFEB209B54DC89FEEBF68FF05364F20421AF624AA1D1C7B168A0DB95

Function 0051AEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00540980), ref: 0051AF4E
GetDriveTypeW.KERNEL32(00000061,0056B5F0,00000061), ref: 0051B018
_wcscpy.LIBCMT ref: 0051B042

Strings

ramdisk, xrefs: 0051AFC2
network, xrefs: 0051AFAC
unknown, xrefs: 0051AFD9
L,T, xrefs: 0051B03A
fixed, xrefs: 0051AF96
removable, xrefs: 0051AF80
all, xrefs: 0051AF54
cdrom, xrefs: 0051AF6A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,T$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1359098487
Opcode ID: 90dfe659e0cf02fe879a0331eab49357a6a04e32e8e5c63090581fe80cd07dfa
Instruction ID: 0b1e2b0c4f9b2b01ffb08eea5077bc7ed1a66f985d99096c45c123334227e5bb
Opcode Fuzzy Hash: 90dfe659e0cf02fe879a0331eab49357a6a04e32e8e5c63090581fe80cd07dfa
Instruction Fuzzy Hash: F551D3741083059FE310EF15C891AEABBE5FF95308F50481EF496872A2EB31DD8ACA53

Function 005083FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

_memset.LIBCMT ref: 00508489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005084BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005084DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005084F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00508520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00508548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00508553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00508558

Strings

\CLSID, xrefs: 00508440
\IPC$, xrefs: 005084A0
SOFTWARE\Classes\, xrefs: 0050842A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 80a6bc39d7a06924db76618477509a354c03aee755cb9e289670afeb24148e0a
Instruction ID: 2c8ce01e30afdbe53bc96b9a405cc393bf7384f86497dad94d3f3e425b3f0e63
Opcode Fuzzy Hash: 80a6bc39d7a06924db76618477509a354c03aee755cb9e289670afeb24148e0a
Instruction Fuzzy Hash: 98411976C1022DABCF11EBA5DC95EEDBB78FF15344F00452EE945A32A1EA349D04CB90

Function 0053147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053040D,?,?), ref: 00531491

Strings

HKEY_CURRENT_CONFIG, xrefs: 0053154E
HKEY_LOCAL_MACHINE, xrefs: 005314FA
HKEY_CLASSES_ROOT, xrefs: 00531524
HKCC, xrefs: 0053155F
HKCR, xrefs: 00531539
HKU, xrefs: 005315A3
HKLM, xrefs: 0053150F
HKEY_CURRENT_USER, xrefs: 00531570
HKCU, xrefs: 00531581
HKEY_USERS, xrefs: 00531592

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a651369832c36ad86e22ab1d2747e95d7a54932a2df3e6e443a8bd751c4be288
Instruction ID: e2023d39f77a90abd82af1370004c1e0914eddc3fded3d3d34069b57d606d040
Opcode Fuzzy Hash: a651369832c36ad86e22ab1d2747e95d7a54932a2df3e6e443a8bd751c4be288
Instruction Fuzzy Hash: 1E416C3050025A8BCF10EF61D850AEA3FA5BF62318F60441BFC92572A2DB34ED19CB69

Function 00515882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Part of subcall function 004C153B: _memmove.LIBCMT ref: 004C15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005158EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00515901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00515912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00515924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00515935

Strings

open , xrefs: 0051589A
alias PlayMe, xrefs: 005158C4
status PlayMe mode, xrefs: 005158E6
close PlayMe, xrefs: 005158FC, 00515929
play PlayMe, xrefs: 00515930
play PlayMe wait, xrefs: 0051591F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 0a7148d2a4a0c862aebb1ab6d31a71c3555d280ac7a0f64c05693ab529db95a8
Instruction ID: a041770cbae2a03389394804b68e4a92201aa8d43530125b6cc840ea1f78b56e
Opcode Fuzzy Hash: 0a7148d2a4a0c862aebb1ab6d31a71c3555d280ac7a0f64c05693ab529db95a8
Instruction Fuzzy Hash: D8115175B50119F9E760A662DC5AEFF6F7CFBD2B54F80082E7401A31E1EA701984C5A1

Function 00514C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00514C27
gethostname.WSOCK32(?,00000100), ref: 00514C41
gethostbyname.WSOCK32(?), ref: 00514C4E
_wcscpy.LIBCMT ref: 00514C76
_memmove.LIBCMT ref: 00514C89
inet_ntoa.WSOCK32(?), ref: 00514C94
_strcat.LIBCMT ref: 00514CA2
_wcscpy.LIBCMT ref: 00514CB9
WSACleanup.WSOCK32 ref: 00514CC7
_wcscpy.LIBCMT ref: 00514CD5

Strings

0.0.0.0, xrefs: 00514C70

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 72b9c9db635e25d0ff11c1a7f37f9281e364a4273076493ac147f79900a6887c
Instruction ID: 7f02a38bd07ce8f7f8879e02e9938fc3363b0d1d49e66576782d66f6a5067401
Opcode Fuzzy Hash: 72b9c9db635e25d0ff11c1a7f37f9281e364a4273076493ac147f79900a6887c
Instruction Fuzzy Hash: 8F116631904108ABEB11BB609D4AEEA7BBCEF91718F1011ABF504962D1EF749DC1DEA0

Function 00515530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00515535

Part of subcall function 004D083E: timeGetTime.WINMM(?,00000002,004BC22C), ref: 004D0842

Sleep.KERNEL32(0000000A), ref: 00515561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00515585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005155A7
SetActiveWindow.USER32 ref: 005155C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005155D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 005155F3
Sleep.KERNEL32(000000FA), ref: 005155FE
IsWindow.USER32 ref: 0051560A
EndDialog.USER32(00000000), ref: 0051561B

Strings

BUTTON, xrefs: 00515599

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 04d412ce04b0dc89d5c86c28bb0363dc294b3593e59415b47425cbb4f067633f
Instruction ID: a96b5ec1b168db469d492850b9db8cd915f233c913adea0d81e3ea18640e116d
Opcode Fuzzy Hash: 04d412ce04b0dc89d5c86c28bb0363dc294b3593e59415b47425cbb4f067633f
Instruction Fuzzy Hash: 3F219D78144604FFF7405B60FC88AB53F6AFBA5348F502028B50A821A1FF715CD8BA61

Function 0051DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

CoInitialize.OLE32(00000000), ref: 0051DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0051DCC0
SHGetDesktopFolder.SHELL32(?), ref: 0051DCD4
CoCreateInstance.OLE32(00543D4C,00000000,00000001,0056B86C,?), ref: 0051DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0051DD8F
CoTaskMemFree.OLE32(?,?), ref: 0051DDE7
_memset.LIBCMT ref: 0051DE24
SHBrowseForFolderW.SHELL32(?), ref: 0051DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0051DE83
CoTaskMemFree.OLE32(00000000), ref: 0051DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0051DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 0051DEC3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 02dcb6a8881be91115cb2924cf2f714e166ae2185d3c3d6b6ebe507c300afeb4
Instruction ID: f906ed07bb18ebb8ae782962c0998074d2b1b87f6db2e891801307f1fd934c9c
Opcode Fuzzy Hash: 02dcb6a8881be91115cb2924cf2f714e166ae2185d3c3d6b6ebe507c300afeb4
Instruction Fuzzy Hash: 98B1FB75A00119AFDB14DFA5C888DEEBBB9FF89304B108459E905EB261DB34ED45CBA0

Function 0051081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00510896
SetKeyboardState.USER32(?), ref: 00510901
GetAsyncKeyState.USER32(000000A0), ref: 00510921
GetKeyState.USER32(000000A0), ref: 00510938
GetAsyncKeyState.USER32(000000A1), ref: 00510967
GetKeyState.USER32(000000A1), ref: 00510978
GetAsyncKeyState.USER32(00000011), ref: 005109A4
GetKeyState.USER32(00000011), ref: 005109B2
GetAsyncKeyState.USER32(00000012), ref: 005109DB
GetKeyState.USER32(00000012), ref: 005109E9
GetAsyncKeyState.USER32(0000005B), ref: 00510A12
GetKeyState.USER32(0000005B), ref: 00510A20

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 18f267504dbcd5d91ef7dc6521139b9f1d343dd2952c46a75704d95827529cef
Instruction ID: 4065837b6754f43b51e6d8ff750ee567b03bd3f583a557674578a16e76205e8e
Opcode Fuzzy Hash: 18f267504dbcd5d91ef7dc6521139b9f1d343dd2952c46a75704d95827529cef
Instruction Fuzzy Hash: D451CA34A0878929FB35EBB044147EABFB4AF01784F08559ED5C2571C3DAE49ACCCBA5

Function 0050CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0050CE1C
GetWindowRect.USER32(00000000,?), ref: 0050CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0050CE8C
GetDlgItem.USER32(?,00000002), ref: 0050CE97
GetWindowRect.USER32(00000000,?), ref: 0050CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0050CEFD
GetDlgItem.USER32(?,000003E9), ref: 0050CF0B
GetWindowRect.USER32(00000000,?), ref: 0050CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0050CF5F
GetDlgItem.USER32(?,000003EA), ref: 0050CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0050CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0050CF97

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2a607daaf8d444f99cc8f89dc5fe2dd56aa0dcd6e1860cd5d2bdcabe73cdcd74
Instruction ID: 5170750da7b266246e5f0f5ea510308468dc11948317042147dfb4e750a07175
Opcode Fuzzy Hash: 2a607daaf8d444f99cc8f89dc5fe2dd56aa0dcd6e1860cd5d2bdcabe73cdcd74
Instruction Fuzzy Hash: CA514175B00205AFDF18CF68CD85AAEBBBAFB99714F148229F616D62D0D770AD048B50

Function 004B2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004B29AB: GetWindowLongW.USER32(?,000000EB), ref: 004B29BC

GetSysColor.USER32(0000000F), ref: 004B25AF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6240702833fb85813dd9fba58ac1200ef821abab58f6d57106ab538563830f5a
Instruction ID: 61aadd6810c5cf96364bc9ef81335eae7ff939d359a8b4aee2787ef8380ec9d8
Opcode Fuzzy Hash: 6240702833fb85813dd9fba58ac1200ef821abab58f6d57106ab538563830f5a
Instruction Fuzzy Hash: A741C531400144AFDB255F289D88BFA3765FB1A335F244266FE658A2E1C7748C42EB39

Function 004C29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 004D0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004C2A3E,?,00008000), ref: 004D0BA7

Part of subcall function 004D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C2A58,?,00008000), ref: 004D02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004C2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 004C2C2C

Part of subcall function 004C3EBE: _wcscpy.LIBCMT ref: 004C3EF6

Part of subcall function 004D386D: _iswctype.LIBCMT ref: 004D3875

Strings

Bad directive syntax error, xrefs: 0050008F
AU3!, xrefs: 004C2A93
EA06, xrefs: 004FFD48
#include depth exceeded. Make sure there are no recursive includes, xrefs: 004FFD17
Unterminated string, xrefs: 005000D6
Error opening the file, xrefs: 004FFD33, 004FFDAA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 91a75a1f18ed8a57a6f8bf353503b55e3a3ba62460c95e7e7c3523ac636626fc
Instruction ID: 80e62707913b936519b90c9087953c77a62c69e3d9732e63f64371f5eff92db3
Opcode Fuzzy Hash: 91a75a1f18ed8a57a6f8bf353503b55e3a3ba62460c95e7e7c3523ac636626fc
Instruction Fuzzy Hash: 7B02B0341083419FC764EF25C951EAFBBE5BF89318F00491EF58A932A2DB78D949CB46

Function 004B4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004B4D62
__swprintf.LIBCMT ref: 004B4DAC
__i64tow.LIBCMT ref: 004EDB3B

Strings

0x%p, xrefs: 004EDB1D
False, xrefs: 004EDB03
%.15g, xrefs: 004B4DA6
True, xrefs: 004EDAFC

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c3af9010431c78394cb63bda1813a76a2bff3af97c119d566daa3b044740985f
Instruction ID: f6d7a5bf0a1708c2b84bdff396e4e9a71a8bad7445f03a879938f74e9f80ec08
Opcode Fuzzy Hash: c3af9010431c78394cb63bda1813a76a2bff3af97c119d566daa3b044740985f
Instruction Fuzzy Hash: FA41E671A04209AFEB34DF35D841EBA73E8EB45305F20446FE149D7392EA799942C729

Function 00537777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0053778F
CreateMenu.USER32 ref: 005377AA
SetMenu.USER32(?,00000000), ref: 005377B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00537846
IsMenu.USER32(?), ref: 0053785C
CreatePopupMenu.USER32 ref: 00537866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00537893
DrawMenuBar.USER32 ref: 0053789B

Strings

F, xrefs: 00537887
0, xrefs: 00537785

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 436693c9a25ce7b6bab0a62946c3ad35c0272a8d5cc4d874b7bb6084a07da0a8
Instruction ID: 933f6f1a5828452efd50c89aa83f64b5acc5c33f32f2a217bd7aebf236181a29
Opcode Fuzzy Hash: 436693c9a25ce7b6bab0a62946c3ad35c0272a8d5cc4d874b7bb6084a07da0a8
Instruction Fuzzy Hash: EA414AB9A00209EFDB20DF64D888ADABBF5FF59314F144429FA45A7360D730A914EF50

Function 00537AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00537B83
CreateCompatibleDC.GDI32(00000000), ref: 00537B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00537B9D
SelectObject.GDI32(00000000,00000000), ref: 00537BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00537BB0
DeleteDC.GDI32(00000000), ref: 00537BB9
GetWindowLongW.USER32(?,000000EC), ref: 00537BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00537BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00537BE3

Strings

static, xrefs: 00537B1B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: fe49962ee2913e78cd772e0597fa0ae61f2f28f5af05669862377da6f2b330a3
Instruction ID: 2e0d6cbef8263d3b39defb09997f9345ef1aad031eff234248a7f49cd1858308
Opcode Fuzzy Hash: fe49962ee2913e78cd772e0597fa0ae61f2f28f5af05669862377da6f2b330a3
Instruction Fuzzy Hash: B8319676104219ABDF219FA4DC48FDB7F69FF1E324F211214FA59A21E0D7319824EBA0

Function 004D7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D706B

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

__gmtime64_s.LIBCMT ref: 004D7104
__gmtime64_s.LIBCMT ref: 004D713A
__gmtime64_s.LIBCMT ref: 004D7157
__allrem.LIBCMT ref: 004D71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D71C9
__allrem.LIBCMT ref: 004D71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D71FE
__allrem.LIBCMT ref: 004D7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D7233
__invoke_watson.LIBCMT ref: 004D72A4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 4db20f51c7b17ff179786b7703b6438af8cdf02af32b315c4ae941496d4c9d84
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: C8712572A04756ABD7159E7ACC96B6BB3A8AF01325F14422FF514E73C1F778D9008788

Function 00512CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00512CE9
GetMenuItemInfoW.USER32(00577890,000000FF,00000000,00000030), ref: 00512D4A
SetMenuItemInfoW.USER32(00577890,00000004,00000000,00000030), ref: 00512D80
Sleep.KERNEL32(000001F4), ref: 00512D92
GetMenuItemCount.USER32(?), ref: 00512DD6
GetMenuItemID.USER32(?,00000000), ref: 00512DF2
GetMenuItemID.USER32(?,-00000001), ref: 00512E1C
GetMenuItemID.USER32(?,?), ref: 00512E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00512EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00512EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00512EDC

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1236e775eb9e029397f723fad346c1f9b0ce3df5bae1841b127964dff0a25d00
Instruction ID: 5bc3647efd670a3b6430e2523a39b4647723d0361a84ed951a44a93a8fae4b65
Opcode Fuzzy Hash: 1236e775eb9e029397f723fad346c1f9b0ce3df5bae1841b127964dff0a25d00
Instruction Fuzzy Hash: FE61BF74900249AFEB10DF64DC88AFE7FB8FB41308F144559F851A7291D731ADA6EB21

Function 00537548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005375CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005375CD
GetWindowLongW.USER32(?,000000F0), ref: 005375F1
_memset.LIBCMT ref: 00537602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00537614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0053768C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1feb4a8a811d9dd10d547541c469e8ee0c15e4e94068cf551641f19f5ef71beb
Instruction ID: 5cc505467f5f57419809fc566277cec7d73314f637a4a1aabf9c40df671875f1
Opcode Fuzzy Hash: 1feb4a8a811d9dd10d547541c469e8ee0c15e4e94068cf551641f19f5ef71beb
Instruction Fuzzy Hash: 376158B5900208AFDB20DFA4DC85EEE7BB8FB49710F140199FA14A72A1C770AD45EB60

Function 005077B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005077DD
SafeArrayAllocData.OLEAUT32(?), ref: 00507836
VariantInit.OLEAUT32(?), ref: 00507848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00507868
VariantCopy.OLEAUT32(?,?), ref: 005078BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 005078CF
VariantClear.OLEAUT32(?), ref: 005078E4
SafeArrayDestroyData.OLEAUT32(?), ref: 005078F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005078FA
VariantClear.OLEAUT32(?), ref: 0050790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00507917

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a22dd6bd5fb4b6fcd77779d53d3a4cfbc73844bc8c22eea1db17eb3f64e831cc
Instruction ID: 4c27f2678ecc33c8b2c6bb271a5e7a9bf5b7b90b83d6a7dbd7a70b64b0fe9ada
Opcode Fuzzy Hash: a22dd6bd5fb4b6fcd77779d53d3a4cfbc73844bc8c22eea1db17eb3f64e831cc
Instruction Fuzzy Hash: 21414E35E0011D9FCF04DFA4C8489EDBBB9FF58354F108469EA55A72A1C770AA49DFA0

Function 00510508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00510530
GetAsyncKeyState.USER32(000000A0), ref: 005105B1
GetKeyState.USER32(000000A0), ref: 005105CC
GetAsyncKeyState.USER32(000000A1), ref: 005105E6
GetKeyState.USER32(000000A1), ref: 005105FB
GetAsyncKeyState.USER32(00000011), ref: 00510613
GetKeyState.USER32(00000011), ref: 00510625
GetAsyncKeyState.USER32(00000012), ref: 0051063D
GetKeyState.USER32(00000012), ref: 0051064F
GetAsyncKeyState.USER32(0000005B), ref: 00510667
GetKeyState.USER32(0000005B), ref: 00510679

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e7bd946c2276a6c49c1ba37cae8a487f52c4574b0a91a1fd157cf2bac5847711
Instruction ID: ce06426fdfb868ecf88b41f57a005e533a2b72b60c38976ec69dde8a695d452f
Opcode Fuzzy Hash: e7bd946c2276a6c49c1ba37cae8a487f52c4574b0a91a1fd157cf2bac5847711
Instruction Fuzzy Hash: AA41D9745047CA6DFF31976488047F5BEA1BB62304F08605AD6C64B5C1EBE499D8CFA2

Function 00528AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

CoInitialize.OLE32 ref: 00528AED
CoUninitialize.OLE32 ref: 00528AF8
CoCreateInstance.OLE32(?,00000000,00000017,00543BBC,?), ref: 00528B58
IIDFromString.OLE32(?,?), ref: 00528BCB
VariantInit.OLEAUT32(?), ref: 00528C65
VariantClear.OLEAUT32(?), ref: 00528CC6

Strings

Invalid parameter, xrefs: 00528BE4
Failed to create object, xrefs: 00528B63, 00528C19
NULL Pointer assignment, xrefs: 00528B9D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2ee1bfbb14e23fa5d4079c8286faf2e7fc8145824ca2125a71aa5378b9d3d045
Instruction ID: 95997b079e67485d2e62662f316852c080c0fe9c21ba40c188ae2d1a8daf2d89
Opcode Fuzzy Hash: 2ee1bfbb14e23fa5d4079c8286faf2e7fc8145824ca2125a71aa5378b9d3d045
Instruction Fuzzy Hash: 2461AF702057219FD710DF54D849B6ABBE8BF8A714F10084DF981AB2D1CB74ED48CBA6

Function 0051BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0051BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0051BB89
GetLastError.KERNEL32 ref: 0051BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 0051BC00

Strings

READY, xrefs: 0051BBD9
NOTREADY, xrefs: 0051BBBF
INVALID, xrefs: 0051BBD2
READONLY, xrefs: 0051BBCB
UNKNOWN, xrefs: 0051BBB8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 69591a1cae6a035ff8a81cfe5eb1315c7c75fc2a3d9fcd8815d390de44139c7c
Instruction ID: 81830b9bb155251d2957d41c373afc001a4ffc5d7446266f223713ee7208f9eb
Opcode Fuzzy Hash: 69591a1cae6a035ff8a81cfe5eb1315c7c75fc2a3d9fcd8815d390de44139c7c
Instruction Fuzzy Hash: 6F31C139A04209AFFB10EF65C845EEDBBB8FF45308F10842AE905D72D6DB759981CB50

Function 005134DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0051357C

Strings

,zW0zW, xrefs: 0051350F
info, xrefs: 0051351D
warning, xrefs: 00513565
blank, xrefs: 005134FE
,zW0zW, xrefs: 0051358D
question, xrefs: 00513535
stop, xrefs: 0051354D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: IconLoad
String ID: ,zW0zW$,zW0zW$blank$info$question$stop$warning
API String ID: 2457776203-4133049043
Opcode ID: b4629c208fe37807a60852dbb862dad12e60862cda5843f1c258570250c1699b
Instruction ID: e4c0173b6d27c073aa26beba89f2fa30e93168dac5c1094eb20ed87925cd223e
Opcode Fuzzy Hash: b4629c208fe37807a60852dbb862dad12e60862cda5843f1c258570250c1699b
Instruction Fuzzy Hash: DE11F675609306BAB7009A15DCA2CEE7F99FF06B64B20002BFA0096281E7796F8056A5

Function 00509B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00509BCC
GetDlgCtrlID.USER32 ref: 00509BD7
GetParent.USER32 ref: 00509BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00509BF6
GetDlgCtrlID.USER32(?), ref: 00509BFF
GetParent.USER32(?), ref: 00509C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00509C1E

Strings

ComboBox, xrefs: 00509B54
ListBox, xrefs: 00509B89

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 992c5f292bf7bee60f02867adc278ee4ca46f0702eb561e66fb2c9d10c208e6e
Instruction ID: 3f9eb9a7ba5acacc01aeb09d98fbcd1c449416608f45eb9d8e23b2ca1dd6fd1b
Opcode Fuzzy Hash: 992c5f292bf7bee60f02867adc278ee4ca46f0702eb561e66fb2c9d10c208e6e
Instruction Fuzzy Hash: 0721C475901104ABDF04EB61CC85EFEBBB5FFA6310F10011AF962932E6DB7598199A20

Function 00509C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00509CB5
GetDlgCtrlID.USER32 ref: 00509CC0
GetParent.USER32 ref: 00509CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00509CDF
GetDlgCtrlID.USER32(?), ref: 00509CE8
GetParent.USER32(?), ref: 00509D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00509D07

Strings

ComboBox, xrefs: 00509C3F
ListBox, xrefs: 00509C74

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 58b182d5474ef30870416ff1bfed62bacfca1612b5ed79588bdfdb412a1185ef
Instruction ID: 78942d66ac54717e2b53f6897595d6f9f52d2f91669f732bd71d44d44a529a66
Opcode Fuzzy Hash: 58b182d5474ef30870416ff1bfed62bacfca1612b5ed79588bdfdb412a1185ef
Instruction Fuzzy Hash: D821B37AD41104BBDF00EB61CC85EFEBBB9FF95300F100116F952971E6DB7999199A20

Function 00509D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00509D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00509D3C
_wcscmp.LIBCMT ref: 00509D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00509DC9

Strings

largeicons, xrefs: 00509D5D
details, xrefs: 00509D77
smallicons, xrefs: 00509D91
list, xrefs: 00509DAB
SHELLDLL_DefView, xrefs: 00509D48

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b323680e900ec3f2ffaf1433fcdabc10552ddeddd625c8cfabcb25a6da7e703c
Instruction ID: 5076b4caa6df4daa99304343a119cd6b59ac474b2111a0f1f3a801429f869b51
Opcode Fuzzy Hash: b323680e900ec3f2ffaf1433fcdabc10552ddeddd625c8cfabcb25a6da7e703c
Instruction Fuzzy Hash: 52115CBB289303B9FA006620EC17DAE7B9CFB11325B200017FA01B10D6FE6569105996

Function 00528F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00528FC1
CoInitialize.OLE32(00000000), ref: 00528FEE
CoUninitialize.OLE32 ref: 00528FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 005290F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00529225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00543BDC), ref: 00529259
CoGetObject.OLE32(?,00000000,00543BDC,?), ref: 0052927C
SetErrorMode.KERNEL32(00000000), ref: 0052928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0052930F
VariantClear.OLEAUT32(?), ref: 0052931F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1337000bff5a1535d40a6a7142e83f5881d27b6654fcfa1be55997ef3331ab83
Instruction ID: 0db9077591c3b601e09ee27505df0d51c5493b6017078683086b8454939eca8b
Opcode Fuzzy Hash: 1337000bff5a1535d40a6a7142e83f5881d27b6654fcfa1be55997ef3331ab83
Instruction Fuzzy Hash: 3EC13571608315AFC700DF65D88496ABBE9FF8A308F10491DF98A9B391DB71ED05CB62

Function 005119CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005119EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00510A67,?,00000001), ref: 00511A03
GetWindowThreadProcessId.USER32(00000000), ref: 00511A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00510A67,?,00000001), ref: 00511A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00511A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00510A67,?,00000001), ref: 00511A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00510A67,?,00000001), ref: 00511A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00510A67,?,00000001), ref: 00511A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00510A67,?,00000001), ref: 00511AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00510A67,?,00000001), ref: 00511ABB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c55b1bf31fd38c7f42279912ce19d8a4953d71094506c36717393031383c57fa
Instruction ID: 728d7dea332b9b00b1875f0bfaf287a3251e049ab54f2296c20bf236e14cdff0
Opcode Fuzzy Hash: c55b1bf31fd38c7f42279912ce19d8a4953d71094506c36717393031383c57fa
Instruction Fuzzy Hash: B031EC35241604AFEB109B10ED88BF93FAAFF65309F214145FA0583190CBB09CC8ABA8

Function 004EC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004B260D
SetTextColor.GDI32(?,000000FF), ref: 004B2617
SetBkMode.GDI32(?,00000001), ref: 004B262C
GetStockObject.GDI32(00000005), ref: 004B2634
GetClientRect.USER32(?), ref: 004EC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 004EC113
GetWindowDC.USER32(?), ref: 004EC11F
GetPixel.GDI32(00000000,?,?), ref: 004EC12E
ReleaseDC.USER32(?,00000000), ref: 004EC140
GetSysColor.USER32(00000005), ref: 004EC15E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: d0587f236e944368dd3f5df15ace211f661e139747e4264a7b13d64a5342d187
Instruction ID: 877f1a852c6ceb5c3d9e1aedd2bc5e12bd5ad7e820d88dda7feb2afa9741c68a
Opcode Fuzzy Hash: d0587f236e944368dd3f5df15ace211f661e139747e4264a7b13d64a5342d187
Instruction Fuzzy Hash: DC11AC35500244BFDB211FA4EC48BEA7BB1FB29326F201226FB2A941E1CB710955FF21

Function 0050AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0050B13A), ref: 0050B078

Strings

CLASS, xrefs: 0050ADF7
CLASSNN, xrefs: 0050AE1A
REGEXPCLASS, xrefs: 0050AE3D
INSTANCE, xrefs: 0050AF86
NAME, xrefs: 0050AEAA
TEXT, xrefs: 0050AFAF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8eb2d33b9b4d641343fb5dbe7fe4e30111f23fd900a01220b6130daa629498be
Instruction ID: b9a1153a2e312cfb6bd080083455f3dd66a548f3dd6d6462c304533b3c952253
Opcode Fuzzy Hash: 8eb2d33b9b4d641343fb5dbe7fe4e30111f23fd900a01220b6130daa629498be
Instruction Fuzzy Hash: 9291E370A00606EADB48EF61C491BEEFFB5BF14304F10811EE85AA7292DF306959CB95

Function 004B31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004B327E

Part of subcall function 004B218F: GetClientRect.USER32(?,?), ref: 004B21B8
Part of subcall function 004B218F: GetWindowRect.USER32(?,?), ref: 004B21F9
Part of subcall function 004B218F: ScreenToClient.USER32(?,?), ref: 004B2221

GetDC.USER32 ref: 004ED073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004ED086
SelectObject.GDI32(00000000,00000000), ref: 004ED094
SelectObject.GDI32(00000000,00000000), ref: 004ED0A9
ReleaseDC.USER32(?,00000000), ref: 004ED0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004ED13C

Strings

U, xrefs: 004ED011

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 72d74a98f13330e7b09406b5f833ef257b841f0463a7e9a1a182d8596ab5fe76
Instruction ID: 689192c52ecee75ae4aed27648f9d0c0ca22e6d6da0f59e16869f8c8a1470dc0
Opcode Fuzzy Hash: 72d74a98f13330e7b09406b5f833ef257b841f0463a7e9a1a182d8596ab5fe76
Instruction Fuzzy Hash: 80712430800249DFCF248F65C884AFA7BB5FF49316F18426BED555A2A2C7398842EB65

Function 0053C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

Part of subcall function 004B2714: GetCursorPos.USER32(?), ref: 004B2727
Part of subcall function 004B2714: ScreenToClient.USER32(005777B0,?), ref: 004B2744
Part of subcall function 004B2714: GetAsyncKeyState.USER32(00000001), ref: 004B2769
Part of subcall function 004B2714: GetAsyncKeyState.USER32(00000002), ref: 004B2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0053C69C
ImageList_EndDrag.COMCTL32 ref: 0053C6A2
ReleaseCapture.USER32 ref: 0053C6A8
SetWindowTextW.USER32(?,00000000), ref: 0053C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0053C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0053C847

Strings

@GUI_DRAGFILE, xrefs: 0053C7DC
@GUI_DROPID, xrefs: 0053C799

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 89963c57045dda6d2ae54a41adaf1005bb2650bf7b715fccf60b325f8b2bce66
Instruction ID: 4cdd7e392e406b942a029766287e3fc4c8f12b57cb3917c67fa4b743b613bba8
Opcode Fuzzy Hash: 89963c57045dda6d2ae54a41adaf1005bb2650bf7b715fccf60b325f8b2bce66
Instruction Fuzzy Hash: 1751D074104304AFDB00EF14DC59FAA7BE1FB98318F10491EF599972E2CB30A959DB62

Function 005220E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0052211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00522148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0052218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0052219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005221AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005221DC
InternetCloseHandle.WININET(00000000), ref: 00522223

Part of subcall function 00522B4F: GetLastError.KERNEL32(?,?,00521EE3,00000000,00000000,00000001), ref: 00522B64
Part of subcall function 00522B4F: SetEvent.KERNEL32(?,?,00521EE3,00000000,00000000,00000001), ref: 00522B79

Strings

, xrefs: 005221CD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 38f22b063e1dff8b3fc22cd4599633e7ba03241bb8c8b0282e898afdc9db8491
Instruction ID: 9a2df5109b2e63d908ced4775072f69a27710f49a073b73c6cb58832ca5b868b
Opcode Fuzzy Hash: 38f22b063e1dff8b3fc22cd4599633e7ba03241bb8c8b0282e898afdc9db8491
Instruction Fuzzy Hash: 80419DB9500228BEEB129F50DC89FFB7BACFF0A354F104116FA059A181D7719E44DBA1

Function 00529330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00540980), ref: 00529412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00540980), ref: 00529446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005295C0
SysFreeString.OLEAUT32(?), ref: 005295EA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 35b0cb649c5f26d99ec62df30d9eefbe52fe7956540f506aae6b81d338622e60
Instruction ID: c39dbf6b7ca3f267daaf9ffefe7c59e3e20e8517487228b0cf702712bdf4c6c0
Opcode Fuzzy Hash: 35b0cb649c5f26d99ec62df30d9eefbe52fe7956540f506aae6b81d338622e60
Instruction Fuzzy Hash: CDF11B75A00219AFCF14DF94D884EEEBBB5FF86314F148458F906AB291D731AE45CB90

Function 0052FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0052FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0052FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0052FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0052FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0052FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00530133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00530165
CloseHandle.KERNEL32(?), ref: 00530194
CloseHandle.KERNEL32(?), ref: 0053020B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8f15e63115a98bda8dfab377d44d4e6b041a9d3d42c179d625c6e0f738592a63
Instruction ID: 88a7b37e115c48c40262f5486d9fa1acb142371d40f75099db758724cf7f45d3
Opcode Fuzzy Hash: 8f15e63115a98bda8dfab377d44d4e6b041a9d3d42c179d625c6e0f738592a63
Instruction Fuzzy Hash: B0E1CE312043019FC715EF25D895B6ABBE5BF85318F14882EF9898B2E2CB35DC45CB62

Function 0051527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00514BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00513B8A,?), ref: 00514BE0

Part of subcall function 00514BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00513B8A,?), ref: 00514BF9

Part of subcall function 00514FEC: GetFileAttributesW.KERNEL32(?,00513BFE), ref: 00514FED

lstrcmpiW.KERNEL32(?,?), ref: 005152FB
_wcscmp.LIBCMT ref: 00515315
MoveFileW.KERNEL32(?,?), ref: 00515330

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 6571736800d85a1206218e5249b82172a54ada5be9e6889c8362464e7fead1b1
Instruction ID: f00fba925145ef61695540d2d6d5970641168bbe3690fe7657cfd9f013a376dd
Opcode Fuzzy Hash: 6571736800d85a1206218e5249b82172a54ada5be9e6889c8362464e7fead1b1
Instruction Fuzzy Hash: D45180B20083859BD664DBA0C881DDBB7ECAF85304F50491FF289D3152EF74A689876A

Function 00538C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00538D24

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3adeb2fde37871b5e1adadbda56371be040d4a54cf198d728f33d5d0d4b07f58
Instruction ID: e0a5c5da66ea90b2beca3c0e54e2d4fc7fe840f5490e88f506dcfb788aba82dc
Opcode Fuzzy Hash: 3adeb2fde37871b5e1adadbda56371be040d4a54cf198d728f33d5d0d4b07f58
Instruction Fuzzy Hash: F051C230600308BFEF289F24CC89BB97FA4BB15314F240916F615EA1E1CF71AD94EA60

Function 004B2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 004EC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004EC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004EC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 004EC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004EC6B1
DestroyIcon.USER32(00000000), ref: 004EC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004EC6DD
DestroyIcon.USER32(?), ref: 004EC6EC

Part of subcall function 0053AAD4: DeleteObject.GDI32(00000000), ref: 0053AB0D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 59eb9030e094515e469432645deb3bbf050f030bbd33bd180c086771a71705c5
Instruction ID: 45e505fbd9e0e200154165e6d9e12dc927f836ed85e799cfaa803a156b74c4d5
Opcode Fuzzy Hash: 59eb9030e094515e469432645deb3bbf050f030bbd33bd180c086771a71705c5
Instruction Fuzzy Hash: B1519B70600209AFDB20DF25DD85BBB7BB5FB58311F20051AF90697290D7B4AC91EB65

Function 0050A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0050B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B54D
Part of subcall function 0050B52D: GetCurrentThreadId.KERNEL32 ref: 0050B554
Part of subcall function 0050B52D: AttachThreadInput.USER32(00000000,?,0050A23B,?,00000001), ref: 0050B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0050A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0050A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0050A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0050A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0050A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0050A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0050A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0050A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0050A2B3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bb77e1171cc99aca475f3e13e3b78f5a8e2ece988df97a9db3739135324fbd7b
Instruction ID: 29b0a8b664b0c424c368c58a0c5b5cf62d9b801208b4b74eb71cf5b4b3dc7dee
Opcode Fuzzy Hash: bb77e1171cc99aca475f3e13e3b78f5a8e2ece988df97a9db3739135324fbd7b
Instruction Fuzzy Hash: 6A11E575550218BEFA106F609C89FAA3F2DEB9D754F212415F3406B0D0CAF35C50EAA0

Function 005094D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0050915A,00000B00,?,?), ref: 005094E2
HeapAlloc.KERNEL32(00000000,?,0050915A,00000B00,?,?), ref: 005094E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0050915A,00000B00,?,?), ref: 005094FE
GetCurrentProcess.KERNEL32(?,00000000,?,0050915A,00000B00,?,?), ref: 00509506
DuplicateHandle.KERNEL32(00000000,?,0050915A,00000B00,?,?), ref: 00509509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0050915A,00000B00,?,?), ref: 00509519
GetCurrentProcess.KERNEL32(0050915A,00000000,?,0050915A,00000B00,?,?), ref: 00509521
DuplicateHandle.KERNEL32(00000000,?,0050915A,00000B00,?,?), ref: 00509524
CreateThread.KERNEL32(00000000,00000000,0050954A,00000000,00000000,00000000), ref: 0050953E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 71f4b0f204251347f4f7dbd650438f03e94b131cd94f53eb2b757385fa87614b
Instruction ID: 915fe707a7fbcb8461f797ead1e6836b55998d20c632b4d72ffdf7129135571b
Opcode Fuzzy Hash: 71f4b0f204251347f4f7dbd650438f03e94b131cd94f53eb2b757385fa87614b
Instruction Fuzzy Hash: 0E01A8B9240304BFE610ABA5DC4DFAB7BACEB99715F105411FA05DB1E1CA709804DA20

Function 0052A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0052A265
NULL Pointer assignment, xrefs: 0052A28E, 0052A5B2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0ee8c77a3521069555d36413df29b55ec62083c9e390eb85bdd8743ff18dde60
Instruction ID: 5cc1b98722f2bb8d2e9714f8d39c41688b91d1a719bfaef4de61a6e771683311
Opcode Fuzzy Hash: 0ee8c77a3521069555d36413df29b55ec62083c9e390eb85bdd8743ff18dde60
Instruction Fuzzy Hash: 7AC1A371A0022A9FDF10DF98E884AAEBBF5FF59314F148469E905A72C1E770DD44CB91

Function 005297FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00529851
VariantInit.OLEAUT32(?), ref: 00529922
VariantInit.OLEAUT32(?), ref: 00529A23
VariantClear.OLEAUT32(?), ref: 00529A2D
VariantClear.OLEAUT32(?), ref: 00529A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00529A06
Null Object assignment in FOR..IN loop, xrefs: 005298B2, 005299E0, 00529A98

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: a8bf4984838b0ba518de7e0febe9b406bf40d395e9d72857f815999ff70ef282
Instruction ID: fd3fd4f386aa3a0b44604d1257d78fa51de7af6fb69b10c08f53f20a6127f6d5
Opcode Fuzzy Hash: a8bf4984838b0ba518de7e0febe9b406bf40d395e9d72857f815999ff70ef282
Instruction Fuzzy Hash: 37919F70A00229ABDF24CFA5D884FEEBBB8FF46714F10855EF515AB291D7709944CBA0

Function 005373A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00537449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0053745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00537477
_wcscat.LIBCMT ref: 005374D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 005374E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00537517

Strings

SysListView32, xrefs: 0053741B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 6b24c68af8c9d8bb35314c17964c933dd87bcfc4ee079cd54d1546aac7a5a048
Instruction ID: f8459c833bd9f54fac054f863937fadd267634f377bdfe2a49a3f6e6e88c2b13
Opcode Fuzzy Hash: 6b24c68af8c9d8bb35314c17964c933dd87bcfc4ee079cd54d1546aac7a5a048
Instruction Fuzzy Hash: 2B41A271904348AFEF219F64CC85BEE7BA8FF48354F10442AFA85A7291D6719D849B60

Function 0052F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00514148: CreateToolhelp32Snapshot.KERNEL32 ref: 0051416D
Part of subcall function 00514148: Process32FirstW.KERNEL32(00000000,?), ref: 0051417B
Part of subcall function 00514148: CloseHandle.KERNEL32(00000000), ref: 00514245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0052F08D
GetLastError.KERNEL32 ref: 0052F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0052F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0052F14C
GetLastError.KERNEL32(00000000), ref: 0052F157
CloseHandle.KERNEL32(00000000), ref: 0052F18C

Strings

SeDebugPrivilege, xrefs: 0052F0AB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 78d144301dacccdc1b2d907d32aa2174aca17de3ba54c1a326053fb209b3ce93
Instruction ID: 4530000cc8b6fa81480d5afc16c718cfb480a9d6267ceaa672e1c8c3ae2c3bcb
Opcode Fuzzy Hash: 78d144301dacccdc1b2d907d32aa2174aca17de3ba54c1a326053fb209b3ce93
Instruction Fuzzy Hash: 6B41B1312002119FD725EF24ECA9FADBBA5BF85718F14842DF9425B2D3CB74A814CB95

Function 005147E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00514802
LoadStringW.USER32(00000000), ref: 00514809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0051481F
LoadStringW.USER32(00000000), ref: 00514826
_wprintf.LIBCMT ref: 0051484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0051486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00514847

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: f4883e62005cff2a8edcfbe07b64f72180bddb4ff9c6b2315eeb9f49c63946ae
Instruction ID: f17f4d3594ea00b4e82d5c3401e946dff4c670cb03546b88b392d62977b3b746
Opcode Fuzzy Hash: f4883e62005cff2a8edcfbe07b64f72180bddb4ff9c6b2315eeb9f49c63946ae
Instruction Fuzzy Hash: AF01A2F68002087FE711EBA09D89EF7777CE708305F101596BB0AE2081EA349E888F75

Function 0053DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

GetSystemMetrics.USER32(0000000F), ref: 0053DB42
GetSystemMetrics.USER32(0000000F), ref: 0053DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0053DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0053DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0053DDDC
ShowWindow.USER32(00000003,00000000), ref: 0053DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0053DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0053DE43

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 91c68ef7d1c294efd9f5ee051d33f9f59d0fb961ce59767a7b5e60940a7d7fc7
Instruction ID: 5f677cac7d5b7526ab6f7a91d88052a2e356dced40a96ac5646064b27c7578e0
Opcode Fuzzy Hash: 91c68ef7d1c294efd9f5ee051d33f9f59d0fb961ce59767a7b5e60940a7d7fc7
Instruction Fuzzy Hash: 15B19835A00219EFCF14CF69D985BAE7FB1FF48701F088069ED489E295D730A994DBA0

Function 00530371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0053147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053040D,?,?), ref: 00531491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053044E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 998f6140bb98a013e8091349c45272b0e51727edfd20e80d1aecca2222b49836
Instruction ID: 5e668f30d35685383313afcf7efdc8cd7ad359d37915d91e470d993538b48a92
Opcode Fuzzy Hash: 998f6140bb98a013e8091349c45272b0e51727edfd20e80d1aecca2222b49836
Instruction Fuzzy Hash: E4A166302043019FCB10EF25C895F6EBBE5BF84318F14891DF9969B2A2DB39E955CB46

Function 004B2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,004EC508,00000004,00000000,00000000,00000000), ref: 004B2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,004EC508,00000004,00000000,00000000,00000000,000000FF), ref: 004B2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,004EC508,00000004,00000000,00000000,00000000), ref: 004EC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,004EC508,00000004,00000000,00000000,00000000), ref: 004EC5C7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 17907d67676e7bf46bf8bf88fa6449226f5b74886a5649caabbcf4f5fcdcb2fa
Instruction ID: 92ba76f0026f170fe89991b8d24b8b15b1a76b390c2eaff8c4ac6a4aa0444744
Opcode Fuzzy Hash: 17907d67676e7bf46bf8bf88fa6449226f5b74886a5649caabbcf4f5fcdcb2fa
Instruction Fuzzy Hash: AB41EA306046C0AAD735472B9ACC7EB7B91BB95305F24440FE447467A0C6BCE986E73A

Function 00517681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00517698

Part of subcall function 004D0FE6: std::exception::exception.LIBCMT ref: 004D101C
Part of subcall function 004D0FE6: __CxxThrowException@8.LIBCMT ref: 004D1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005176CF
EnterCriticalSection.KERNEL32(?), ref: 005176EB
_memmove.LIBCMT ref: 00517739
_memmove.LIBCMT ref: 00517756
LeaveCriticalSection.KERNEL32(?), ref: 00517765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0051777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00517799

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d2a1141c305a1f484e52abb94533e7081c08cb21017161d213a0908e03c3765c
Instruction ID: 208d8e30e515ccaf97f312c808ac5618f06860fccbbffedd62acb5e281eeb29d
Opcode Fuzzy Hash: d2a1141c305a1f484e52abb94533e7081c08cb21017161d213a0908e03c3765c
Instruction Fuzzy Hash: 0D319235904108EBDB10EF95DC85EAEBB78FF45304F2440AAFD04AB296D7709E54DBA4

Function 005367F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00536810
GetDC.USER32(00000000), ref: 00536818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00536823
ReleaseDC.USER32(00000000,00000000), ref: 0053682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0053686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0053687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0053964F,?,?,000000FF,00000000,?,000000FF,?), ref: 005368B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005368D6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6b1f228d22a72e1c38c1d591577f624c6fe436fb57883aac8b9ddb14a7a1d85c
Instruction ID: 17152d837097148f788782f651f95d90209888c07eafa31ba96bf63d0ae33e4f
Opcode Fuzzy Hash: 6b1f228d22a72e1c38c1d591577f624c6fe436fb57883aac8b9ddb14a7a1d85c
Instruction Fuzzy Hash: A9317A76101210BFEB108F508C8AFEA3FA9FB5A765F044065FE089A291C6759851CBB0

Function 0050C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0050C75D
_memcmp.LIBCMT ref: 0050C77F
_memcmp.LIBCMT ref: 0050C797
_memcmp.LIBCMT ref: 0050C7AA
_memcmp.LIBCMT ref: 0050C7C4
_memcmp.LIBCMT ref: 0050C7D7
_memcmp.LIBCMT ref: 0050C7EF
_memcmp.LIBCMT ref: 0050C80A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 13ebda3978e587a1e5f84ae05e7a91ba9143724fbbbe3f7e5401fb3427b740c4
Instruction ID: b7633ace9342f77d5bf17a370f12a4ef5d740094e02b2dfe00f6333dd860df72
Opcode Fuzzy Hash: 13ebda3978e587a1e5f84ae05e7a91ba9143724fbbbe3f7e5401fb3427b740c4
Instruction Fuzzy Hash: 0E21D7726012057BD31477118E96FAF3F6CFF16788B04422AFD06A63D3E714DE1186A9

Function 0051F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

Part of subcall function 004C436A: _wcscpy.LIBCMT ref: 004C438D

_wcstok.LIBCMT ref: 0051F2D7
_wcscpy.LIBCMT ref: 0051F366
_memset.LIBCMT ref: 0051F399

Strings

X, xrefs: 0051F3D6

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: feffc89af8dba5871137c46ebb5c4f5618dc798964a8564c14e6d16b8fab70b1
Instruction ID: f6a719abf3e0885b02d97ecfa670718057c3692fe130522c632cb323ab2a51cb
Opcode Fuzzy Hash: feffc89af8dba5871137c46ebb5c4f5618dc798964a8564c14e6d16b8fab70b1
Instruction Fuzzy Hash: 05C1DF746043409FD754EF24C895E9ABBE4FF85318F00492EF89A972A2DB34EC45CB96

Function 005271EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005272EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0052730C
WSAGetLastError.WSOCK32(00000000), ref: 0052731F
htons.WSOCK32(?,?,?,00000000,?), ref: 005273D5
inet_ntoa.WSOCK32(?), ref: 00527392

Part of subcall function 0050B4EA: _strlen.LIBCMT ref: 0050B4F4
Part of subcall function 0050B4EA: _memmove.LIBCMT ref: 0050B516

_strlen.LIBCMT ref: 0052742F
_memmove.LIBCMT ref: 00527498

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: af4e560c07dec91dc25409c79deaa9c0476ec5b4cd88ee0c4a950fcb561b9536
Instruction ID: 79734c0a11fb00fb97a89dee92e43ccfdfda947efce5fb4c2897d3356e24895e
Opcode Fuzzy Hash: af4e560c07dec91dc25409c79deaa9c0476ec5b4cd88ee0c4a950fcb561b9536
Instruction Fuzzy Hash: 7381F471508214ABC710EB25EC95F6BBBA8FF89318F10491DF9419B2D2DB34DD01CBA2

Function 004B1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c33c3a173affd8a84abdeaa2062b4c443527f21bd72b19c523007e9a0280b87
Instruction ID: 893280b4d6dfa3daddb8a8d489ebdb9ce18e604d6079abc4647a6bec71a22f97
Opcode Fuzzy Hash: 8c33c3a173affd8a84abdeaa2062b4c443527f21bd72b19c523007e9a0280b87
Instruction Fuzzy Hash: 1F719E34900109EFCB04DF59CC88AEF7B75FF86314F64815AF915AB261C7389A51CBA4

Function 0053B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01885760), ref: 0053BA5D
IsWindowEnabled.USER32(01885760), ref: 0053BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0053BB4D
SendMessageW.USER32(01885760,000000B0,?,?), ref: 0053BB84
IsDlgButtonChecked.USER32(?,?), ref: 0053BBC1
GetWindowLongW.USER32(01885760,000000EC), ref: 0053BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0053BBFB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ef5e7c5d3629760a14c1dc70627787d1f56d71c3164923c1fe01054aa728c3ae
Instruction ID: fe7fec1d68c77cd430d0b811c1345f726c0f6e7d41ae2b8268e9e54dc6d5423e
Opcode Fuzzy Hash: ef5e7c5d3629760a14c1dc70627787d1f56d71c3164923c1fe01054aa728c3ae
Instruction Fuzzy Hash: EC71C234604609AFEF249F54D8A4FFABFB5FF59300F144059EA4A972A1CB31AD50EB60

Function 0052FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0052FB31
_memset.LIBCMT ref: 0052FBFA
ShellExecuteExW.SHELL32(?), ref: 0052FC3F

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

Part of subcall function 004C436A: _wcscpy.LIBCMT ref: 004C438D

GetProcessId.KERNEL32(00000000), ref: 0052FCB6
CloseHandle.KERNEL32(00000000), ref: 0052FCE5

Strings

@, xrefs: 0052FC0E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f1c23e189533db678ff9f988616f1ebb0443831905661a037f70e5cbdbe43232
Instruction ID: 7478732c1099cf20af30c9ab8edeaf5f064324dfdb27a0e269de6e6c1f49357a
Opcode Fuzzy Hash: f1c23e189533db678ff9f988616f1ebb0443831905661a037f70e5cbdbe43232
Instruction Fuzzy Hash: 9E61B075A00629DFCB14EF55E4909ADBBF4FF49314F10846EE846AB392CB34AD41CB94

Function 0051174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0051178B
GetKeyboardState.USER32(?), ref: 005117A0
SetKeyboardState.USER32(?), ref: 00511801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0051182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0051184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00511894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005118B7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b75c78954c234967a31c69a4fcaf2708ceb088592c4dee3626b273c7c882af52
Instruction ID: 95e15741a5dd19b17dea6b45b043e96e2b7e69cb4b4b554855f965486da6153d
Opcode Fuzzy Hash: b75c78954c234967a31c69a4fcaf2708ceb088592c4dee3626b273c7c882af52
Instruction Fuzzy Hash: 9C51E4A0A08BD53DFB368234CC59BFA7EE97B06704F0C89C9E2D5558C2D298ACC4D758

Function 00511565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005115A4
GetKeyboardState.USER32(?), ref: 005115B9
SetKeyboardState.USER32(?), ref: 0051161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00511646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00511663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005116A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005116C8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 057a468c31e5bbe648b29a33fa9df90d25a27f1e08bf17cfe26e47503d2048e5
Instruction ID: d6f8ae329974c1980b164ba30646641b8ff6a9b097c0b12bbfb72c1f8af19b7b
Opcode Fuzzy Hash: 057a468c31e5bbe648b29a33fa9df90d25a27f1e08bf17cfe26e47503d2048e5
Instruction Fuzzy Hash: 3C5106A0504BD63DFB3287248C45BFABEA97F46300F0C44C9E2D5469C2D695ECD8EB68

Function 00515BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00515BC5
_wcsncpy.LIBCMT ref: 00515BFA
_wcsncpy.LIBCMT ref: 00515C2C
_wcsncpy.LIBCMT ref: 00515C5F
_wcsncpy.LIBCMT ref: 00515CA1
_wcsncpy.LIBCMT ref: 00515CDB
_wcsncpy.LIBCMT ref: 00515D0A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: f26da7d513aea9034aed5a763032542ea78e530cf1b878e63cca52cb864e25d0
Instruction ID: a0b97965edc672f650dd71cc9eea38192ba7b69a79c512c3c75cef918de980c2
Opcode Fuzzy Hash: f26da7d513aea9034aed5a763032542ea78e530cf1b878e63cca52cb864e25d0
Instruction Fuzzy Hash: 9641C0A5C10618B6DB11EBB5CC469CFB7B8AF44310F50885BE508E3221F738A755C3EA

Function 00513B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00514BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00513B8A,?), ref: 00514BE0

Part of subcall function 00514BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00513B8A,?), ref: 00514BF9

lstrcmpiW.KERNEL32(?,?), ref: 00513BAA
_wcscmp.LIBCMT ref: 00513BC6
MoveFileW.KERNEL32(?,?), ref: 00513BDE
_wcscat.LIBCMT ref: 00513C26
SHFileOperationW.SHELL32(?), ref: 00513C92

Strings

\*.*, xrefs: 00513C20

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: fa28390a2af5759a293f3a5c31d3bc7fccc020dc19bd2117db6990f7a1419da9
Instruction ID: 2802fcd7dcf855191b6823292e488378a33ae3b6d181c4dab7a65c727074be7c
Opcode Fuzzy Hash: fa28390a2af5759a293f3a5c31d3bc7fccc020dc19bd2117db6990f7a1419da9
Instruction Fuzzy Hash: E6419D7150C344AAD752EF64C495ADBBBE8BF89344F50192EF089C3291EB34D6C88B56

Function 005378B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005378CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00537976
IsMenu.USER32(?), ref: 0053798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005379D6
DrawMenuBar.USER32 ref: 005379E9

Strings

0, xrefs: 005378C3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 82d86acc3a2440e562cfc0efca7187eff01ed0313dc04afdc5241a39ba1d86dc
Instruction ID: 36a1eddf4c01611a7680705c1f586e96bd53907b2b0bdc12006a7f48fa304de1
Opcode Fuzzy Hash: 82d86acc3a2440e562cfc0efca7187eff01ed0313dc04afdc5241a39ba1d86dc
Instruction Fuzzy Hash: E94147B6A04209EFDB20DF54E884EDABBF9FB0D315F048229E95997250C730AD54DFA0

Function 00531602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00531631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053165B
FreeLibrary.KERNEL32(00000000), ref: 00531712

Part of subcall function 00531602: RegCloseKey.ADVAPI32(?), ref: 00531678
Part of subcall function 00531602: FreeLibrary.KERNEL32(?), ref: 005316CA
Part of subcall function 00531602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005316ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 005316B5

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 2348878a846d088406409097c052d710c55230dfd24e8ad394096940653c64b1
Instruction ID: 17fb21dae2983d38cd357017fdc89db53a6aa360115648b56b0c32a2b12acc3a
Opcode Fuzzy Hash: 2348878a846d088406409097c052d710c55230dfd24e8ad394096940653c64b1
Instruction Fuzzy Hash: A0315E75900109BFDB148FA0DC89EFFBBBCFF09304F140169E906A2140EB749E499BA4

Function 005368F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00536911
GetWindowLongW.USER32(01885760,000000F0), ref: 00536944
GetWindowLongW.USER32(01885760,000000F0), ref: 00536979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005369AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005369D5
GetWindowLongW.USER32(?,000000F0), ref: 005369E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00536A00

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 54f89945ddb830a31d89446352be118710dd486fd5ba73d970e441de59172fb9
Instruction ID: 89d53537994f8b5345ac21356a55419cbf993519c9bee9b1b0baeb1a7bb289ed
Opcode Fuzzy Hash: 54f89945ddb830a31d89446352be118710dd486fd5ba73d970e441de59172fb9
Instruction Fuzzy Hash: DD318B36604154AFDB21CF18EC88F643BE0FB5A354F2951A8F6098F2B1CB31AC54EB41

Function 0050E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0050E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0050E2F0
SysAllocString.OLEAUT32(00000000), ref: 0050E2F3
SysAllocString.OLEAUT32(?), ref: 0050E311
SysFreeString.OLEAUT32(?), ref: 0050E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0050E33F
SysAllocString.OLEAUT32(?), ref: 0050E34D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bbfdfcdd5c0aa57ac33766a919f2fe6e32f9f604fed08072a81cf9e4dee4b641
Instruction ID: 2e98953d01b2154d79eb43cf39abdb4a2ac6e45a50ce5b418f3a28e2a3209767
Opcode Fuzzy Hash: bbfdfcdd5c0aa57ac33766a919f2fe6e32f9f604fed08072a81cf9e4dee4b641
Instruction Fuzzy Hash: F4217476604219AFDF109FA8DC89CFF7BACFB09364B144929FE14DB290D670AC459760

Function 0052685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00528475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005284A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005268B1
WSAGetLastError.WSOCK32(00000000), ref: 005268C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005268F9
connect.WSOCK32(00000000,?,00000010), ref: 00526902
WSAGetLastError.WSOCK32 ref: 0052690C
closesocket.WSOCK32(00000000), ref: 00526935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0052694E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 931da9034bd3fe0cb8fcec1ac333493cde3c845b3f35b0e5436882e41bf89987
Instruction ID: 8b612c5917d2dfae213f4b184f798e0fe8b9edd698f7d8eab80a9628e20d93e1
Opcode Fuzzy Hash: 931da9034bd3fe0cb8fcec1ac333493cde3c845b3f35b0e5436882e41bf89987
Instruction Fuzzy Hash: BE31B375600128AFDB10AF64DC85BBE7BEDFF46728F144029F905AB2D1CB74AC449BA1

Function 0050E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0050E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0050E3CB
SysAllocString.OLEAUT32(00000000), ref: 0050E3CE
SysAllocString.OLEAUT32 ref: 0050E3EF
SysFreeString.OLEAUT32 ref: 0050E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0050E412
SysAllocString.OLEAUT32(?), ref: 0050E420

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3ca6996124b817116618f00d8b61d2f5cdcfccde962f6c0d06f6fc295f33ea11
Instruction ID: 50f4a76281c80b83e6ccc556d6a6276c6d463e6b25de99bcbb6284c689921f37
Opcode Fuzzy Hash: 3ca6996124b817116618f00d8b61d2f5cdcfccde962f6c0d06f6fc295f33ea11
Instruction Fuzzy Hash: 3C218B35604204AFDF149FA8DC89DBE7BECFB093647608929FA05CB2E0D674EC459764

Function 00537BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004B214F
Part of subcall function 004B2111: GetStockObject.GDI32(00000011), ref: 004B2163
Part of subcall function 004B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 004B216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00537C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00537C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00537C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00537C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00537C8A

Strings

Msctls_Progress32, xrefs: 00537C28

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b8a656cb8a41c3a94612c33c14e93f83fc06315f4e9f34be90d4c6bd9c9278b1
Instruction ID: 0d7559c81da6195d93c4b7bd2d79883975e05498a23046ef7488005449a6f1d4
Opcode Fuzzy Hash: b8a656cb8a41c3a94612c33c14e93f83fc06315f4e9f34be90d4c6bd9c9278b1
Instruction Fuzzy Hash: 191190B254021DBEEF258F60CC85EE77F5DFF09798F015115BB08A60A0C6729C21DBA4

Function 004D9D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 004D9D16

Part of subcall function 004D33B7: EncodePointer.KERNEL32(00000000), ref: 004D33BA
Part of subcall function 004D33B7: __initp_misc_winsig.LIBCMT ref: 004D33D5
Part of subcall function 004D33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004DA0D0
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004DA0E4
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004DA0F7
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004DA10A
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004DA11D
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004DA130
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 004DA143
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004DA156
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004DA169
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004DA17C
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004DA18F
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004DA1A2
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004DA1B5
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004DA1C8
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004DA1DB
Part of subcall function 004D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004DA1EE

__mtinitlocks.LIBCMT ref: 004D9D1B
__mtterm.LIBCMT ref: 004D9D24

Part of subcall function 004D9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,004D9D29,004D7EFD,0056CD38,00000014), ref: 004D9E86
Part of subcall function 004D9D8C: _free.LIBCMT ref: 004D9E8D
Part of subcall function 004D9D8C: DeleteCriticalSection.KERNEL32(0RW,?,?,004D9D29,004D7EFD,0056CD38,00000014), ref: 004D9EAF

__calloc_crt.LIBCMT ref: 004D9D49
__initptd.LIBCMT ref: 004D9D6B
GetCurrentThreadId.KERNEL32 ref: 004D9D72

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: c335c0bfef38aecb4c5f3aaf7a2e645650f00c0add8be579ca9890adf1d3fc8d
Instruction ID: 4ed04737e2182c9121b566a055bd473de51191204cd06db021aa9d3307f6ac08
Opcode Fuzzy Hash: c335c0bfef38aecb4c5f3aaf7a2e645650f00c0add8be579ca9890adf1d3fc8d
Instruction Fuzzy Hash: C9F06D326197115AE6347B76BC2768B26D6DB41738F20061FF554D63D2EF288C419198

Function 004D41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,004D4282,?), ref: 004D41D3
GetProcAddress.KERNEL32(00000000), ref: 004D41DA
EncodePointer.KERNEL32(00000000), ref: 004D41E6
DecodePointer.KERNEL32(00000001,004D4282,?), ref: 004D4203

Strings

combase.dll, xrefs: 004D41CE
RoInitialize, xrefs: 004D41C2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: c1f4f504dfda2d3e93c793b47b8125c89dca9e50ac0ebb4e1bbccb3a72621903
Instruction ID: a2cf96e4f379e46a8985abdd93b002ba73cbbc0f8120395d9a8bf4043b21b50b
Opcode Fuzzy Hash: c1f4f504dfda2d3e93c793b47b8125c89dca9e50ac0ebb4e1bbccb3a72621903
Instruction Fuzzy Hash: AFE0ED78550B11AFEB105F70EC4DB993954B76170AFA05825B645D51E0DBF54188FE04

Function 004D428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004D41A8), ref: 004D42A8
GetProcAddress.KERNEL32(00000000), ref: 004D42AF
EncodePointer.KERNEL32(00000000), ref: 004D42BA
DecodePointer.KERNEL32(004D41A8), ref: 004D42D5

Strings

combase.dll, xrefs: 004D42A3
RoUninitialize, xrefs: 004D4297

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: f4cade963d33a16cc2f4e26d277bac17b9a9a0e7deca1ab835026230ec11cd49
Instruction ID: 72e1a7bee3547e969dcf2f21933f2c444b9989849f7e0cc8f47142ef2f04a418
Opcode Fuzzy Hash: f4cade963d33a16cc2f4e26d277bac17b9a9a0e7deca1ab835026230ec11cd49
Instruction Fuzzy Hash: 6DE09278950B00ABEB109F60AD0DB853A64B761B8BFA01526F245D62F0DBF44588FA14

Function 004B218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004B21B8
GetWindowRect.USER32(?,?), ref: 004B21F9
ScreenToClient.USER32(?,?), ref: 004B2221
GetClientRect.USER32(?,?), ref: 004B2350
GetWindowRect.USER32(?,?), ref: 004B2369

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 07afe034632822aa3a2d3b1f45925c420f634db12df03f8c247168367b68776b
Instruction ID: f617c692b9618e394e71d5517037429220e533580513904977dab47699076ddc
Opcode Fuzzy Hash: 07afe034632822aa3a2d3b1f45925c420f634db12df03f8c247168367b68776b
Instruction Fuzzy Hash: 8BB17A3990024ADBCF10CFA9C5807EEB7B1FF08310F14916AED59EB254DB78A941DB69

Function 00516A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00516BC6
_memmove.LIBCMT ref: 00516B01

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

_memmove.LIBCMT ref: 00516B74
_memmove.LIBCMT ref: 00516C5B
_memmove.LIBCMT ref: 00516C74
_memmove.LIBCMT ref: 00516C90

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
Instruction ID: f35470077dfd6b428e372f095358e62e9677985577845c3417d426a7f263c70d
Opcode Fuzzy Hash: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
Instruction Fuzzy Hash: AC619E3050025AABDF11EF61C895EFE3BA8BF4530CF04455EF8955B2A2DB389D85CB64

Function 00530844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0053147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053040D,?,?), ref: 00531491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00530980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005309A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005309EC
RegCloseKey.ADVAPI32(00000000), ref: 005309F9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 077a8b2115a5b5f313c5e5f50bbb7e336fdc0735b0201506e3fc7e52a2fd7f29
Instruction ID: 55f3726be3dc14da22de249a0bdce2328931628aaf273bac64309fa3400e7695
Opcode Fuzzy Hash: 077a8b2115a5b5f313c5e5f50bbb7e336fdc0735b0201506e3fc7e52a2fd7f29
Instruction Fuzzy Hash: D3517831208305AFD710EF64C895E6EBBE9FF89318F04491EF589872A2DB35E905CB52

Function 00535DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00535E38
GetMenuItemCount.USER32(00000000), ref: 00535E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00535E97
GetMenuItemID.USER32(?,?), ref: 00535F06
GetSubMenu.USER32(?,?), ref: 00535F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00535F65

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 6fc1d2e4d8637da3b8a749656fe99107305478eb3a08af5c9609c08f3dc7c3b1
Instruction ID: 017d905aaff17b9e8fec1da915617747ccd5497e3f080de80e56e2fac31fa39d
Opcode Fuzzy Hash: 6fc1d2e4d8637da3b8a749656fe99107305478eb3a08af5c9609c08f3dc7c3b1
Instruction Fuzzy Hash: D851CC75A00615AFCF11EFA4C845AEEBBB9FF48314F10449AF901BB391DB34AE419B90

Function 0050F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0050F6A2
VariantClear.OLEAUT32(00000013), ref: 0050F714
VariantClear.OLEAUT32(00000000), ref: 0050F76F
_memmove.LIBCMT ref: 0050F799
VariantClear.OLEAUT32(?), ref: 0050F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0050F814

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 80e234d15699451e8e1a6c554eb3a00849108904d037455cf507fabc09a48cea
Instruction ID: f03779a3bcc8dfce130967e44ddd5cf78c6341e888dcf5dbd51e9875488d1f90
Opcode Fuzzy Hash: 80e234d15699451e8e1a6c554eb3a00849108904d037455cf507fabc09a48cea
Instruction Fuzzy Hash: F5514D75A00209EFCB24CF58C884AAABBB8FF4C314B15856AE959DB341D730E911CFA0

Function 005129B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005129FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00512A4A
IsMenu.USER32(00000000), ref: 00512A6A
CreatePopupMenu.USER32 ref: 00512A9E
GetMenuItemCount.USER32(000000FF), ref: 00512AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00512B2D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 5838735bdb227f5e77a98f1b3989edba899dd570c1d289f60c803b3576a5428e
Instruction ID: 9a6d2e556e5962e42e6c2e6150fc4291caea70f77888901462c6d964e77c0f46
Opcode Fuzzy Hash: 5838735bdb227f5e77a98f1b3989edba899dd570c1d289f60c803b3576a5428e
Instruction Fuzzy Hash: 7351CC3060424ADBEF21CF68D888AEEBFF4FF55318F104519E8129B2A0D7B09DA4CB51

Function 004B1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 004B1B76
GetWindowRect.USER32(?,?), ref: 004B1BDA
ScreenToClient.USER32(?,?), ref: 004B1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004B1C08
EndPaint.USER32(?,?), ref: 004B1C52

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 57544bb2f84c53937036e48e0ed57569e376976e7e082defc26cd14d6fe37468
Instruction ID: 2f76afd2117068f76ffa1bb3bf538d580ffba5a411878fa98ad391858f7462fb
Opcode Fuzzy Hash: 57544bb2f84c53937036e48e0ed57569e376976e7e082defc26cd14d6fe37468
Instruction Fuzzy Hash: CA41E130104204AFD710DF25DC98FA73BF8EB59325F14056AFA99872B2C734A849EB66

Function 0053BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005777B0,00000000,01885760,?,?,005777B0,?,0053BC1A,?,?), ref: 0053BD84
EnableWindow.USER32(?,00000000), ref: 0053BDA8
ShowWindow.USER32(005777B0,00000000,01885760,?,?,005777B0,?,0053BC1A,?,?), ref: 0053BE08
ShowWindow.USER32(?,00000004,?,0053BC1A,?,?), ref: 0053BE1A
EnableWindow.USER32(?,00000001), ref: 0053BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0053BE61

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4261089d11e3ddfbaa697a47e4b81e591ef65be28e9604015f51e4deb3e1436d
Instruction ID: d6ff6ff09c953a333548b84e3185173ce9615de0517bccebea44c11652401edc
Opcode Fuzzy Hash: 4261089d11e3ddfbaa697a47e4b81e591ef65be28e9604015f51e4deb3e1436d
Instruction Fuzzy Hash: 33416C75600144AFEB22CF28C489BD47FF5FF46314F2841A9EB498F2A2CB31A855DB51

Function 00527788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0052550C,?,?,00000000,00000001), ref: 00527796

Part of subcall function 0052406C: GetWindowRect.USER32(?,?), ref: 0052407F

GetDesktopWindow.USER32 ref: 005277C0
GetWindowRect.USER32(00000000), ref: 005277C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005277F9

Part of subcall function 005157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00515877

GetCursorPos.USER32(?), ref: 00527825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00527883

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: fb5e19d0a3420ccf1c4858abb445d44824f6ace88e06e381256cb572ef191c23
Instruction ID: f37e88952f2dc3ed1ccf35e2abc8222a269ca4dda56e252d26bb84ee655c6ed8
Opcode Fuzzy Hash: fb5e19d0a3420ccf1c4858abb445d44824f6ace88e06e381256cb572ef191c23
Instruction Fuzzy Hash: 8C31C17250831AABD720DF14D849F9ABBA9FFC9314F100919F595971C1DA30E948CB92

Function 00509431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00508CDE
Part of subcall function 00508CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00508CE8
Part of subcall function 00508CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00508CF7
Part of subcall function 00508CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00508CFE
Part of subcall function 00508CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00508D14

GetLengthSid.ADVAPI32(?,00000000,0050904D), ref: 00509482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0050948E
HeapAlloc.KERNEL32(00000000), ref: 00509495
CopySid.ADVAPI32(00000000,00000000,?), ref: 005094AE
GetProcessHeap.KERNEL32(00000000,00000000,0050904D), ref: 005094C2
HeapFree.KERNEL32(00000000), ref: 005094C9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2c4ca3d65d61851ac34908ab684b70ef471d6ac4680f195a5f2047815738f630
Instruction ID: 9115765bb11c20099abdafedb7a086c2a053e7676fe61da7961e4591ee3eda58
Opcode Fuzzy Hash: 2c4ca3d65d61851ac34908ab684b70ef471d6ac4680f195a5f2047815738f630
Instruction Fuzzy Hash: 0611DC36500204EFDF108FA4CC09BFE7BA9FB5231AF209018E98597295C7369905DB60

Function 005091CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00509200
OpenProcessToken.ADVAPI32(00000000), ref: 00509207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00509216
CloseHandle.KERNEL32(00000004), ref: 00509221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00509250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00509264

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38d9a02486c7d459b76161f7b929624b63fb50770fc7d570e79025c5d49f0808
Instruction ID: 7f7ec54d42aa624863cdf304c5a020aa98385f15c4a40ddac72095293c1e1f03
Opcode Fuzzy Hash: 38d9a02486c7d459b76161f7b929624b63fb50770fc7d570e79025c5d49f0808
Instruction Fuzzy Hash: CA11477650124AABDB118F94ED49BDE7BA9FB09308F144014FE04A21A1C2769D64EB61

Function 0050C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0050C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0050C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0050C366
ReleaseDC.USER32(00000000,00000000), ref: 0050C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0050C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0050C397

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 638c0b3ed3059473aed82798b9023af7f5d352a34e7fb77f21628eab49f2270e
Instruction ID: e8a4d7884c75d83af3205530d41bf6a39c8973529bcc4573210e46579569a6d9
Opcode Fuzzy Hash: 638c0b3ed3059473aed82798b9023af7f5d352a34e7fb77f21628eab49f2270e
Instruction Fuzzy Hash: A4017175E00208BBEB109BA59C49A9EBFA8EB59351F104065FE08A7280D6309810CFA0

Function 0053C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B1729
Part of subcall function 004B16CF: SelectObject.GDI32(?,00000000), ref: 004B1738
Part of subcall function 004B16CF: BeginPath.GDI32(?), ref: 004B174F
Part of subcall function 004B16CF: SelectObject.GDI32(?,00000000), ref: 004B1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0053C57C
LineTo.GDI32(00000000,00000003,?), ref: 0053C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0053C59E
LineTo.GDI32(00000000,00000000,?), ref: 0053C5AE
EndPath.GDI32(00000000), ref: 0053C5BE
StrokePath.GDI32(00000000), ref: 0053C5CE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 664af906cfffde48d33dc4170731eed00e3417832a9950b25ebd088d9cfa27af
Instruction ID: d77b4912a14965b8598bbca3c80e7b718f2de25c2a0dea68871e541c6acb47e8
Opcode Fuzzy Hash: 664af906cfffde48d33dc4170731eed00e3417832a9950b25ebd088d9cfa27af
Instruction Fuzzy Hash: AE111E7600010CBFDF129F90DC48FDA7FADEF19358F148011BA18561A1C771AE59EBA0

Function 004D07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004D07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 004D07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004D07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004D080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 004D0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 004D081A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 61d8042f7bf506f677284c59e0e24c7146b48c304500a095af2ae5bd31880539
Instruction ID: 3d5c7b5d9748b5b3813c11797b8514cab1a017e6b9fa81bd60a0295d9882d0c8
Opcode Fuzzy Hash: 61d8042f7bf506f677284c59e0e24c7146b48c304500a095af2ae5bd31880539
Instruction Fuzzy Hash: 43016CB09027597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 005159A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005159B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005159CA
GetWindowThreadProcessId.USER32(?,?), ref: 005159D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005159E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005159F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005159F9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6cec11a6f57d4beded226ce4b11e1cf961a26f918f5359ba4d8f743a0f01a316
Instruction ID: 6a4198ff73c4414a1787920d24d60369c3a7544c7a3d5c1b23b757168c752c5c
Opcode Fuzzy Hash: 6cec11a6f57d4beded226ce4b11e1cf961a26f918f5359ba4d8f743a0f01a316
Instruction Fuzzy Hash: CAF06D36240158BBE7215B929C0DEEF7E3CEBD7B15F101159FA0192090E7B01A15D6B5

Function 005177EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 005177FE
EnterCriticalSection.KERNEL32(?,?,004BC2B6,?,?), ref: 0051780F
TerminateThread.KERNEL32(00000000,000001F6,?,004BC2B6,?,?), ref: 0051781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,004BC2B6,?,?), ref: 00517829

Part of subcall function 005171F0: CloseHandle.KERNEL32(00000000,?,00517836,?,004BC2B6,?,?), ref: 005171FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0051783C
LeaveCriticalSection.KERNEL32(?,?,004BC2B6,?,?), ref: 00517843

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a6c6ff287858490fdedf8267d89b48253f34b09d90ebf283cfc32a01a6101c02
Instruction ID: 5bdd9944662ea20c631f3fb07fdfd26147e62bb2c11596b59b87f0f2387aa7fc
Opcode Fuzzy Hash: a6c6ff287858490fdedf8267d89b48253f34b09d90ebf283cfc32a01a6101c02
Instruction Fuzzy Hash: 53F0803A159211ABD7111B54EC4CAEB7B75FF5A705F242421F303550E0CBF55845DB50

Function 0050954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00509555
UnloadUserProfile.USERENV(?,?), ref: 00509561
CloseHandle.KERNEL32(?), ref: 0050956A
CloseHandle.KERNEL32(?), ref: 00509572
GetProcessHeap.KERNEL32(00000000,?), ref: 0050957B
HeapFree.KERNEL32(00000000), ref: 00509582

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b8bf5551db01b9def13024286d3b186f611861bf3c809bddb0012bce90547a94
Instruction ID: 7b900d51ae41ffaecd2d1f95d6065e66855af8d6939e203f14dc8dc7613c390e
Opcode Fuzzy Hash: b8bf5551db01b9def13024286d3b186f611861bf3c809bddb0012bce90547a94
Instruction Fuzzy Hash: FBE0ED3A004101BBD7011FE1EC0C995BF39FF6A7267206A20F715814B0CB329464EB50

Function 00528CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00528CFD
CharUpperBuffW.USER32(?,?), ref: 00528E0C
VariantClear.OLEAUT32(?), ref: 00528F84

Part of subcall function 00517B1D: VariantInit.OLEAUT32(00000000), ref: 00517B5D
Part of subcall function 00517B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00517B66
Part of subcall function 00517B1D: VariantClear.OLEAUT32(00000000), ref: 00517B72

Strings

AUTOIT.ERROR, xrefs: 00528E12
Incorrect Parameter format, xrefs: 00528D35, 00528EF7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 66deb8fc302039277491ccb3eb4193d070b990727ed606b3774741885f31db5c
Instruction ID: baf8cb5e5fcfb18a1f4dbcb313ca223ed2b65c51c8c87cae38256db162de05a7
Opcode Fuzzy Hash: 66deb8fc302039277491ccb3eb4193d070b990727ed606b3774741885f31db5c
Instruction Fuzzy Hash: 82916B756043019FC700DF64D48496ABBF5BFDA314F14896EF88A8B3A2DB30E949CB52

Function 0051323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C436A: _wcscpy.LIBCMT ref: 004C438D

_memset.LIBCMT ref: 0051332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0051335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00513410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0051343E

Strings

0, xrefs: 0051331A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ba7d80870823633c14f0bc20c20e4891b868460a3049c0b8ee57aaa7365c91da
Instruction ID: 278fea7422b9ddfbbfd46fc17bf05228140d655e12ee35f8a31e7482412a7d88
Opcode Fuzzy Hash: ba7d80870823633c14f0bc20c20e4891b868460a3049c0b8ee57aaa7365c91da
Instruction Fuzzy Hash: 2651F5312083009BEB12AF28D8696AB7FE4BF45314F04492EF8A5D31E1DB74CE84D756

Function 00512EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00512F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00512F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00512FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00577890,00000000), ref: 00513012

Strings

0, xrefs: 00512F5C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 25ed0642f73977cddc845de2624123ff9473af5b191d5b55a515d44da213b2bb
Instruction ID: 3c0aed2d5441c3f92d7828707750165dbbc8806edb8c16054f3e978de4de101a
Opcode Fuzzy Hash: 25ed0642f73977cddc845de2624123ff9473af5b191d5b55a515d44da213b2bb
Instruction Fuzzy Hash: 5341A0312083429FE720DF24C899F9ABFE8BF89314F104A1EF56597291D770EA45CB52

Function 00509A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00509ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00509ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00509B0F

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Strings

ComboBox, xrefs: 00509A56
ListBox, xrefs: 00509A8B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 1c565930e8bc50343b04d295b589a951af5fc302f5aeaff7c85398e36fd9e598
Instruction ID: 5971b407819d8541e4efb9a8fbf481b0d02827530b411cadca678c9ccac9d190
Opcode Fuzzy Hash: 1c565930e8bc50343b04d295b589a951af5fc302f5aeaff7c85398e36fd9e598
Instruction Fuzzy Hash: 932128759051047FDB24EBA0DC45DFEBF68EF52364F10411EF815A32E6DB3849099620

Function 00536A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004B214F
Part of subcall function 004B2111: GetStockObject.GDI32(00000011), ref: 004B2163
Part of subcall function 004B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 004B216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00536A86
LoadLibraryW.KERNEL32(?), ref: 00536A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00536AA2
DestroyWindow.USER32(?), ref: 00536AAA

Strings

SysAnimate32, xrefs: 00536A61

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e1b89bd73f23463a521221d79e38427894fcb4357821e46a73ad085454131a3e
Instruction ID: fa93601ec109f9b6b7c3004c0ad438c4efb92f67cab433959db9899fa5a8b5ea
Opcode Fuzzy Hash: e1b89bd73f23463a521221d79e38427894fcb4357821e46a73ad085454131a3e
Instruction Fuzzy Hash: 0C215B75204205FFEF108FA49C81EBB7BA9FB59368F20D61DFA51A3190D3719C91A760

Function 00517357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00517377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005173AA
GetStdHandle.KERNEL32(0000000C), ref: 005173BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005173F6

Strings

nul, xrefs: 005173F1

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 09f9a679b057ef03e133b8004d7afba863db9197f3f5b41adb1bf33728d29a9b
Instruction ID: 47934c1d5f68f17a51bc1e8b432cca7a31ee1544a29b5b67bd9eb8f077b382bd
Opcode Fuzzy Hash: 09f9a679b057ef03e133b8004d7afba863db9197f3f5b41adb1bf33728d29a9b
Instruction Fuzzy Hash: F7215E7450820AABEB208F68DC45ADA7FB4BF59724F204E19FDB0D72D0D7709990DB50

Function 00517425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00517444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00517476
GetStdHandle.KERNEL32(000000F6), ref: 00517487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005174C1

Strings

nul, xrefs: 005174BC

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 657f9e0cb558dc3c2e3ca1a0a2c0213bf6c0b2b20c64bfb6303b072eb0dcb4f6
Instruction ID: 3beca03035a5d9d2d26a2ffd53d9d3dda9a7c7950b9834c113fb2d3afe92d2ae
Opcode Fuzzy Hash: 657f9e0cb558dc3c2e3ca1a0a2c0213bf6c0b2b20c64bfb6303b072eb0dcb4f6
Instruction Fuzzy Hash: 5021833960820A9BEF209F6C9C48AD97FB8BF59734F200A19F9A1D72D0D7F09895C751

Function 0051B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0051B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0051B2EB
__swprintf.LIBCMT ref: 0051B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00540980), ref: 0051B342

Strings

%lu, xrefs: 0051B2FE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1b4ea69b8780deb691929a51c70f7cd1d6e11f64ca7292f45a0560def652834d
Instruction ID: ba8cde149ce26c4ce00def53dd8d11b1a765e273a039011308b846cef5402f3d
Opcode Fuzzy Hash: 1b4ea69b8780deb691929a51c70f7cd1d6e11f64ca7292f45a0560def652834d
Instruction Fuzzy Hash: 9021B335A00109AFCB10EFA5CC45DEEBBB8FF89708B104069F905D7292DB71EA45CB61

Function 0050AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

Part of subcall function 0050AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0050AA6F
Part of subcall function 0050AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0050AA82
Part of subcall function 0050AA52: GetCurrentThreadId.KERNEL32 ref: 0050AA89
Part of subcall function 0050AA52: AttachThreadInput.USER32(00000000), ref: 0050AA90

GetFocus.USER32 ref: 0050AC2A

Part of subcall function 0050AA9B: GetParent.USER32(?), ref: 0050AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0050AC73
EnumChildWindows.USER32(?,0050ACEB), ref: 0050AC9B
__swprintf.LIBCMT ref: 0050ACB5

Strings

%s%d, xrefs: 0050ACAF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 215b54565dfcf47786ede390b9259e0415a7c7440567ba8b0252217db52b8637
Instruction ID: b0c0d53a51086cfacbb887fc994152baf331434efc67eae6396a4a65e3815df2
Opcode Fuzzy Hash: 215b54565dfcf47786ede390b9259e0415a7c7440567ba8b0252217db52b8637
Instruction Fuzzy Hash: EF11C075600305ABDF11BFA08D8AFEE3B6CBB85704F104069BE08AA1C2CA7459499B75

Function 005122E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00512318

Strings

REMOVE, xrefs: 0051231E
KEYS, xrefs: 0051232F
EXISTS, xrefs: 00512340
APPEND, xrefs: 00512351

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: bdceb12020979cd7b0df4f031412aaa3ca97e327ac501b8bf09b99ad16e32310
Instruction ID: d577e03674560a3035dafd434ea0fd6e9f56becc1c18df272dfa3c9e179cd165
Opcode Fuzzy Hash: bdceb12020979cd7b0df4f031412aaa3ca97e327ac501b8bf09b99ad16e32310
Instruction Fuzzy Hash: EC117C349001189FDF00EF94C8609EEBBF4FF26308F10846AE820A7262EB365E56DB40

Function 0052F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0052F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0052F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0052F453
CloseHandle.KERNEL32(?), ref: 0052F4D4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1907b4a4b7fdc340b59e3fcf87a851aeed6bb1014288cdf49083ecb4d4bcb6af
Instruction ID: 21dfee5e8a834c67b9f05bb1f85a75208ce3dc66e0c64c1d43c4deef00cf6f0e
Opcode Fuzzy Hash: 1907b4a4b7fdc340b59e3fcf87a851aeed6bb1014288cdf49083ecb4d4bcb6af
Instruction Fuzzy Hash: A081C4716003109FD724EF25E842F6ABBE5BF85714F14882EF955DB2D2D7B4AC008BA5

Function 00530697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0053147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053040D,?,?), ref: 00531491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005307E3
RegCloseKey.ADVAPI32(?,?), ref: 0053080F
RegCloseKey.ADVAPI32(00000000), ref: 0053081C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: ac05ca0b65857abde23dfac400d66223487ac00c59b3b47700ec85ccb291f179
Instruction ID: 2542189c9a1bfc908b931a79d7eb9bdefebff87382ade5747785350faeb4ecd5
Opcode Fuzzy Hash: ac05ca0b65857abde23dfac400d66223487ac00c59b3b47700ec85ccb291f179
Instruction Fuzzy Hash: 5C516935208305AFC714EF64C895F6ABBE9FF89308F00891EF595872A2DB35E905CB52

Function 0051EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0051EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0051EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0051ECCA

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0051ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0051ECF7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c2bb2755a962a495329da4b22b7686f4768e778634285bf1a06c30961bd9f082
Instruction ID: deae5c633b890b05e1d29d73ec66e750c927c11f4145684ed6fd6d8eb8e703e4
Opcode Fuzzy Hash: c2bb2755a962a495329da4b22b7686f4768e778634285bf1a06c30961bd9f082
Instruction Fuzzy Hash: F2518E39A00105DFDB01EF65C985AADBBF5FF48304B14809AE849AB3A2CB35ED41DB64

Function 0053A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebeb9e42af545cfef676ac048d0cadbd19db51a3418b6971ed838f2111e96d7
Instruction ID: f8607da1d1a90f8dbd2ace0f91f26a9e15f3d0e1e1601998162e2142f31eaed4
Opcode Fuzzy Hash: 9ebeb9e42af545cfef676ac048d0cadbd19db51a3418b6971ed838f2111e96d7
Instruction Fuzzy Hash: 0741C175900114AFD710DB28CCC8FE9BFB8FB0A350F150265E99AA72E1D6709D41EA51

Function 004B2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004B2727
ScreenToClient.USER32(005777B0,?), ref: 004B2744
GetAsyncKeyState.USER32(00000001), ref: 004B2769
GetAsyncKeyState.USER32(00000002), ref: 004B2777

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e497f33ebca97d65da4e9fcc238c566454b12e887d7ee2a6b06db56975e1857d
Instruction ID: cf58201ec5b1e0173c7ab60b4ffe5d97eba59f146e40fad5f68f5fdcde45b352
Opcode Fuzzy Hash: e497f33ebca97d65da4e9fcc238c566454b12e887d7ee2a6b06db56975e1857d
Instruction Fuzzy Hash: AD41B435504109FFCF159FA9C948AEABB74FB05324F20831BF82496290CB34AD51DBA9

Function 005095D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005095E8
PostMessageW.USER32(?,00000201,00000001), ref: 00509692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0050969A
PostMessageW.USER32(?,00000202,00000000), ref: 005096A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005096B0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8838698d39bc1b8f77a5fb934ec1438ab49c9150edcbe7f39136da69628981c2
Instruction ID: 6869c983559ccb4ab70c1872b1cc7b0bae7584847557c535abb691210fa56137
Opcode Fuzzy Hash: 8838698d39bc1b8f77a5fb934ec1438ab49c9150edcbe7f39136da69628981c2
Instruction Fuzzy Hash: 7631DA71900219EBDF10CFA8D94CAEE3FB5FB45319F204228F925AB2D1C3B19924DB90

Function 0053B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

GetWindowLongW.USER32(?,000000F0), ref: 0053B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0053B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0053B841
GetSystemMetrics.USER32(00000004), ref: 0053B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0052155C,00000000), ref: 0053B888

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 777ebad6506963ae48b175226bbb17c73eda66862b7efa57659d39637c557a53
Instruction ID: a5523a8393062e75eae58b728c03c1454eb5b1df32490d9fbb4ac961b012d4eb
Opcode Fuzzy Hash: 777ebad6506963ae48b175226bbb17c73eda66862b7efa57659d39637c557a53
Instruction Fuzzy Hash: B321B571A14215AFDB149F38DC08BAA7FA8FB15324F204B39FA25D71E0E7308954DB90

Function 00526138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00526159
GetForegroundWindow.USER32 ref: 00526170
GetDC.USER32(00000000), ref: 005261AC
GetPixel.GDI32(00000000,?,00000003), ref: 005261B8
ReleaseDC.USER32(00000000,00000003), ref: 005261F3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eb8dce094042bf28975aba975aec1bef96bde77aaee08c63413975788670e718
Instruction ID: a514617eb62a4c2d223bfa2f9461b1170d7440e964caf1e144e13572883fea24
Opcode Fuzzy Hash: eb8dce094042bf28975aba975aec1bef96bde77aaee08c63413975788670e718
Instruction Fuzzy Hash: 5421A475A002049FD714EF65DC88AAABBF9FF99314F14846DE94A97292CB30AC44DB90

Function 004B16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B1729
SelectObject.GDI32(?,00000000), ref: 004B1738
BeginPath.GDI32(?), ref: 004B174F
SelectObject.GDI32(?,00000000), ref: 004B1778

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b1eb66b663eefdaac0b758c62c07ecbb280e5ea993faa252d9a3486f8c2e53bc
Instruction ID: e1c73ffe63f768615681a7e5e2b19d8d903f7c9b8b452dcf29ae95abb4162aa3
Opcode Fuzzy Hash: b1eb66b663eefdaac0b758c62c07ecbb280e5ea993faa252d9a3486f8c2e53bc
Instruction Fuzzy Hash: 5F21C73040420CEFDB108F55FC4C7DA3BA8F724315F544256F819A22B0D7749899FBAA

Function 0050C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0050C84C
_memcmp.LIBCMT ref: 0050C86A
_memcmp.LIBCMT ref: 0050C87D
_memcmp.LIBCMT ref: 0050C895
_memcmp.LIBCMT ref: 0050C8AD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8603a850e4e9c89f1a84ea5526406e71dbe85a3f767542ecf05edc6b650870b9
Instruction ID: 909f220d28863a2c5d2722a167b8fb5feee82253f7e88ed170541a8137d50297
Opcode Fuzzy Hash: 8603a850e4e9c89f1a84ea5526406e71dbe85a3f767542ecf05edc6b650870b9
Instruction Fuzzy Hash: FE019272A001057BE21467119D92FEF7F5CFF62388F04C22AFE0696792E764DE1592E8

Function 0051504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00515075
__beginthreadex.LIBCMT ref: 00515093
MessageBoxW.USER32(?,?,?,?), ref: 005150A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005150BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005150C5

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 45c62cc195bdc6cf79fc773a27bee06540ee9f9eaf208fc2d2304204a83dd564
Instruction ID: 9a64e196047022cc987a9ebf4f6212849b36e58f04f5efbaca5333d0d59a8d81
Opcode Fuzzy Hash: 45c62cc195bdc6cf79fc773a27bee06540ee9f9eaf208fc2d2304204a83dd564
Instruction Fuzzy Hash: 11114079904608BBD7019FA8AC08ADB7FACAB99310F100255F914D33A1E771898497F0

Function 00508E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00508E3C
GetLastError.KERNEL32(?,00508900,?,?,?), ref: 00508E46
GetProcessHeap.KERNEL32(00000008,?,?,00508900,?,?,?), ref: 00508E55
HeapAlloc.KERNEL32(00000000,?,00508900,?,?,?), ref: 00508E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00508E73

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: eed87f7636848786f1c7cc95bb22bd80f7f62727ebb5be6f6d9c522afa2c20bc
Instruction ID: 265b1ea3a1def1818d4a91d0514d469848b62265f423bb87cc41dbfe8220a614
Opcode Fuzzy Hash: eed87f7636848786f1c7cc95bb22bd80f7f62727ebb5be6f6d9c522afa2c20bc
Instruction Fuzzy Hash: DB016D74200204BFDB205FA5DC48DBB7FADFF9A758B200529FA89C32A0DA319C14DA60

Function 00507D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00507C62,80070057,?,?,?,00508073), ref: 00507D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00507C62,80070057,?,?), ref: 00507D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00507C62,80070057,?,?), ref: 00507D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00507C62,80070057,?), ref: 00507D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00507C62,80070057,?,?), ref: 00507D8A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 70d311b1e2f5a5794b454e3685630f11a3383e5d3ddaa37fdefac9070b8e2a20
Instruction ID: d5447f5a749a2d371686085d14645229b5ff528099c40b9efb2bdfd32a678e5f
Opcode Fuzzy Hash: 70d311b1e2f5a5794b454e3685630f11a3383e5d3ddaa37fdefac9070b8e2a20
Instruction Fuzzy Hash: 28018C76A01218BBCB104F54DD04BAD7FADFF48351F204014B909D6250D731ED00AAA0

Function 00508CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00508CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00508CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00508CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00508CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00508D14

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 61f9cb81a0ffd7d49e347706234bc9159d759f7d1d293995dd7b9e187755574e
Instruction ID: d5912ec5f6d94b75f1f0e61afb59b93c15b1b6ebbd830fcf4185b9fbc03c809d
Opcode Fuzzy Hash: 61f9cb81a0ffd7d49e347706234bc9159d759f7d1d293995dd7b9e187755574e
Instruction Fuzzy Hash: FEF03135200204AFDB110FA59C8DEBB3F6DFF6A758B605515FA45861D0CA71DC45EB60

Function 00508D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00508D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00508D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D75

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 50154e2f9fed1fb35d5946b0d7824854be6b495fb6d0b573c184031ce3c6736f
Instruction ID: 03352dbec898679dcd1f33870615e0f0406f73b8ec0ee305343eb840c47ca851
Opcode Fuzzy Hash: 50154e2f9fed1fb35d5946b0d7824854be6b495fb6d0b573c184031ce3c6736f
Instruction Fuzzy Hash: 81F06935200204AFEB210FA5AC88EBA3BACEF5A758F640615FA84831D0CA709904EA60

Function 0050CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0050CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0050CDA7
MessageBeep.USER32(00000000), ref: 0050CDBF
KillTimer.USER32(?,0000040A), ref: 0050CDDB
EndDialog.USER32(?,00000001), ref: 0050CDF5

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 51ecf35b1860b27fe853dd92f60ffd2097ead1383e8f01c873f5fb4fbf26a947
Instruction ID: dea1bdddeacab4aadba8ce06fd8dffa7d7ad5db908f2c3532d7d45d97ea2ca77
Opcode Fuzzy Hash: 51ecf35b1860b27fe853dd92f60ffd2097ead1383e8f01c873f5fb4fbf26a947
Instruction Fuzzy Hash: 7D01A735500704ABEB205B10DC4EBAA7F78FB12705F000669A682610E1DBF0A9589A80

Function 004B178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004B179B
StrokeAndFillPath.GDI32(?,?,004EBBC9,00000000,?), ref: 004B17B7
SelectObject.GDI32(?,00000000), ref: 004B17CA
DeleteObject.GDI32 ref: 004B17DD
StrokePath.GDI32(?), ref: 004B17F8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 46c66b0df4506956eabafbfff8627723e88a5a00978eb24fb242759f7d52e0fe
Instruction ID: a814294cf2f871a4de0251f4882bac8cae1b1bad347a63c64d52c7de743896ea
Opcode Fuzzy Hash: 46c66b0df4506956eabafbfff8627723e88a5a00978eb24fb242759f7d52e0fe
Instruction Fuzzy Hash: 28F01D3000824CEBDB155F15FC0CB993BA4A725326F548215E92D952F1CB344599FF69

Function 0051C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0051CA75
CoCreateInstance.OLE32(00543D3C,00000000,00000001,00543BAC,?), ref: 0051CA8D

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

CoUninitialize.OLE32 ref: 0051CCFA

Strings

.lnk, xrefs: 0051CA09, 0051CA31, 0051CA3B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 92c97a73267eb652983ac8761d798d747e8549e6a8ec74c85bb22e144ee3e1eb
Instruction ID: fc741081a8ea3480d580ca310570462937587c285bd2dc588733e487a775b28d
Opcode Fuzzy Hash: 92c97a73267eb652983ac8761d798d747e8549e6a8ec74c85bb22e144ee3e1eb
Instruction Fuzzy Hash: A2A14871204205AFD300EF64C881EABB7ECFF95718F00491DF555972A2EB70EA49CBA6

Function 004BE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 004D0FE6: std::exception::exception.LIBCMT ref: 004D101C
Part of subcall function 004D0FE6: __CxxThrowException@8.LIBCMT ref: 004D1031

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 004C1680: _memmove.LIBCMT ref: 004C16DB

__swprintf.LIBCMT ref: 004BE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004BE431

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: b85e889539f280a4e6eaa62d3c6344860e5895a9eb275f8c8d2b5b1fed4f9259
Instruction ID: 7d778aba824d3c70edcc71f2ef810294e4e0c7b17c948a682f4b0f4efe2e8ed9
Opcode Fuzzy Hash: b85e889539f280a4e6eaa62d3c6344860e5895a9eb275f8c8d2b5b1fed4f9259
Instruction Fuzzy Hash: F191C375104200AFD714EF26C895DBFB7E4EF96304F40091FF596972A2EA28ED05CB6A

Function 004D523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004D52CD

Part of subcall function 004E0320: __87except.LIBCMT ref: 004E035B

Strings

pow, xrefs: 004D52A5, 004D52C2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b2c13554bf222fb4056088b8f1820cd7e48e7bf1f34b04de1972b3fda92c85bd
Instruction ID: 3ff72c8ecc28dc0000c32d8a1191dbe7880dd8ce1a86974f8b7342c7561e4500
Opcode Fuzzy Hash: b2c13554bf222fb4056088b8f1820cd7e48e7bf1f34b04de1972b3fda92c85bd
Instruction Fuzzy Hash: 48519021A0964187CB117716CA6137F27909B10752F304D9BE4E5863E9EEBC8CCDAE4F

Function 004D0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 004D0699
+, xrefs: 004D0690

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 3cd98e10429ef468e84b5f68548ac197e3bf2a71af1f28e08820ddcb62d45643
Instruction ID: 604473a2167f3280d002edc92bafdaf77cc8a4e35eda8ca60210ab941db9b25c
Opcode Fuzzy Hash: 3cd98e10429ef468e84b5f68548ac197e3bf2a71af1f28e08820ddcb62d45643
Instruction Fuzzy Hash: D05101795002568FDB15EF28C454AFE7BA4FF56314F14805AF8929B2E0D738AC62CB61

Function 004BE7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004BE937
_memmove.LIBCMT ref: 004BE9D0
_free.LIBCMT ref: 004BE9F6
_memmove.LIBCMT ref: 004BEAA9

Strings

#VL, xrefs: 004BE9E2

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove$_free
String ID: #VL
API String ID: 2620147621-1455544002
Opcode ID: 4c8aea9570a4a7de95de07c03fd465e4297104e69e909c3fcb056de6b21acec4
Instruction ID: c5cbcf0f33afd2352df715822add82dc7524b9d2799c64edb6ad9d896c8396bb
Opcode Fuzzy Hash: 4c8aea9570a4a7de95de07c03fd465e4297104e69e909c3fcb056de6b21acec4
Instruction Fuzzy Hash: 41514A716083418FDB24CF2AC490BABB7E5BFC9314F14492EE98987351E735E801CB56

Function 004CCF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004CCFC2
_memmove.LIBCMT ref: 004CD060
_memset.LIBCMT ref: 004CD084

Strings

ERCP, xrefs: 004CCF2D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 643029c73b0f0f10f914dc8bbadc44228b097a53b95b36b8b45cc51f9fffc2d6
Instruction ID: 2736b4c4dae4925c03fbbe6bfafa0a0d7dbd22a6837f600f4bd40acb36267c4c
Opcode Fuzzy Hash: 643029c73b0f0f10f914dc8bbadc44228b097a53b95b36b8b45cc51f9fffc2d6
Instruction Fuzzy Hash: 8951C3719007099BCB64CF69C881BABBBE4FF04318F24857FE44ADB280E7359585CB49

Function 0050A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00511CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00509E4E,?,?,00000034,00000800,?,00000034), ref: 00511CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0050A3F7

Part of subcall function 00511C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00509E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00511CB0

Part of subcall function 00511BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00511C08
Part of subcall function 00511BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00509E12,00000034,?,?,00001004,00000000,00000000), ref: 00511C18
Part of subcall function 00511BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00509E12,00000034,?,?,00001004,00000000,00000000), ref: 00511C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0050A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0050A4B1

Strings

@, xrefs: 0050A4C9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 23949d5dd13512376ed9a45a08af11d518d6c19d55ecb91df6943eeeef462b42
Instruction ID: 702826d782aa732362ececcc3d60265d5f9bb3de91f40c2fa6a79a3411780701
Opcode Fuzzy Hash: 23949d5dd13512376ed9a45a08af11d518d6c19d55ecb91df6943eeeef462b42
Instruction Fuzzy Hash: F9415A7690121CAEDF10DFA4CD85ADEBBB8FB45344F104099FA45A7180DA706E89CBA1

Function 005379FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00537A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00537A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00537ABE

Strings

SysMonthCal32, xrefs: 00537A51

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a484a03b45e15fcd16d042bf5ae210221f7a22c9f7b161f8325045225515b83d
Instruction ID: e43890cad28395d6290f46b60ac71330cc9c62cd81fbfa7ff55cf58ae76d2ff5
Opcode Fuzzy Hash: a484a03b45e15fcd16d042bf5ae210221f7a22c9f7b161f8325045225515b83d
Instruction Fuzzy Hash: 0721803260421DABDF258E54CC86FEE3B69FB8C714F110114FE156B190DAB1A9559BA0

Function 005381B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0053826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0053827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00538284

Strings

msctls_updown32, xrefs: 005381E9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 19756df4cd66b015cb904396bca17ed917657a696a4ca8636325cc2ffbd1ab85
Instruction ID: 897c0c66e1865b1e27db8c41320afb9be2a65c28f16e7373344ab3e8270cfae9
Opcode Fuzzy Hash: 19756df4cd66b015cb904396bca17ed917657a696a4ca8636325cc2ffbd1ab85
Instruction Fuzzy Hash: 00218DB5600209AFDB15DF54DC85DB73BEDFB5A398B180059FA0597251CB70EC11DAA0

Function 005372D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00537360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00537370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00537395

Strings

Listbox, xrefs: 0053732D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 373f6bd88ba3ecce330cd63af2f2d34fe416c53e4cc5cb15a3c3866e9e6e88c2
Instruction ID: c583c1595e0c00274a96e894377fbbff610f94e4df945949fc93129cab2313b6
Opcode Fuzzy Hash: 373f6bd88ba3ecce330cd63af2f2d34fe416c53e4cc5cb15a3c3866e9e6e88c2
Instruction Fuzzy Hash: AE21A172604118BBDF218F54DC85EBF3BAAFB8D754F118524FA0597190C6719C519BA0

Function 00537D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00537D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00537DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00537DB9

Strings

msctls_trackbar32, xrefs: 00537D6E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4c9d846009d7c59e81ff638f9979076d9149825a74924367f2ad2f349b4b1042
Instruction ID: 5c94abe1b402b0a4838656e558ef5a68e1c26371733d555db0e8d47b02396851
Opcode Fuzzy Hash: 4c9d846009d7c59e81ff638f9979076d9149825a74924367f2ad2f349b4b1042
Instruction Fuzzy Hash: F11123B260420DBADF209F64CC05FEB3BA9FF8CB14F11452CFB41A6090C6719810DB20

Function 004EB4F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004EB544: _memset.LIBCMT ref: 004EB551

Part of subcall function 004D0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004EB520,?,?,?,004B100A), ref: 004D0B79

IsDebuggerPresent.KERNEL32(?,?,?,004B100A), ref: 004EB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004B100A), ref: 004EB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004EB52E
=U, xrefs: 004EB514

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=U
API String ID: 3158253471-4021499502
Opcode ID: 288faa75133d1eb8725f9e114071bbe3756a6a24f3e3cf4c6141e2d429fa568e
Instruction ID: 541c63c1fee73736840b7881f0c8079e49cf9528ced5d4457ba40e60de20d27b
Opcode Fuzzy Hash: 288faa75133d1eb8725f9e114071bbe3756a6a24f3e3cf4c6141e2d429fa568e
Instruction Fuzzy Hash: 63E039742047518BD320AF26E4147537AF0AB1474EF10891FE85AC2781EBB8E548DBA5

Function 0052C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004F027A,?), ref: 0052C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0052C6F9

Strings

kernel32.dll, xrefs: 0052C6E2
GetSystemWow64DirectoryW, xrefs: 0052C6F3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 0d7c6a3e3d696166466a29e3f91e4d6695d80a0edda44fd425a547e72dea6b23
Instruction ID: b2c5af30750b5431c9bcd170da54dd0f026e9e755f1f490eae9a38a5f62fd276
Opcode Fuzzy Hash: 0d7c6a3e3d696166466a29e3f91e4d6695d80a0edda44fd425a547e72dea6b23
Instruction Fuzzy Hash: BCE0C2781103228FDB205B25DC48A9E7ED4FF26309B64A42EE985C32D0D770C880CF50

Function 004C4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004C4B44,?,004C49D4,?,?,004C27AF,?,00000001), ref: 004C4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004C4B97

Strings

kernel32.dll, xrefs: 004C4B80
Wow64DisableWow64FsRedirection, xrefs: 004C4B91

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 516039a1e6f18215e9e91387e6ea352068401ab52d16275e61c80a0d3caae6e5
Instruction ID: dca2e9a5c1eabf3b85fcd52cfa6f34f5dfcdb20d00e9f4b274fdf02765ef3b51
Opcode Fuzzy Hash: 516039a1e6f18215e9e91387e6ea352068401ab52d16275e61c80a0d3caae6e5
Instruction Fuzzy Hash: 74D012785207128FD7205F31DD18B4676E4AF15355F21A83ED585D26D0E674E880DA14

Function 004C4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004C4AF7,?), ref: 004C4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004C4BCA

Strings

kernel32.dll, xrefs: 004C4BB3
Wow64RevertWow64FsRedirection, xrefs: 004C4BC4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: a0f69f53f1a1b03ae2fe978129f6d0a07f396368387ae9a3fa0b33dc605dd9a4
Instruction ID: 9ceabbf3d3ffdbc34bb00f69a43d0aa18899cdda3ef257c2a05f8b2075181908
Opcode Fuzzy Hash: a0f69f53f1a1b03ae2fe978129f6d0a07f396368387ae9a3fa0b33dc605dd9a4
Instruction Fuzzy Hash: 1ED0C2784203128FD7204F30DC08B4776D4AF05344B20AC2ED481C2694EA74D880CA00

Function 00531447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00531696), ref: 00531455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00531467

Strings

advapi32.dll, xrefs: 00531450
RegDeleteKeyExW, xrefs: 00531461

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1f0fdcddac4a9dc793c75f939ac24ed8180dd10fed698d5cea789091cca7577a
Instruction ID: fb3a8452711cc939a165698e8190ee8f724dcf2df98d8784201057fa4e58cc16
Opcode Fuzzy Hash: 1f0fdcddac4a9dc793c75f939ac24ed8180dd10fed698d5cea789091cca7577a
Instruction Fuzzy Hash: F2D01774510B228FDB209F75CC086567EE4BF17399F21D82A98E6D32A0EA70D8C0CA14

Function 004C55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004C5E3D), ref: 004C55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004C5610

Strings

kernel32.dll, xrefs: 004C55F9
GetNativeSystemInfo, xrefs: 004C560A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e36cbb9bf53b47343ab779d4bbfdd3e3545f61bc96b8311bc28041e9eb3058c9
Instruction ID: a479b184fdf9b4f6928144fe4f022f5d516b768f2a34146ee97a369c97af1f8c
Opcode Fuzzy Hash: e36cbb9bf53b47343ab779d4bbfdd3e3545f61bc96b8311bc28041e9eb3058c9
Instruction Fuzzy Hash: E6D0127C5207128FE7205F31CC0869B7AE4AF15359B21A82ED586D22D1D674D4C0CA54

Function 005297CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,005293DE,?,00540980), ref: 005297D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005297EA

Strings

kernel32.dll, xrefs: 005297D3
GetModuleHandleExW, xrefs: 005297E4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 3d28603c667011185100d7690a3dc9fdf89366b7a36b3884b5a0a0312a09224c
Instruction ID: c3a7a30c80df0115034a97b2baf23148fc89ef7b7c43e855a737dcd9169d8cee
Opcode Fuzzy Hash: 3d28603c667011185100d7690a3dc9fdf89366b7a36b3884b5a0a0312a09224c
Instruction Fuzzy Hash: B3D012745207238FEB205F31EC886467AD4FF16395F25A829D585D32D0DB74C880CA11

Function 0052E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0052E7A7
CharLowerBuffW.USER32(?,?), ref: 0052E7EA

Part of subcall function 0052DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0052DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0052E9EA
_memmove.LIBCMT ref: 0052E9FD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 0d7c15b2802acc6573ddac9af3c3681a7fd8707f0b60ad2e996dbb95d730eaeb
Instruction ID: 9b8be83aa13b6a13835801bb6f4568d553d7e9adef56615454bb4bd2295ebe0d
Opcode Fuzzy Hash: 0d7c15b2802acc6573ddac9af3c3681a7fd8707f0b60ad2e996dbb95d730eaeb
Instruction Fuzzy Hash: EDC18C716043118FC754DF24C481A6ABBE4FF8A318F14896EF8999B392D731E945CF92

Function 0052877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005287AD
CoUninitialize.OLE32 ref: 005287B8

Part of subcall function 0053DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00528A0E,?,00000000), ref: 0053DF71

VariantInit.OLEAUT32(?), ref: 005287C3
VariantClear.OLEAUT32(?), ref: 00528A94

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f5d3d1723792dd96f95cf9a53ed77b94736e1f2ab6bb2906227ed4bb7133e365
Instruction ID: 2e89119085dcb11cec911909cda89f8fcd02f2171ad9bdf86665ea398c0bb9c8
Opcode Fuzzy Hash: f5d3d1723792dd96f95cf9a53ed77b94736e1f2ab6bb2906227ed4bb7133e365
Instruction Fuzzy Hash: FFA16A75204B119FDB00EF55D481B6ABBE4BF89324F14884EF9859B3A2CB34ED44CB96

Function 0050814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00543C4C,?), ref: 00508308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00543C4C,?), ref: 00508320
CLSIDFromProgID.OLE32(?,?,00000000,00540988,000000FF,?,00000000,00000800,00000000,?,00543C4C,?), ref: 00508345
_memcmp.LIBCMT ref: 00508366

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 24c468e05b264e61ddcd06eb9ac126331b60c7590ca99fd2fc3178ff151883a6
Instruction ID: b784cdeb3e9f2bc640cece9bc477b7c7e83abe2032ef758379ab8c30ab4e1e84
Opcode Fuzzy Hash: 24c468e05b264e61ddcd06eb9ac126331b60c7590ca99fd2fc3178ff151883a6
Instruction Fuzzy Hash: 24812A75A00109EFCB04DFD4C984EEEBBB9FF89315F204559E546AB290DB71AE06CB60

Function 0050749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005074AC
SysAllocString.OLEAUT32(00000000), ref: 00507555
VariantCopy.OLEAUT32 ref: 00507584
VariantClear.OLEAUT32(?), ref: 005075AB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a3982103bfbdf174123422809584f0ef1e8035a7febe978f5179226e504d737a
Instruction ID: fcf485d6eaf033ba082b302eee7059eb2602a3ab590f0804e24e123f29e416f8
Opcode Fuzzy Hash: a3982103bfbdf174123422809584f0ef1e8035a7febe978f5179226e504d737a
Instruction Fuzzy Hash: 4151C630A08B0A9BDB209F799895A7DBBE4BF4C314B309C1FE557C72E1DA75B8408B15

Function 0052F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0052F526
Process32FirstW.KERNEL32(00000000,?), ref: 0052F534

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Process32NextW.KERNEL32(00000000,?), ref: 0052F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0052F603

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 29c300ae5664ab11638224643e4df082184d450cd6f6c4e02045f39ed065d36a
Instruction ID: afdff868667e6300a692e9450df4d550de6b0aac1f5c92fcf31c02939318ca3b
Opcode Fuzzy Hash: 29c300ae5664ab11638224643e4df082184d450cd6f6c4e02045f39ed065d36a
Instruction Fuzzy Hash: 06518D75104311AFD310EF21E885EABBBE8FF95704F00492EF585972A2EB74A904CB96

Function 004D492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004D49C0
__flush.LIBCMT ref: 004D49E0
__write.LIBCMT ref: 004D4A13
__flsbuf.LIBCMT ref: 004D4A41

Part of subcall function 004D8D58: __getptd_noexit.LIBCMT ref: 004D8D58

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 08b7e7756bff9081cd184b59a3aa7909172c24fc5924847940c5a8df192c9fba
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: ED41A471700606ABDF288FBAC8B496F7BA5AFC1364B24816FE85587740D7789D418B4C

Function 0050A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0050A68A
__itow.LIBCMT ref: 0050A6BB

Part of subcall function 0050A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0050A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0050A724
__itow.LIBCMT ref: 0050A77B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9aed4b12785a6120e3eb4bf1c7d5e8730afb4f2d00fdad69a2d2a50b521c6285
Instruction ID: 3551c45b33443320f746e7dd9ef2cf4d860080d6542b54aabe62a57f0a130df4
Opcode Fuzzy Hash: 9aed4b12785a6120e3eb4bf1c7d5e8730afb4f2d00fdad69a2d2a50b521c6285
Instruction Fuzzy Hash: 9E418C75A00309ABDF20EF55C846FEE7FB9EB49754F04001EB905A32D2DB749944CAA2

Function 00527095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005270BC
WSAGetLastError.WSOCK32(00000000), ref: 005270CC

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00527130
WSAGetLastError.WSOCK32(00000000), ref: 0052713C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5b6ae848d1b5bc4e7a66d5d34b36450ce2e22a5e65a5c4b027c9ed677b8e0078
Instruction ID: 1e55300641649925afb5749c97b6ce04af0063da19fa71dad9e26c7af092294b
Opcode Fuzzy Hash: 5b6ae848d1b5bc4e7a66d5d34b36450ce2e22a5e65a5c4b027c9ed677b8e0078
Instruction Fuzzy Hash: 3C41D3747002106FE724AF24DC86FAA77A8EF49B18F04845DFA199B3C3DA749C008BA5

Function 00526B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00540980), ref: 00526B92
_strlen.LIBCMT ref: 00526BC4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: ca5b5ba76c21fdfc5c5cbb86c0f1e8a9baba7cb0bdd44eccbe9eeac074786c8a
Instruction ID: c6065734e6d60375ce0fb507444ffd4fb8d3ee399399da92b8af434d9436e2a3
Opcode Fuzzy Hash: ca5b5ba76c21fdfc5c5cbb86c0f1e8a9baba7cb0bdd44eccbe9eeac074786c8a
Instruction Fuzzy Hash: 84411431600119ABCB04FBA5EC95FAEBBA9FF55304F10815AF90A972D2DB34AD01C794

Function 00538E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00538F03

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9afcfbdb7c4d84b4d2da010e61c005f7df7ffa05dced2cc2b9cd3646ddc6580a
Instruction ID: a5841fd9800ac3910c86a785f8a2c8c0d8b14f6fe92547ba794e2174b70ed04b
Opcode Fuzzy Hash: 9afcfbdb7c4d84b4d2da010e61c005f7df7ffa05dced2cc2b9cd3646ddc6580a
Instruction Fuzzy Hash: 2D31C334600309AFEF289A14DC45FB83FA6FB09310F244901FA15D61E1DF74D994EA51

Function 0053B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0053B1D2
GetWindowRect.USER32(?,?), ref: 0053B248
PtInRect.USER32(?,?,0053C6BC), ref: 0053B258
MessageBeep.USER32(00000000), ref: 0053B2C9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a5252355fe404c432903ec8e757d552e422e3b9c954132667a394ad1b6444887
Instruction ID: be505952ecb97da2c416cc04d1a4e8a2c6ccd80bc26687f4e74e4b395d3d2d1d
Opcode Fuzzy Hash: a5252355fe404c432903ec8e757d552e422e3b9c954132667a394ad1b6444887
Instruction Fuzzy Hash: C2419138A04109DFEF11CF58D884B9E7BF5FF89310F1846A9FA189B251D730A845DB51

Function 005112D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00511326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00511342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 005113A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005113FA

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bafe33bd10ee7919f90f68badaa4f17318999313f0bc36fa30bb7437aa402850
Instruction ID: e92d3ad3bdd934a69a711560b4fd96e26672dabb6d4017955888eb8a75494207
Opcode Fuzzy Hash: bafe33bd10ee7919f90f68badaa4f17318999313f0bc36fa30bb7437aa402850
Instruction Fuzzy Hash: 6F317C30940A08AEFF3086258C09BFDBFB5BB45310F144A8AE6A1525D8D3748DC59B9D

Function 00511410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00511465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00511481
PostMessageW.USER32(00000000,00000101,00000000), ref: 005114E0
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00511532

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6defe34f943e6e356f75e7b263d48a6b6fcc95e0ee2f566f882cdca1be2cd510
Instruction ID: 19bdd6916ef32db3bd628c4794031093b46b291a377a5e1cd799c4773563fdd1
Opcode Fuzzy Hash: 6defe34f943e6e356f75e7b263d48a6b6fcc95e0ee2f566f882cdca1be2cd510
Instruction Fuzzy Hash: A1318E30940A095EFF348B659C04BFEBF76FB95710F08438AE681521D1C3B889C59BA9

Function 004E63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004E642B
__isleadbyte_l.LIBCMT ref: 004E6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004E6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004E64BD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4d13b203cf430a75e84806617e42d976c195870f1d513f9cab0a13311a19e25d
Instruction ID: 8e9b07aacb40dcf1889bd19b53401871ff61fd9c69d815ffa383fec3ed6e4053
Opcode Fuzzy Hash: 4d13b203cf430a75e84806617e42d976c195870f1d513f9cab0a13311a19e25d
Instruction Fuzzy Hash: 07313431600296AFDB218F36CC44BAB7FA5FF51392F16412AF824872D1DB38E850DB58

Function 0053552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0053553F

Part of subcall function 00513B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00513B4E
Part of subcall function 00513B34: GetCurrentThreadId.KERNEL32 ref: 00513B55
Part of subcall function 00513B34: AttachThreadInput.USER32(00000000,?,005155C0), ref: 00513B5C

GetCaretPos.USER32(?), ref: 00535550
ClientToScreen.USER32(00000000,?), ref: 0053558B
GetForegroundWindow.USER32 ref: 00535591

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9941df6fcf66b8183c795f57b42b2aa1f5f62906a9060a282cb060bee761709c
Instruction ID: e09979a08bcc493c6e923cf5dca09c7e36d87ab69cd870765ec40d1924b94929
Opcode Fuzzy Hash: 9941df6fcf66b8183c795f57b42b2aa1f5f62906a9060a282cb060bee761709c
Instruction Fuzzy Hash: 53312F71D00108AFDB10EFA5D885DEFB7FDEF98304F10446AE515E7242EA75AE448BA4

Function 0053CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

GetCursorPos.USER32(?), ref: 0053CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004EBCEC,?,?,?,?,?), ref: 0053CB8F
GetCursorPos.USER32(?), ref: 0053CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004EBCEC,?,?,?), ref: 0053CC16

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 97f09ca70f4635ab1c33078d929a7ef70cbcb817b7502e9d2b80c0ccbf895bb6
Instruction ID: 394db416b5238ef6a4ce63e6a94495f2ac20543fd5cf279d1e2683582b801e26
Opcode Fuzzy Hash: 97f09ca70f4635ab1c33078d929a7ef70cbcb817b7502e9d2b80c0ccbf895bb6
Instruction Fuzzy Hash: C931CE35600018AFCB159F59DC69EFABFB5FB0A310F544099F909AB2A1C3319D50EFA0

Function 004D0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004D0BE2

Part of subcall function 004C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00517E51,?,?,00000000), ref: 004C4041
Part of subcall function 004C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00517E51,?,?,00000000,?,?), ref: 004C4065

_fprintf.LIBCMT ref: 004D0C19
OutputDebugStringW.KERNEL32(?), ref: 0050694C

Part of subcall function 004D4CCA: _flsall.LIBCMT ref: 004D4CE3

__setmode.LIBCMT ref: 004D0C4E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 9bb366e65d8fde2b78a99239811bc48bc48ae9c56388bbbb30b4a1a0774c4dfe
Instruction ID: d1232fc06ea760cfbdae43db24a5850b79fdaa525dfcd0ecb58155b9abe8a19a
Opcode Fuzzy Hash: 9bb366e65d8fde2b78a99239811bc48bc48ae9c56388bbbb30b4a1a0774c4dfe
Instruction Fuzzy Hash: 50112331A041046BCB08B7A6A857AFE7B28AF81328F14015FF204573C2DE39584253A9

Function 00509274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00508D3F
Part of subcall function 00508D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00508D49
Part of subcall function 00508D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D58
Part of subcall function 00508D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D5F
Part of subcall function 00508D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00508D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005092C1
_memcmp.LIBCMT ref: 005092E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0050931A
HeapFree.KERNEL32(00000000), ref: 00509321

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: af40c822d7296bf6e80a767131a55bb4b96a90f37f5a6878dc51a48363b0117f
Instruction ID: 940dbdc2b3b5cf6ab247d3a25004a1315ebbb1ad3839e8b95c356d94121db6f0
Opcode Fuzzy Hash: af40c822d7296bf6e80a767131a55bb4b96a90f37f5a6878dc51a48363b0117f
Instruction Fuzzy Hash: 24218C32E40109EFDB10DFA4C949BEEBBB8FF54305F184459E894A7296D770AA04DF90

Function 0053634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005363BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005363D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005363E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005363F3

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5ae415c9d7c176764f29496f9fd1efe208529149c65cd04f56d0cc662292028b
Instruction ID: a9c08868cb0286b5be60f0c2ebd90190ebec9f98e01876faf9d188e11a7577d2
Opcode Fuzzy Hash: 5ae415c9d7c176764f29496f9fd1efe208529149c65cd04f56d0cc662292028b
Instruction Fuzzy Hash: 0B119D35205514AFDB04AB24DC55FFA7B99EB86324F14851DFA16CB2D2CB64AD008BA4

Function 0050E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0050F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0050E46F,?,?,?,0050F262,00000000,000000EF,00000119,?,?), ref: 0050F867
Part of subcall function 0050F858: lstrcpyW.KERNEL32(00000000,?,?,0050E46F,?,?,?,0050F262,00000000,000000EF,00000119,?,?,00000000), ref: 0050F88D
Part of subcall function 0050F858: lstrcmpiW.KERNEL32(00000000,?,0050E46F,?,?,?,0050F262,00000000,000000EF,00000119,?,?), ref: 0050F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0050F262,00000000,000000EF,00000119,?,?,00000000), ref: 0050E488
lstrcpyW.KERNEL32(00000000,?,?,0050F262,00000000,000000EF,00000119,?,?,00000000), ref: 0050E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0050F262,00000000,000000EF,00000119,?,?,00000000), ref: 0050E4E2

Strings

cdecl, xrefs: 0050E4D9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d7b82652e8bcedf3075977d08b583649584597ab660e6a722631238ab292184c
Instruction ID: 463747ba17777eb2db5b410cece0bd117de10a966e5649063e36a4f78941d452
Opcode Fuzzy Hash: d7b82652e8bcedf3075977d08b583649584597ab660e6a722631238ab292184c
Instruction Fuzzy Hash: B011033A100345AFCB21AF24DC0AD7E7BA8FF85310B50442BF906CB2E0EB709840CB90

Function 004E5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004E5331

Part of subcall function 004D593C: __FF_MSGBANNER.LIBCMT ref: 004D5953
Part of subcall function 004D593C: __NMSG_WRITE.LIBCMT ref: 004D595A
Part of subcall function 004D593C: RtlAllocateHeap.NTDLL(01870000,00000000,00000001,?,00000004,?,?,004D1003,?), ref: 004D597F

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6631c454ce6057006449512f6b2e585ec792cad10a9d1744cc480f92a34b680a
Instruction ID: 10342d3c23e81a06c3887e0933b479d51362d350362311e28889e087d9ff94f0
Opcode Fuzzy Hash: 6631c454ce6057006449512f6b2e585ec792cad10a9d1744cc480f92a34b680a
Instruction Fuzzy Hash: 33112B31505A55AFCB202F73BC1566B3B945F213AEF20091FFD08963D0DEBC89409758

Function 00514365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00514385
_memset.LIBCMT ref: 005143A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005143F8
CloseHandle.KERNEL32(00000000), ref: 00514401

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 6462549dd1f9a6cb4e44a1e4f8a81fff462e8fe4ea38af1797132212826e2878
Instruction ID: dbe67f7c73af867ea8cf080e275cc36024fd3b7b069ea62b2659b427f685523a
Opcode Fuzzy Hash: 6462549dd1f9a6cb4e44a1e4f8a81fff462e8fe4ea38af1797132212826e2878
Instruction Fuzzy Hash: 1B11E7759012287AE7309BA5AC4DFEBBB7CEF45724F10459AF908E72C0D2744E808BA4

Function 00526A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00517E51,?,?,00000000), ref: 004C4041
Part of subcall function 004C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00517E51,?,?,00000000,?,?), ref: 004C4065

gethostbyname.WSOCK32(?,?,?), ref: 00526A84
WSAGetLastError.WSOCK32(00000000), ref: 00526A8F
_memmove.LIBCMT ref: 00526ABC
inet_ntoa.WSOCK32(?), ref: 00526AC7

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 8045fb0f6ad11eb7eec0907c1ae45b72d53988787b42730773156ae50e476156
Instruction ID: 240d68ce49da507407da4fc4b0bd33c7bc61dd7f9fa9ba3b9f4ffdb846e0b8a3
Opcode Fuzzy Hash: 8045fb0f6ad11eb7eec0907c1ae45b72d53988787b42730773156ae50e476156
Instruction Fuzzy Hash: DC118475500009AFCB00EBA5DD46DEE77B8FF55304B14405AF501A72A2DF34AE04DBA1

Function 004B166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004B29E2: GetWindowLongW.USER32(?,000000EB), ref: 004B29F3

DefDlgProcW.USER32(?,00000020,?), ref: 004B16B4
GetClientRect.USER32(?,?), ref: 004EB93C
GetCursorPos.USER32(?), ref: 004EB946
ScreenToClient.USER32(?,?), ref: 004EB951

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4d490e1d979497b044fd7e427f4022ea66bcb961999ecb40a20c051921b5126a
Instruction ID: fb3d18daa45112fce199f7d7a13d61bdc2f495730e5a4f833f49eac89b445c65
Opcode Fuzzy Hash: 4d490e1d979497b044fd7e427f4022ea66bcb961999ecb40a20c051921b5126a
Instruction Fuzzy Hash: 4A118839A00019ABCB00EF98D899DFE77B8FB19300F54044AFA01E7160D334BA51DBB9

Function 005096F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00509719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0050972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00509741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0050975C

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 17bd4046ee136b98d8adf10b8e5a266ebffe0f49dfdac657bf1d58dc2202d298
Instruction ID: 3c87ae7a4aac6472f8d9203b28f5fcd04f1767e707e38df71399d4d14b49de56
Opcode Fuzzy Hash: 17bd4046ee136b98d8adf10b8e5a266ebffe0f49dfdac657bf1d58dc2202d298
Instruction Fuzzy Hash: AC11487A901218FFEB10DF95C984E9DBBB8FB49710F204091EA04B7294D671AE10DB90

Function 004B2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004B214F
GetStockObject.GDI32(00000011), ref: 004B2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 004B216D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 670482d66643bdc2f34e6c8d74ffb1554a2afad3dbe04a824a9be370c6330386
Instruction ID: d4a55342d2702c8e0e6abe0da978c9058729a8dd29d198d8ac8a03103620b549
Opcode Fuzzy Hash: 670482d66643bdc2f34e6c8d74ffb1554a2afad3dbe04a824a9be370c6330386
Instruction Fuzzy Hash: 9311EDB2101108BFDF024F98DC40EEB7B68EF29398F040106FB0442160C775DC60EBA1

Function 00511941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005104EC,?,0051153F,?,00008000), ref: 0051195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,005104EC,?,0051153F,?,00008000), ref: 00511983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005104EC,?,0051153F,?,00008000), ref: 0051198D
Sleep.KERNEL32(?,?,?,?,?,?,?,005104EC,?,0051153F,?,00008000), ref: 005119C0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cb329bfe3cdeccd4bdb13e4641ed017349ac6507b0deb591236c9b19ec65f60c
Instruction ID: 2ff919fb62ca0651cc9dde7edccabd149d851ca8087f3814d7f6b30624fc008c
Opcode Fuzzy Hash: cb329bfe3cdeccd4bdb13e4641ed017349ac6507b0deb591236c9b19ec65f60c
Instruction Fuzzy Hash: 9B115A31C0091CDBDF00AFA5D998BEEBF78FF19741F004486EA90B2280CB309690DB99

Function 0053E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0053E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0053E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0053E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0053E234

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f164b18d29c53e8082861f1d909eb8535a01209f261ee195eec834612290e43f
Instruction ID: c6c8909821e00d2daf08bdd2c66465bf09b09ada35314ce7eeb545f604c06641
Opcode Fuzzy Hash: f164b18d29c53e8082861f1d909eb8535a01209f261ee195eec834612290e43f
Instruction Fuzzy Hash: D9115EB92053149BE7308F51DD0AF93BBFCFB01B04F108959B616D61D0D7B0E508ABA1

Function 004E71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004E720B

Part of subcall function 004E78F2: __fltout2.LIBCMT ref: 004E791B

__cftog_l.LIBCMT ref: 004E7231
__cftoe_l.LIBCMT ref: 004E7263

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 74a9329e89e19570b9d1704a451c9f52d514f834f653e7b4b3593c272f8cd85b
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BF01957204818EBBCF125E86CC41CEE3F23BF19366F048556FA1858131C33AC971AB85

Function 0053B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0053B956
ScreenToClient.USER32(?,?), ref: 0053B96E
ScreenToClient.USER32(?,?), ref: 0053B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0053B9AD

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 60902a1554e04cc3eaf77cf95db1dbf32ca4592390891590c0125515e0b58f14
Instruction ID: 23111b39f2e1515221f0aae3156b4703624c3ab6852dfa12497b4dba6b7f4d3a
Opcode Fuzzy Hash: 60902a1554e04cc3eaf77cf95db1dbf32ca4592390891590c0125515e0b58f14
Instruction Fuzzy Hash: 171174B9D00209EFDB41CF98C884AEEBBF9FF59310F104156E915E3210D731AA659F50

Function 0053BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0053BCB6
_memset.LIBCMT ref: 0053BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00578F20,00578F64), ref: 0053BCF4
CloseHandle.KERNEL32 ref: 0053BD06

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 8e55e341bca083bd453e84a160cb92988109b276cbf83c5a49fd4c2bafdec6dc
Instruction ID: 3bc1cbed0314487d112631a0a12f66c0f16653e453060cb74a783432eef61221
Opcode Fuzzy Hash: 8e55e341bca083bd453e84a160cb92988109b276cbf83c5a49fd4c2bafdec6dc
Instruction Fuzzy Hash: 7FF03AB26803047AE2502F61AC09FBB3E9DEB29755F004822FA0CD51A2DB754C54B7A9

Function 00517195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005171A1

Part of subcall function 00517C7F: _memset.LIBCMT ref: 00517CB4

_memmove.LIBCMT ref: 005171C4
_memset.LIBCMT ref: 005171D1
LeaveCriticalSection.KERNEL32(?), ref: 005171E1

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: d15c100bda0be67828bd069dbc18fcf07346f1537f32ecbea7f19b74f0030799
Instruction ID: abb0532684ca07bcbf45f342642bac72087b99499448019b7e54fba2cd9435f0
Opcode Fuzzy Hash: d15c100bda0be67828bd069dbc18fcf07346f1537f32ecbea7f19b74f0030799
Instruction Fuzzy Hash: 6BF0303A100104ABCB016F55DC89A8ABB69EF45365F04C056FE085E26AC735A955DBB4

Function 0053C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B1729
Part of subcall function 004B16CF: SelectObject.GDI32(?,00000000), ref: 004B1738
Part of subcall function 004B16CF: BeginPath.GDI32(?), ref: 004B174F
Part of subcall function 004B16CF: SelectObject.GDI32(?,00000000), ref: 004B1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0053C3E8
LineTo.GDI32(00000000,?,?), ref: 0053C3F5
EndPath.GDI32(00000000), ref: 0053C405
StrokePath.GDI32(00000000), ref: 0053C413

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ad8e083f55698307c67ab99dacedc6bdda8356ef1a7c28058fa5d4fae55a71a8
Instruction ID: 72cf6a9aa6b4113eb6251bc51c8262cdb3fd1946a662644b15aca6b5acbfcaaa
Opcode Fuzzy Hash: ad8e083f55698307c67ab99dacedc6bdda8356ef1a7c28058fa5d4fae55a71a8
Instruction Fuzzy Hash: C8F0E235005258BBDB232F50AC0DFCE3F59AF2A315F548000FB15610E283B41559FFA9

Function 0050AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0050AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0050AA82
GetCurrentThreadId.KERNEL32 ref: 0050AA89
AttachThreadInput.USER32(00000000), ref: 0050AA90

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8627bbbafe9edb7d42fafddb4a698375a6f8bd9cb6166e8f13818f0dde3b664d
Instruction ID: b41ff9c3460c0bdfc1f3dff957cf602e182b85ac50f85ef3f905b306701505ee
Opcode Fuzzy Hash: 8627bbbafe9edb7d42fafddb4a698375a6f8bd9cb6166e8f13818f0dde3b664d
Instruction Fuzzy Hash: E7E03931641328BADB215FA29E0CEEB3F1CFF227A1F108011FA0A850D0C771C554DBA0

Function 004B25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004B260D
SetTextColor.GDI32(?,000000FF), ref: 004B2617
SetBkMode.GDI32(?,00000001), ref: 004B262C
GetStockObject.GDI32(00000005), ref: 004B2634
GetWindowDC.USER32(?,00000000), ref: 004EC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 004EC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 004EC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 004EC203
GetPixel.GDI32(00000000,?,?), ref: 004EC223
ReleaseDC.USER32(?,00000000), ref: 004EC22E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 28be68adf6e938f82605d3321695b42b3ca3f55bab27190fa47258dae1db0bfe
Instruction ID: c271f3cc74dbf2e71a180a51a317873359819bf4671ce81678dbe10afe539fb4
Opcode Fuzzy Hash: 28be68adf6e938f82605d3321695b42b3ca3f55bab27190fa47258dae1db0bfe
Instruction Fuzzy Hash: 11E0E531500284BBDB210F64AC487D83B10EB16336F109366FB68480E183710584EF11

Function 00509330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00509339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00508F04), ref: 00509340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00508F04), ref: 0050934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00508F04), ref: 00509354

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 994ca19a6e0e383bea0a2b8ff65234c90db7beb46c8a29eaf9c2f77209411218
Instruction ID: 24728ad9fefbbf8e2e675a11615d885cd36708c9bfbbb658ca3240b5665a0e50
Opcode Fuzzy Hash: 994ca19a6e0e383bea0a2b8ff65234c90db7beb46c8a29eaf9c2f77209411218
Instruction Fuzzy Hash: E3E04F3A6012119BD7205FB19D0DBDA3BACAF6279AF208C18A745C90D0E6349448DB50

Function 004F0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004F0679
GetDC.USER32(00000000), ref: 004F0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004F06A3
ReleaseDC.USER32(?), ref: 004F06C4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 28baad6c0ef07f6eeea6f46d8623534395be05c6bd7522c5f1e0dcc41c1e6d81
Instruction ID: c0c66a2034ce4bd0293f0acff4b8e6fc8b21efa859448a576700f019fcc509b0
Opcode Fuzzy Hash: 28baad6c0ef07f6eeea6f46d8623534395be05c6bd7522c5f1e0dcc41c1e6d81
Instruction Fuzzy Hash: 19E0ED79800204DFDB415F60D80869D7BB5EB98318F219409FE5A97250C7385556AF55

Function 004F068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004F068D
GetDC.USER32(00000000), ref: 004F0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004F06A3
ReleaseDC.USER32(?), ref: 004F06C4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2101874b4e615c477f8cecb64acb96da920cd09be12444de4377ae6d364ea73a
Instruction ID: dc01518eaf515084a2942e9d2da072222317f09536eac663133a4a87ef696ee9
Opcode Fuzzy Hash: 2101874b4e615c477f8cecb64acb96da920cd09be12444de4377ae6d364ea73a
Instruction Fuzzy Hash: 8FE01A79800204AFCB419F60D8086DD7BF5EFAC318F218409FE5AA7290CB389556AF54

Function 0051B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004C436A: _wcscpy.LIBCMT ref: 004C438D

Part of subcall function 004B4D37: __itow.LIBCMT ref: 004B4D62
Part of subcall function 004B4D37: __swprintf.LIBCMT ref: 004B4DAC

__wcsnicmp.LIBCMT ref: 0051B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0051B739

Strings

LPT, xrefs: 0051B66A

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b893abcdb08dbca74d4cedeb49ccfaa6f9a881d6e2117d2a9c962e025ff8ac7d
Instruction ID: 0ba5814c3424afce84933b17b367c280da52f8d853d671fabf3a15cdf2e6d29a
Opcode Fuzzy Hash: b893abcdb08dbca74d4cedeb49ccfaa6f9a881d6e2117d2a9c962e025ff8ac7d
Instruction Fuzzy Hash: 70617175A00219AFEB14DF54C895EEEBBB4FF88310F10405AF946AB391D774AE80CB54

Function 004F7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004F7237
_memmove.LIBCMT ref: 004F7291

Strings

#VL, xrefs: 004F730B, 004FCAB3, 004FCACF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _memmove
String ID: #VL
API String ID: 4104443479-1455544002
Opcode ID: ed52ba59dd125920568edfc2a4267409331458e80aea695c913e49b9978fbab4
Instruction ID: 1c6f60f785d4f8370eb974ca0cee2d39774d86aa6055c8c53421df10d5dbae56
Opcode Fuzzy Hash: ed52ba59dd125920568edfc2a4267409331458e80aea695c913e49b9978fbab4
Instruction Fuzzy Hash: A6518D70A00609DFCF24CFA8C980ABEBBB0FF44304F14852AE95AD7350E738A955CB55

Function 004BE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004BE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 004BE037

Strings

@, xrefs: 004BE02B

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9f939185d32eab51932bb201694471a2a7e34e2572ee722fa1d9e070553416e0
Instruction ID: b0e87a5987cb9a89ec88edc3cb81cb2d08494298afd51d22871221bc79be055e
Opcode Fuzzy Hash: 9f939185d32eab51932bb201694471a2a7e34e2572ee722fa1d9e070553416e0
Instruction Fuzzy Hash: 2C5159715087449BE320AF51E885BAFBBF8FBC4318F51484EF2D941192EB749528CB2A

Function 00538096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00538186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0053819B

Strings

', xrefs: 005380EF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0ce17b360bedc880eb8d8987cc26696c53d98d5ba9efe7fc9e8b749d8d9624e6
Instruction ID: 722f404f4cda974f35dacdb6958c46c100eb77a525baa26e6a7646e773f10443
Opcode Fuzzy Hash: 0ce17b360bedc880eb8d8987cc26696c53d98d5ba9efe7fc9e8b749d8d9624e6
Instruction Fuzzy Hash: 00412874A013099FDB18CF64D885BEA7BB5FB08340F10046AF908EB351DB70A946DFA0

Function 00522C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00522C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00522CA0

Strings

|, xrefs: 00522C71

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8204d35aeb6e0b4b125b8bcc15d1425d6b7782b3e3bf7ad68f2e6ff04d4ee69c
Instruction ID: 5fbeb381091f3e0a7f773208a79539de3817124bb00af1f905c70009959708e7
Opcode Fuzzy Hash: 8204d35aeb6e0b4b125b8bcc15d1425d6b7782b3e3bf7ad68f2e6ff04d4ee69c
Instruction Fuzzy Hash: 65311975C00119ABDF41EFA1DC85EEEBFB9FF05308F10001AF915A6272DA355916DBA4

Function 00537088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0053713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00537178

Strings

static, xrefs: 005370D8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d37afdf7d137072b9f8f09a362bba4229cd2677ea5fe9f5ee4661fc15eaf9461
Instruction ID: 718dcf3ce1feb13cf1057e224fe8a387089b88b21dee994d5295e85c9e07ad46
Opcode Fuzzy Hash: d37afdf7d137072b9f8f09a362bba4229cd2677ea5fe9f5ee4661fc15eaf9461
Instruction Fuzzy Hash: AA31A171500608AEEB249F78CC84AFB77B9FF88724F10961DF99587191DA30AC91DB60

Function 00513049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005130B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005130F3

Strings

0, xrefs: 005130B1

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: da74aeaa2869c0b7a9d3d9c7373a06724827fcd4de5085f14f7754c35f799674
Instruction ID: 4b9b523c385934f215ac892472febe6e0a97340e07f637ca4b1527d200f3404a
Opcode Fuzzy Hash: da74aeaa2869c0b7a9d3d9c7373a06724827fcd4de5085f14f7754c35f799674
Instruction Fuzzy Hash: EE31DF31A40209ABFB248F58D895BEEBFB8FB05350F24401DE985A61A0D7709F84DB50

Function 005240B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00524132

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Strings

, $, xrefs: 00524172
AUTOITCALLVARIABLE%d, xrefs: 00524124

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: e7d14079e5d9bdbafaea8060995673c5153db957b6e4f2575a7a3ecbcd5edcc6
Instruction ID: 75893cbc3ddf75f72a55d197cd3fc7e444d6df31dcbe199e4a837e16e8b82c00
Opcode Fuzzy Hash: e7d14079e5d9bdbafaea8060995673c5153db957b6e4f2575a7a3ecbcd5edcc6
Instruction Fuzzy Hash: 3721C174A00229ABCF10EF65D892FAE7BB8BF55344F000459F905A7282DB34E995CFA5

Function 00536CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00536D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00536D91

Strings

Combobox, xrefs: 00536D53

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ae5acc351f17a52ec2996b72cb65b391cf696f3eb87c1b340d4b24a5cabe75d7
Instruction ID: 60b0961ac95d8c63caa8f09ccd260d8e8f6cf0c6267b05da8c5d80086f9db295
Opcode Fuzzy Hash: ae5acc351f17a52ec2996b72cb65b391cf696f3eb87c1b340d4b24a5cabe75d7
Instruction Fuzzy Hash: 69119071300209BFEF219E54DC81EFB3F6AFB883A4F118529F9189B290D6719C5097A0

Function 0053722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004B214F
Part of subcall function 004B2111: GetStockObject.GDI32(00000011), ref: 004B2163
Part of subcall function 004B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 004B216D

GetWindowRect.USER32(00000000,?), ref: 00537296
GetSysColor.USER32(00000012), ref: 005372B0

Strings

static, xrefs: 00537273

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d4b00e6bc79ada17ae21f4a5807ff15f69f3c1a2078221e055e8ea40c5615e07
Instruction ID: b4826ed37a4f3fe64227f9ebf8761731d2284f7e81027b18c058e7aafd158d4f
Opcode Fuzzy Hash: d4b00e6bc79ada17ae21f4a5807ff15f69f3c1a2078221e055e8ea40c5615e07
Instruction Fuzzy Hash: 7B214776A1420AAFDB14DFA8CC45AFA7BE8FB08304F105518FE55D3251D734A8509B60

Function 00536F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00536FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00536FD6

Strings

edit, xrefs: 00536FAB

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1b3ad440715d6924113ace8f0d29c1d0a6b39c65028df912309b15c2fe01112a
Instruction ID: 4461db0f923131ec6b8960b86f3be01d2eb2ad5ab9cc92fda5b36031ded825a7
Opcode Fuzzy Hash: 1b3ad440715d6924113ace8f0d29c1d0a6b39c65028df912309b15c2fe01112a
Instruction Fuzzy Hash: 1A116D71100209BBEB104E64AC84EFB3F69FB15368F209718FA64931E4C775DC90AB60

Function 00513156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005131C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005131E8

Strings

0, xrefs: 005131BF

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2d30ed0aeda0497587678b9ad481907ae20e50af5806832a506ac583a655006c
Instruction ID: bcca0cdbee2e371cf8e4d696804e81f1e5fda68e33e57cd424dcc53791d2cca8
Opcode Fuzzy Hash: 2d30ed0aeda0497587678b9ad481907ae20e50af5806832a506ac583a655006c
Instruction Fuzzy Hash: 78112636940218BBFB20DB98EC15BDD7BBCBB05300F144122E816A7290D774AF89DB91

Function 004B34E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004B351D
DestroyWindow.USER32(?,?,004C4E61), ref: 004B3576

Strings

hT, xrefs: 004B34E5

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: hT
API String ID: 2587070983-71396654
Opcode ID: 37d5366bd4dbe97ed992c954f1fb7ded6a569294940e02707d37c33dd81b619f
Instruction ID: 773f54d05bb3f154f20865fb129e4b6e1ebe84fb0edb1d6ea8cbfc00e4e16636
Opcode Fuzzy Hash: 37d5366bd4dbe97ed992c954f1fb7ded6a569294940e02707d37c33dd81b619f
Instruction Fuzzy Hash: E8214834608214DFD728DF1AF858BA933E0F758316B14415EE40A87360D738DE89FB6A

Function 005228A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005228F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00522921

Strings

<local>, xrefs: 005228E9

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 15fa0e6d842274aae9f71fa25d36fe90f66c33b2993728ab005a24c125b6ec72
Instruction ID: af108ca409d9d368d548c32efa7b441c12c90280cb595dfebae9ae0b93c12d2b
Opcode Fuzzy Hash: 15fa0e6d842274aae9f71fa25d36fe90f66c33b2993728ab005a24c125b6ec72
Instruction Fuzzy Hash: 3911C178501335BAEB248A519C88EF6BF68FF17354F10462AF50582080E370A894DAE0

Function 0051D116 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0051D180

Strings

0.0.0.0, xrefs: 0051D18E
L,T, xrefs: 0051D12E

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,T
API String ID: 856254489-3887575609
Opcode ID: 45624a6d1f05d226045a171b362992e7c7ac4aa52ad80059006dd518e582d985
Instruction ID: 0936fbabd80aa7e7a4d05e4fad2b6e7cd34e0ed233be3fa8e10631526d9ca522
Opcode Fuzzy Hash: 45624a6d1f05d226045a171b362992e7c7ac4aa52ad80059006dd518e582d985
Instruction Fuzzy Hash: 8B11B635740214AFDB04EE55C881DE9BBB9BF84714F108449F9095B3A2CA34ED81CB74

Function 00528475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005286E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0052849D,?,00000000,?,?), ref: 005286F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005284A0
htons.WSOCK32(00000000,?,00000000), ref: 005284DD

Strings

255.255.255.255, xrefs: 005284B8

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 566b9b708c9ce6a6c032d9a8bdbf32dbf5935dbb7518f47f2b4497383e0e8703
Instruction ID: 7877e6cdba4bef04024f112b849c079cabc004bba59e8726fa53b8c87d602c27
Opcode Fuzzy Hash: 566b9b708c9ce6a6c032d9a8bdbf32dbf5935dbb7518f47f2b4497383e0e8703
Instruction Fuzzy Hash: CC11E53560021AABDF10AFA4DC46FFEBB64FF55318F10451AFA11972D1DB31A814C695

Function 005099BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00509A2B

Strings

ComboBox, xrefs: 005099CA
ListBox, xrefs: 005099F5

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d92c4e77e74560d0bd89a1a349aa6abe7c9a87ba40c6c15603ba3a6ed86c7ed5
Instruction ID: c80f21c9c28355581a665b1935766f148b899a01db266560c09f0177ceb3fdb2
Opcode Fuzzy Hash: d92c4e77e74560d0bd89a1a349aa6abe7c9a87ba40c6c15603ba3a6ed86c7ed5
Instruction Fuzzy Hash: 92012875A42114ABCF14EBA4CC52DFE7B69FF52320B10060EF872532D6DF3558089650

Function 004BBBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004BBC07

Part of subcall function 004C1821: _memmove.LIBCMT ref: 004C185B

_wcscat.LIBCMT ref: 004F3593

Strings

sW, xrefs: 004BBC47

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: sW
API String ID: 257928180-355236606
Opcode ID: ee7b637977de2091d094be4a0ad6a8cb683bbf67338a9896b1441719d744a13c
Instruction ID: 95888cdba9fcd02084ad4b1dcc6dfa81c1800088807fbb0c2dfacdc15fc7eeb2
Opcode Fuzzy Hash: ee7b637977de2091d094be4a0ad6a8cb683bbf67338a9896b1441719d744a13c
Instruction Fuzzy Hash: EE11C634904208968B00EFA4A842EDD7BB8FF09344B1044AFB94997291DFB497846B65

Function 0051934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00519367
__fread_nolock.LIBCMT ref: 0051937C

Strings

EA06, xrefs: 005193AE

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c2d72e102bbb791409d5d3653e6c35a44dada660cd15b8fd2663ebaef0e1a4b2
Instruction ID: db66d1a4ac830750199d6b959729d5f31faeb6e65f3ee03faa0cfd40df19e6eb
Opcode Fuzzy Hash: c2d72e102bbb791409d5d3653e6c35a44dada660cd15b8fd2663ebaef0e1a4b2
Instruction Fuzzy Hash: 8E01F9729042587EEB18D6A9C856EFEBBF89B01301F00469FF552D2281E979A6148760

Function 005098B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00509923

Strings

ComboBox, xrefs: 005098C2
ListBox, xrefs: 005098ED

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a3240ef86101f4a74e0b3711abe233fef448b11790d7f79b866b9f2895341de0
Instruction ID: 2846ed28bead1afcb651eb5eb73ad447e3e7483c987945eb3d481b71331b1feb
Opcode Fuzzy Hash: a3240ef86101f4a74e0b3711abe233fef448b11790d7f79b866b9f2895341de0
Instruction Fuzzy Hash: 9401DB76A421046BCB14EBA0C956FFF7BACEF56340F14011EB852732D7DA159E0896B1

Function 0050993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1A36: _memmove.LIBCMT ref: 004C1A77

Part of subcall function 0050B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0050B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 005099A6

Strings

ComboBox, xrefs: 00509947
ListBox, xrefs: 00509972

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5637d60e681c5d34bd619ae537aa73d07d5ea7abb7cda49904beabb1c901dd33
Instruction ID: 794ec292cb7e1402142e102c5b5c386f4104e27c0f460cda3b391dbb3dc6530d
Opcode Fuzzy Hash: 5637d60e681c5d34bd619ae537aa73d07d5ea7abb7cda49904beabb1c901dd33
Instruction Fuzzy Hash: E401DB76A4210967CB10EBA4CA52FFF7BACAF12340F10041EB846732D7DA259E089671

Function 004D6D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004D6DC0
__calloc_crt.LIBCMT ref: 004D6DD9

Strings

@bW, xrefs: 004D6DF0

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: __calloc_crt
String ID: @bW
API String ID: 3494438863-757045664
Opcode ID: 6a852750895b7022b0eb1285b05a8f6098ff2dc22593dd9b669237d0c6829e1a
Instruction ID: 3d6081c33436612a207b11481f0c64b15d6434378343aa33cd2eae4de99b42d8
Opcode Fuzzy Hash: 6a852750895b7022b0eb1285b05a8f6098ff2dc22593dd9b669237d0c6829e1a
Instruction Fuzzy Hash: FCF0447530C2168BE7648B19BC216A627D6E714724F11546BF118CA396E7388CC56688

Function 005154E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00515501
_wcscmp.LIBCMT ref: 00515513

Strings

#32770, xrefs: 0051550D

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 523632909b7099edec279b6ad8dac06a2ed2f20242e1724be1e92eb1380774d4
Instruction ID: 6dbf7baefc454473c42f029d85f7f9890ae6806cbae72c1c14ee4cc0d771d23b
Opcode Fuzzy Hash: 523632909b7099edec279b6ad8dac06a2ed2f20242e1724be1e92eb1380774d4
Instruction Fuzzy Hash: 38E0617650022867E7109A59AC09FEBFBECEB55731F000017FD04D3051F570A94487E1

Function 00508892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005088A0

Part of subcall function 004D3588: _doexit.LIBCMT ref: 004D3592

Strings

AutoIt, xrefs: 00508894
Error allocating memory., xrefs: 00508899

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 107f02c774d396c970f6be1044d465f5a8ae2379dca60f448fd435e382af7822
Instruction ID: 3daf0e8f90be1c631c52f8900e62592257c6ffa1b3dc3a3d92a0b52bbe661b14
Opcode Fuzzy Hash: 107f02c774d396c970f6be1044d465f5a8ae2379dca60f448fd435e382af7822
Instruction Fuzzy Hash: B0D02B3138032832D22032A57C2FFCA3E488F05B5AF00442FFF08651C34DE989C041D9

Function 004F0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 004F0091

Part of subcall function 0052C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,004F027A,?), ref: 0052C6E7
Part of subcall function 0052C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0052C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 004F0289

Strings

WIN_XPe, xrefs: 004F00A4

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 471c5416355ad427aa5d5d000ca26f8455753e361e07b2488c8a126e34261369
Instruction ID: da0f22990dd5d51770b84b844335cf3048e18467bc4dbfc168c28e63a950f930
Opcode Fuzzy Hash: 471c5416355ad427aa5d5d000ca26f8455753e361e07b2488c8a126e34261369
Instruction Fuzzy Hash: 1BF03070804109DFCB25DB60D948BFD7BF8AB88304F241086E306A2291CB745F85EF25

Function 004C5800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,zW0zW,00577A2C,00577890,?,004C5A53,00577A2C,00577A30,?,00000004), ref: 004C5823

Strings

SZL,zW0zW, xrefs: 004C5804
,zW0zW, xrefs: 004C5808, 004C5821

Memory Dump Source

Source File: 0000000A.00000002.2319349962.00000000004B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004B0000, based on PE: true

Associated: 0000000A.00000002.2319111667.00000000004B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000540000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319545760.0000000000566000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319612947.0000000000570000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2319649878.0000000000579000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_Approaches.jbxd

Similarity

API ID: DestroyIcon
String ID: ,zW0zW$SZL,zW0zW
API String ID: 1234817797-1022688643
Opcode ID: 450dc1450bc8bb00de05d2db7c401bf2685ebb90b92a595e73c96e901cd9ac86
Instruction ID: e684a68824a9cc96fa6364273251553694b81b7bd8cdfbf061896aef6a9d794b
Opcode Fuzzy Hash: 450dc1450bc8bb00de05d2db7c401bf2685ebb90b92a595e73c96e901cd9ac86
Instruction Fuzzy Hash: B9E0C23A014206EBE7203F08D800B9AFBE8EF21321F34801BE08056150D3B978F0DBA9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1XZFfxyWZA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Temp\667869\Approaches.pif

C:\Users\user\AppData\Local\Temp\667869\N

C:\Users\user\AppData\Local\Temp\667869\RegAsm.exe

C:\Users\user\AppData\Local\Temp\Abu

C:\Users\user\AppData\Local\Temp\Accepted

C:\Users\user\AppData\Local\Temp\Accepted.bat

C:\Users\user\AppData\Local\Temp\Mac

C:\Users\user\AppData\Local\Temp\Marco

Windows Analysis Report
1XZFfxyWZA.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre