Edit tour

Windows Analysis Report
R2T8ccXCek.exe

Overview

General Information

Sample name:	R2T8ccXCek.exe renamed because original name is a hash value
Original sample name:	e788c2cf1c0760d6672ea1ff733581f31c9a2e05019dec1ed1eaa341c8710a05.exe
Analysis ID:	1554994
MD5:	a8dfbb9f5cf96f742c05776b0a5b4fe8
SHA1:	600e98dad7e474b7c49557516dfd398087e49914
SHA256:	e788c2cf1c0760d6672ea1ff733581f31c9a2e05019dec1ed1eaa341c8710a05
Tags:	ConsolHQLTDexeuser-JAMESWT_MHT
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

R2T8ccXCek.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\R2T8ccXCek.exe" MD5: A8DFBB9F5CF96F742C05776B0A5B4FE8)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: R2T8ccXCek.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: R2T8ccXCek.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: R2T8ccXCek.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: R2T8ccXCek.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: R2T8ccXCek.exe

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF43B0 FindFirstFileW,GetLastError,FindClose,	0_2_00AF43B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B12380 FindFirstFileW,FindClose,	0_2_00B12380
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A0A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00A0A950
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B114D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00B114D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_00AF3DE0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AFC0B0 FindFirstFileW,FindClose,FindClose,	0_2_00AFC0B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B0E3A0 FindFirstFileW,FindClose,	0_2_00B0E3A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1E610 FindFirstFileW,FindClose,	0_2_00B1E610
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B1B3D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1B7D0 FindFirstFileW,FindClose,	0_2_00B1B7D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00AF3A50
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B2FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B2FB20

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B1A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00B1A620

Source: R2T8ccXCek.exe	String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: R2T8ccXCek.exe, 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmp, R2T8ccXCek.exe, 00000000.00000000.2113182248.0000000000C08000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B315E0 NtdllDefWindowProc_W,	0_2_00B315E0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AB1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00AB1FB0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A50010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00A50010
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A02250 NtdllDefWindowProc_W,	0_2_00A02250
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A0C4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00A0C4F0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A08720 NtdllDefWindowProc_W,	0_2_00A08720
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A08890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00A08890
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_009FEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_009FEBE0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A46EE0 NtdllDefWindowProc_W,	0_2_00A46EE0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_009FF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_009FF190
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A1D320 NtdllDefWindowProc_W,	0_2_00A1D320
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A115F0 NtdllDefWindowProc_W,	0_2_00A115F0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A01670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00A01670
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_009FF7C0 NtdllDefWindowProc_W,	0_2_009FF7C0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A01C90 NtdllDefWindowProc_W,	0_2_00A01C90
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A97F20 NtdllDefWindowProc_W,	0_2_00A97F20

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_3_006D4F09	0_3_006D4F09
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A0A950	0_2_00A0A950
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B2B350	0_2_00B2B350
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B07D70	0_2_00B07D70
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A141B0	0_2_00A141B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B8E2BE	0_2_00B8E2BE
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A0E290	0_2_00A0E290
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B8E64C	0_2_00B8E64C
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AD2A50	0_2_00AD2A50
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00BA8B95	0_2_00BA8B95
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A08CD0	0_2_00A08CD0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_009F2F40	0_2_009F2F40
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A252F0	0_2_00A252F0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A135A0	0_2_00A135A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A65570	0_2_00A65570
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A17630	0_2_00A17630
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00ACB7A0	0_2_00ACB7A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A21860	0_2_00A21860
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A4FA40	0_2_00A4FA40
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B9DD6A	0_2_00B9DD6A
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A63FC0	0_2_00A63FC0

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 009F8800 appears 187 times
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 00B83CF9 appears 33 times
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 009F99C0 appears 69 times
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 009F6FF0 appears 39 times
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 009F9390 appears 41 times
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: String function: 00A23810 appears 112 times

Source: R2T8ccXCek.exe, 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameInstaller.exe4 vs R2T8ccXCek.exe
Source: R2T8ccXCek.exe	Binary or memory string: OriginalFileNameInstaller.exe4 vs R2T8ccXCek.exe
Source: R2T8ccXCek.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs R2T8ccXCek.exe

Source: R2T8ccXCek.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00AF2230 FormatMessageW,GetLastError,

0_2_00AF2230

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B1C990 GetDiskFreeSpaceExW,

0_2_00B1C990

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B36D50 CoCreateInstance,

0_2_00B36D50

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00A8AB40 FindResourceW,LoadResource,LockResource,SizeofResource,

0_2_00A8AB40

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD

Jump to behavior

Source: R2T8ccXCek.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

File read: C:\Users\user\Desktop\R2T8ccXCek.exe

Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Section loaded: taskschd.dll	Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Automated click: OK
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: R2T8ccXCek.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: R2T8ccXCek.exe

Static file information: File size 50171956 > 1048576

Source: R2T8ccXCek.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00

Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: R2T8ccXCek.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: R2T8ccXCek.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: R2T8ccXCek.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: R2T8ccXCek.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: R2T8ccXCek.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: R2T8ccXCek.exe

Source: R2T8ccXCek.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: R2T8ccXCek.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: R2T8ccXCek.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: R2T8ccXCek.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: R2T8ccXCek.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00AF2350 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00AF2350

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_3_006DC879 push 00000000h; ret	0_3_006DC87C
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_3_006D8E36 push 00000000h; iretd	0_3_006D8E38
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_3_006E060C pushfd ; ret	0_3_006E0675
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B86C6E push ecx; ret	0_2_00B86C81
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A05BE0 push ecx; mov dword ptr [esp], ecx	0_2_00A05BE1

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

Jump to dropped file

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

Jump to dropped file

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Evaded block: after key decision

graph_0-64709

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-66711

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF43B0 FindFirstFileW,GetLastError,FindClose,	0_2_00AF43B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B12380 FindFirstFileW,FindClose,	0_2_00B12380
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00A0A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00A0A950
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B114D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00B114D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_00AF3DE0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AFC0B0 FindFirstFileW,FindClose,FindClose,	0_2_00AFC0B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B0E3A0 FindFirstFileW,FindClose,	0_2_00B0E3A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1E610 FindFirstFileW,FindClose,	0_2_00B1E610
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B1B3D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B1B7D0 FindFirstFileW,FindClose,	0_2_00B1B7D0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00AF3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00AF3A50
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B2FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B2FB20

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B1A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00B1A620

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B8365A VirtualQuery,GetSystemInfo,

0_2_00B8365A

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B8AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B8AD13

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B277C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00B277C0

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00AF2350 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00AF2350

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B9C66D mov ecx, dword ptr fs:[00000030h]	0_2_00B9C66D
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00BA783E mov eax, dword ptr fs:[00000030h]	0_2_00BA783E
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B85CA1 mov esi, dword ptr fs:[00000030h]	0_2_00B85CA1

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B85D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00B85D0D

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B86738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00B86738
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: 0_2_00B8AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B8AD13

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B1EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_00B1EAB0

Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx,	0_2_00B14050
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,	0_2_00BA0186
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,	0_2_00BA41E6
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00BA430F
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00BA44E4
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,	0_2_00BA4415
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00BA3B80
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: EnumSystemLocalesW,	0_2_00B9FC09
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,	0_2_00BA3D7B
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: EnumSystemLocalesW,	0_2_00BA3E22
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: EnumSystemLocalesW,	0_2_00BA3E6D
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00BA3F93
Source: C:\Users\user\Desktop\R2T8ccXCek.exe	Code function: EnumSystemLocalesW,	0_2_00BA3F08

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B2BB20 CreateNamedPipeW,CreateFileW,

0_2_00B2BB20

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B872F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B872F4

Source: C:\Users\user\Desktop\R2T8ccXCek.exe

Code function: 0_2_00B2A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,

0_2_00B2A240

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	1 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
R2T8ccXCek.exe	0%	ReversingLabs
R2T8ccXCek.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554994
Start date and time:	2024-11-13 10:08:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R2T8ccXCek.exe renamed because original name is a hash value
Original Sample Name:	e788c2cf1c0760d6672ea1ff733581f31c9a2e05019dec1ed1eaa341c8710a05.exe
Detection:	CLEAN
Classification:	clean6.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 64% Number of executed functions: 60 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

Download File

Process:	C:\Users\user\Desktop\R2T8ccXCek.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	6.447659228395253
Encrypted:	false
SSDEEP:	3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
MD5:	A5FFDCF45D3D123139C49017B22F444E
SHA1:	7B3D3D293F9A34570FC91500A6580496147C7658
SHA-256:	8F49245444B02BF0E103C5A5850A0B2FB1F2880C917261D146E3B8BC3C166E40
SHA-512:	5FF195A70825EFCED761ACEEEC5A6F0D0E18C1A4074482F584EFABEF7166C957C728D71D6185E3487A1405C608D820EFA4E07C584D60A8D51625E5D8A9A89397
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..a..2..2..2..3 ..2..3...2x.3...2x.3:..2x.3?..2..3?..2..3-..2..2...2..3v..2..3+..2..^2+..2.62+..2..3+..2Rich..2................PE..L...?..b.........."!.....`...................p............................................@......................... ...........<....p.. .......................0 ......p...........................`...@............p..t............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc..0 ......."..................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.977439534348002
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	R2T8ccXCek.exe
File size:	50'171'956 bytes
MD5:	a8dfbb9f5cf96f742c05776b0a5b4fe8
SHA1:	600e98dad7e474b7c49557516dfd398087e49914
SHA256:	e788c2cf1c0760d6672ea1ff733581f31c9a2e05019dec1ed1eaa341c8710a05
SHA512:	0ea8aa8886c493815cb3eb016fd3ff0ec4d4d1c76015cc0c5f7d72993c512f6bc0eea5893944637b58d20a8d838f6ecf45cbfa16877939df85da89b1e477aee4
SSDEEP:	786432:aVGyFtrCko6pqBZAgycX1vEDBW9qLvKrt7VOHMrS93SaJ9+BQF6gjQH:6b+kHpBgycFpRflaCIXZjQH
TLSH:	96B72330364EC52BDA6615B02A2C9A9F542C7E710F7168C7B3DC2E6E1BB49C25731E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{.3.x...{.3.~.X.{.3.}...{.......{...x...{...~...{.3.....{.3.z...{.3.\|...{...z.8.{.\.r...{.\.....{.......{.\.y...{

File Icon


Icon Hash:	9713331b4d3b2f0c

Static PE Info

General

Entrypoint:	0x596c64
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6213B2EE [Mon Feb 21 15:42:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	836688c7d21e39394af41ce9a8c2d728

Entrypoint Preview

Instruction
call 00007FF0646CA66Dh
jmp 00007FF0646C9E0Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FF0646C9463h
jmp 00007FF0646C9F72h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29cb94	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a7000	0x3d55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e5000	0x256bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x246778	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x246800	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x219f38	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x218000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x299f88	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x216c3f	0x216e00	b670db57563315716440578ee99e5466	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x218000	0x85b8c	0x85c00	59a6fbcfc1f150b26bf16fdd47452e43	False	0.3120947721962617	data	4.605894063170113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29e000	0x89f0	0x6a00	1cea180402edcf39ea7c6193312cce32	False	0.14180424528301888	DOS executable (block device driver 0aY)	2.8670521481443174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2a7000	0x3d55c	0x3d600	9c215b5617dafedde9588bb2401248ca	False	0.2635724287169043	data	5.856059532970926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e5000	0x256bc	0x25800	08f0f06260e93e98732bfb4145f07cca	False	0.446171875	data	6.512576488264422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE_FILE	0x2a7bf0	0x6	ISO-8859 text, with no line terminators	English	United States	2.1666666666666665
IMAGE_FILE	0x2a7bf8	0x6	ISO-8859 text, with no line terminators	English	United States	2.1666666666666665
RTF_FILE	0x2a7c00	0x2e9	Rich Text Format data, version 1, ANSI, code page 1252	English	United States	0.5503355704697986
RTF_FILE	0x2a7eec	0xa1	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	English	United States	0.906832298136646
RT_BITMAP	0x2a7f90	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x2a80d0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x2a88f8	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x2ad1a0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x2adc0c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x2add60	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x2ae588	0x7c5a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9958534899792675
RT_ICON	0x2b61e4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.142848692771797
RT_ICON	0x2c6a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.29470954356846474
RT_ICON	0x2c8fb4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3621013133208255
RT_ICON	0x2ca05c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.45819672131147543
RT_MENU	0x2ca9e4	0x5c	data	English	United States	0.8478260869565217
RT_MENU	0x2caa40	0x2a	data	English	United States	1.0714285714285714
RT_DIALOG	0x2caa6c	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x2cab18	0x2a6	data	English	United States	0.5132743362831859
RT_DIALOG	0x2cadc0	0x3b4	data	English	United States	0.43248945147679324
RT_DIALOG	0x2cb174	0xbc	data	English	United States	0.7180851063829787
RT_DIALOG	0x2cb230	0x204	data	English	United States	0.560077519379845
RT_DIALOG	0x2cb434	0x282	data	English	United States	0.48598130841121495
RT_DIALOG	0x2cb6b8	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x2cb784	0x146	data	English	United States	0.5736196319018405
RT_DIALOG	0x2cb8cc	0x226	data	English	United States	0.4690909090909091
RT_DIALOG	0x2cbaf4	0x388	data	English	United States	0.45464601769911506
RT_DIALOG	0x2cbe7c	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x2cc030	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x2cc168	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x2cc1b4	0x45c	data	English	United States	0.3844086021505376
RT_STRING	0x2cc610	0x344	data	English	United States	0.37320574162679426
RT_STRING	0x2cc954	0x2f8	data	English	United States	0.4039473684210526
RT_STRING	0x2ccc4c	0x598	data	English	United States	0.2807262569832402
RT_STRING	0x2cd1e4	0x3aa	StarOffice Gallery theme i, 1627418368 objects, 1st n	English	United States	0.4211087420042644
RT_STRING	0x2cd590	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x2cdb50	0x568	data	English	United States	0.32875722543352603
RT_STRING	0x2ce0b8	0x164	data	English	United States	0.5421348314606742
RT_STRING	0x2ce21c	0x520	data	English	United States	0.39176829268292684
RT_STRING	0x2ce73c	0x1a0	data	English	United States	0.45913461538461536
RT_STRING	0x2ce8dc	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x2cea68	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x2cec80	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x2cf2a4	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x2cf904	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x2cfbe8	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0x2cfc34	0x2dc	data	English	United States	0.453551912568306
RT_HTML	0x2cff10	0x37c8	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08291316526610644
RT_HTML	0x2d36d8	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x2d49f0	0x4fa	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3626373626373626
RT_HTML	0x2d4eec	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x2db9bc	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x2dc060	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x2dd0ac	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x2de660	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x2e06bc	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x2e3d4c	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:09:00
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\R2T8ccXCek.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\R2T8ccXCek.exe"
Imagebase:	0x9f0000
File size:	50'171'956 bytes
MD5 hash:	A8DFBB9F5CF96F742C05776B0A5B4FE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28%
Total number of Nodes:	2000
Total number of Limit Nodes:	108

Executed Functions

Function 00B07D70 Relevance: 28.0, APIs: 4, Strings: 11, Instructions: 1745COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00B07F67
SetEvent.KERNEL32(?), ref: 00B07FC5

Part of subcall function 00B12AB0: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,BACC40AC), ref: 00B12ADB

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00B08434
A valid language was received from commnad line. This is:, xrefs: 00B082AF
Language of a related product is:, xrefs: 00B0849C
Language selected programatically for UI:, xrefs: 00B08552
AI_BOOTSTRAPPERLANGS, xrefs: 00B08E29, 00B08E3B, 00B08E45
Language used for UI:, xrefs: 00B085CE
%hu, xrefs: 00B082DD
Code returned to Windows by setup:, xrefs: 00B08121
Advinst_Extract_, xrefs: 00B07DC5, 00B07DD7, 00B07DE1
Software\Caphyon\Advanced Installer\, xrefs: 00B08420
Languages of setup:, xrefs: 00B0907D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 4144826820-297406034
Opcode ID: af476ce2e8cf0fab6abf153049822fd090c6c5520de0b5fafe0129c010443852
Instruction ID: 3010ccc72c1a964592c6200bebd07649fe73d3125fba2dba7b38f70692df6b79
Opcode Fuzzy Hash: af476ce2e8cf0fab6abf153049822fd090c6c5520de0b5fafe0129c010443852
Instruction Fuzzy Hash: 3BE2A370A00649DFDB00DBA8C849BAEBBF5FF45314F1482A9E455EB2D2DB749E04CB91

Function 00B2B350 Relevance: 26.8, APIs: 13, Strings: 2, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PackageCode, xrefs: 00B2B69B
SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 00B2B3BE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
API String ID: 0-2409377028
Opcode ID: 8555520dd175609bb70e9c2f238223d02e62daf4ca16c527984b4761d77d5550
Instruction ID: 3f30ebf2c1a31ddadfa60e7be00965707f1ce07071e60b31f853baf6dc95b3ba
Opcode Fuzzy Hash: 8555520dd175609bb70e9c2f238223d02e62daf4ca16c527984b4761d77d5550
Instruction Fuzzy Hash: CF12D271A00219DFDB14DF68EC49FAEBBE8EF44310F1441A9F919AB2A2DB759D01CB50

Function 00A0A950 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 877fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00A0AA5F
PathIsUNCW.SHLWAPI(00000001,*.*), ref: 00A0AAC3
FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 00A0AD0C
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00A0AD26
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00A0AD5A
FindClose.KERNEL32(00000000), ref: 00A0ADCB
SetLastError.KERNEL32(0000007B), ref: 00A0ADD5
PathIsUNCW.SHLWAPI(?,?,BACC40AC,?,00000000), ref: 00A0B00E

Strings

*.*, xrefs: 00A0AA8A, 00A0AA94
\\?\, xrefs: 00A0AC1A, 00A0ACD0, 00A0B155, 00A0B209
\\?\UNC\, xrefs: 00A0AAE3, 00A0ABFF, 00A0B02E, 00A0B13A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: b513c3d895995c42d2868f8f337e60dab246c6ba2c2abbf77d09bd09f13ce83b
Instruction ID: acea22e5675d618b95a1e8a61ebf705935d13dc710dd13ce1afb0a2d7d07e8cf
Opcode Fuzzy Hash: b513c3d895995c42d2868f8f337e60dab246c6ba2c2abbf77d09bd09f13ce83b
Instruction Fuzzy Hash: B262F431A0060A9FDB14DF68D989BAEB7B5FF94314F148668E815DB3E1DB31AD00CB91

Function 00B1EAB0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B1EAF8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B1EB05
GetLastError.KERNEL32 ref: 00B1EB0F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00B1EB39
GetLastError.KERNEL32 ref: 00B1EB3F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00B1EB65
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B1EB98
EqualSid.ADVAPI32(00000000,?), ref: 00B1EBA7
FreeSid.ADVAPI32(?), ref: 00B1EBB6
CloseHandle.KERNEL32(00000000), ref: 00B1EBF0

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: 25f753f89b36aeb539f3ac9351253fa5056a9032785fad0f60d9f197fca4a747
Instruction ID: 97fd60df16a244ec721d1375533171bf561cacdc2fefcc00a27ee3d9c8ff07ba
Opcode Fuzzy Hash: 25f753f89b36aeb539f3ac9351253fa5056a9032785fad0f60d9f197fca4a747
Instruction Fuzzy Hash: E4413871904209EBDF109FA0CD89BEEBBF8FF08318F504055E912B32A0DB759A49DB64

Function 00B114D0 Relevance: 15.7, APIs: 10, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 168aa56858333730f103b008223c3debf89f48b38bb40d2a5a2bf61433704468
Instruction ID: f9df1818bb41378f5ea4c12d02ec28cd308d050351a050a8f1e0711a2d0d5643
Opcode Fuzzy Hash: 168aa56858333730f103b008223c3debf89f48b38bb40d2a5a2bf61433704468
Instruction Fuzzy Hash: 6062BE70A00649CFDB10CFA8C984BDEBBF5FF45314F1486A9E515AB291DB70AE85CB50

Function 00B14050 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

GetLocaleInfoW.KERNEL32(?,00000002,00C1337C,00000000), ref: 00B140C1
GetLocaleInfoW.KERNEL32(?,00000002,00B13B85,-00000001,00000078,-00000001), ref: 00B140FD
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00B14181
PeekMessageW.USER32(?,00000000), ref: 00B141C7
TranslateMessage.USER32(00000000), ref: 00B141D2
DispatchMessageW.USER32(00000000), ref: 00B141D9
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00B141EB

Strings

%d-%s, xrefs: 00B14107

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
String ID: %d-%s
API String ID: 445213441-1781338863
Opcode ID: f4e635cfb0c9626aee84970442de1f86a22dbabca83107a07b3c7354de74a8d5
Instruction ID: dbb1c11e53d05f5cffd06240e218d920fe0b6c5c24ae551b69baf1870b80dea8
Opcode Fuzzy Hash: f4e635cfb0c9626aee84970442de1f86a22dbabca83107a07b3c7354de74a8d5
Instruction Fuzzy Hash: 0A510471A00209ABD710DF94CC49FAFBBE8FF49724F504669F614A72C0DB719945CBA0

Function 00B2A240 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00B2A2CE
GetLastError.KERNEL32 ref: 00B2A2D4
GetUserNameW.ADVAPI32(00000000,?), ref: 00B2A31C
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B2A352
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00B2A39C

Strings

UserDomain, xrefs: 00B2A34D, 00B2A397

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: EnvironmentNameUserVariable$ErrorLast
String ID: UserDomain
API String ID: 3567734997-2275544873
Opcode ID: 36cb19c6cd29f0cb1b7f557088eab20e1efd3cb95504b4757d4f90890e25b28e
Instruction ID: 0482367e55e3973774d38f87f55214cc2554bd24b08e80b759d04abc412707fb
Opcode Fuzzy Hash: 36cb19c6cd29f0cb1b7f557088eab20e1efd3cb95504b4757d4f90890e25b28e
Instruction Fuzzy Hash: 05612671A00218DFDF14DFA8D854BEEBBF4FF48304F144129E405A7680DB75AA49CBA5

Function 00AF2350 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,BACC40AC,00000000,?,00000000), ref: 00AF238E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00AF23B1
FreeLibrary.KERNEL32(00000000), ref: 00AF242F

Strings

ComCtl32.dll, xrefs: 00AF2382
LoadIconMetric, xrefs: 00AF23AB

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 145871493-764666640
Opcode ID: 31f2597153eb9c1a80d7d6da14bae7ee4f19dcef3dd5546670860a1c4d7f62fc
Instruction ID: 8aaa706f826b2299c9e8374cb2f7bae5b344371886fcc65d4378eeb9b873d974
Opcode Fuzzy Hash: 31f2597153eb9c1a80d7d6da14bae7ee4f19dcef3dd5546670860a1c4d7f62fc
Instruction Fuzzy Hash: A13196B1A00259ABDF158FA5DC44BBFBFF8EB48754F01422AF915A7280D7B98D04CB90

Function 00AB1FB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AB1FF1

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

_wcschr.LIBVCRUNTIME ref: 00AB20AF

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 00AB20C4

Strings

Kernel32.dll, xrefs: 00AB1FCC, 00AB209F, 00AB20A0, 00AB2134

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
String ID: Kernel32.dll
API String ID: 1122257418-1926710522
Opcode ID: 74c947cda6cb3d9d904189f41b40d9ef7290ef92abdf169082902c4de955796d
Instruction ID: 9aa294327bee3edec810190f1f154341ff5bb440f4d34dab416e68677e830024
Opcode Fuzzy Hash: 74c947cda6cb3d9d904189f41b40d9ef7290ef92abdf169082902c4de955796d
Instruction Fuzzy Hash: 68A17BB0900645EFE714DF68C818B9ABBF4FF04318F10865DE4199B681D7BAAA18CF91

Function 00B1C990 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B1CA6A

Strings

\, xrefs: 00B1CA0E
\, xrefs: 00B1C9E4
\, xrefs: 00B1C9EC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: d38a5afa1057374d02f17f6b230d2709f6be9e2d099b4c4f637e9d9571ff3c01
Instruction ID: 21ec6c04082d817828565b5304acd691419988a6ee1840d0089ee873e084e8fb
Opcode Fuzzy Hash: d38a5afa1057374d02f17f6b230d2709f6be9e2d099b4c4f637e9d9571ff3c01
Instruction Fuzzy Hash: CB41F422DA02598ACB31DF2484416EBBBE4FF94354F954AAEE8CC93144E7308DC583C6

Function 00B85D0D Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,00A00DC7), ref: 00B85D12
HeapAlloc.KERNEL32(00000000), ref: 00B85D19
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B85D5F
HeapFree.KERNEL32(00000000), ref: 00B85D66

Part of subcall function 00B85BAB: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00B85D55,00000000), ref: 00B85BCF
Part of subcall function 00B85BAB: HeapAlloc.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85BD6

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: a10627c2e230d9dbd1a71da456140a4df22a7d2b306de11ecf358258dca05059
Instruction ID: c051c477a89fc41e46e23044ddcff5b10518d6717c6b8377508f9a73896c22a8
Opcode Fuzzy Hash: a10627c2e230d9dbd1a71da456140a4df22a7d2b306de11ecf358258dca05059
Instruction Fuzzy Hash: 93F03072644E1697CB753BB87C4CF5F2AE9EB8475171280A8F996C6264DE60C805CB60

Function 00AF43B0 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00AF444F
FindClose.KERNEL32(00000000), ref: 00AF44AE

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 071b4f123f5befb002268068c2542569506cf1d41bd819c4af91e6398ab1aa50
Instruction ID: 12ebda7b426071c44bfbcf754a2a23151e336cc5e5618ece2be1150f0d6b7a3b
Opcode Fuzzy Hash: 071b4f123f5befb002268068c2542569506cf1d41bd819c4af91e6398ab1aa50
Instruction Fuzzy Hash: 2931F074905618CBCB28DF94C888B7AB7B4FB48315F20829AEA59A7380D7315D44CB90

Function 00B12380 Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 7e0e6ead53376437bfd6891197f3445d4688b3a4982f8a71d07c65dcded5b245
Instruction ID: 9e1b56f3ca45799218f8c9802b62fd5a2b0f1a0b840e099657e7059ebc2996e0
Opcode Fuzzy Hash: 7e0e6ead53376437bfd6891197f3445d4688b3a4982f8a71d07c65dcded5b245
Instruction Fuzzy Hash: 93E16B30A006099FDB14DFA8C888BEEB7F4FF44324F5485A9E915AB291EB74AD45CB50

Function 00AF3DE0 Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1201570d9616b56bf780742e28f7587a9c2ee9813efe9789150c0ec7afb0a7c4
Instruction ID: 56a681fd9ac7ab5f2d56019a5c0dd5369397e9dde67a1b41d4a1e9d1936fbaa4
Opcode Fuzzy Hash: 1201570d9616b56bf780742e28f7587a9c2ee9813efe9789150c0ec7afb0a7c4
Instruction Fuzzy Hash: 6E414B32A01649DBDF24DFA8C959BAEB3B4FF50320F548229F9159B2D1EB709E04CB50

Function 00B2BB20 Relevance: 3.1, APIs: 2, Instructions: 85filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,BACC40AC,BACC40AC,?,?,?,00000000,00BF6015), ref: 00B2BBA8
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,BACC40AC,BACC40AC,?,?,?,00000000,00BF6015,000000FF), ref: 00B2BBCA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 8af4b7706b205f05e2a92dcefd6a109f8b7313aaabe5868113d2ee9455032d59
Instruction ID: 5c95b7ce56e28a099ffee9eee1d929ab31deb2fa8cc4e6bc8813a770257681b6
Opcode Fuzzy Hash: 8af4b7706b205f05e2a92dcefd6a109f8b7313aaabe5868113d2ee9455032d59
Instruction Fuzzy Hash: D331F531584745AFD7208F14DC01F9ABBE4EB05720F10865EFDA95B6D0CB71A900CB54

Function 00B36D50 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2890: __Init_thread_footer.LIBCMT ref: 00AF2970

CoCreateInstance.COMBASE(00C131D8,00000000,00000001,00C2F490,000000B0), ref: 00B36DCE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateInit_thread_footerInstance
String ID:
API String ID: 3436645735-0
Opcode ID: 42167a47190887f48de24a8c81bbb96a17fa314b931026f538de10e7cd8bb73d
Instruction ID: e6468eac2dfe9abfa31d126c4cab517e92043faacca3cf182d3d8c8b6811e3b5
Opcode Fuzzy Hash: 42167a47190887f48de24a8c81bbb96a17fa314b931026f538de10e7cd8bb73d
Instruction Fuzzy Hash: C511C071604745EFDB20CF58D804B9ABBF8EB05B14F10466EF8159B7C0C7B6A504CB90

Function 00B315E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$CreateHeapInstanceProcess
String ID:
API String ID: 3807588171-0
Opcode ID: f4ffa1df6700c1a381870c55edaf65be3727a90e443d252ec905019d22e344f0
Instruction ID: 1c9d42dea51af4c08b12cb39181ac2878dd6a884b9ba739e086b90744caacb96
Opcode Fuzzy Hash: f4ffa1df6700c1a381870c55edaf65be3727a90e443d252ec905019d22e344f0
Instruction Fuzzy Hash: 926155B1500708CFE710CF68C44839ABBF4FF45318F248AADD58A9B782D7B5A609CB91

Function 00AF2BA0 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00AF2C0E
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00AF2C55
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00AF2C74
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00AF2CA3
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00AF2D18
RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00AF2D81
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00AF2DE4
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00AF2E36
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00AF2ED3
GetProcAddress.KERNEL32(00000000), ref: 00AF2EDA
__Init_thread_footer.LIBCMT ref: 00AF2EEE
GetCurrentProcess.KERNEL32(?), ref: 00AF2F11
IsWow64Process.KERNEL32(00000000), ref: 00AF2F18
RegCloseKey.ADVAPI32(00000000), ref: 00AF2F52

Strings

CSDVersion, xrefs: 00AF2E2B
CurrentMinorVersionNumber, xrefs: 00AF2C69
ReleaseId, xrefs: 00AF2DD9
rs_prerelease, xrefs: 00AF2DA1
kernel32, xrefs: 00AF2ECE
CurrentMajorVersionNumber, xrefs: 00AF2C4A
BuildBranch, xrefs: 00AF2D76
IsWow64Process, xrefs: 00AF2EC9
CurrentVersion, xrefs: 00AF2C98
co_release, xrefs: 00AF2D89
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00AF2C04
CurrentBuildNumber, xrefs: 00AF2D0D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 1906320730-525127412
Opcode ID: f63835decc02a851a2f658d0ee3e5c9d45585784feb40e43a32b638304a3b17c
Instruction ID: 8f9f9c0e6d7069a06ab8be3b1a2199b53359a6bfabcdf6b689846c2c55251bf3
Opcode Fuzzy Hash: f63835decc02a851a2f658d0ee3e5c9d45585784feb40e43a32b638304a3b17c
Instruction Fuzzy Hash: EAA15F7190062CDFDB20DF60DD49BAEBBF8FB04705F1141AAF549A6190EB749A88CF94

Function 00AF2F80 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00AF2FF0
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00AF302B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00AF30A6
RegCloseKey.KERNEL32(00000000), ref: 00AF327E

Strings

Small Business, xrefs: 00AF30E0
Storage Server, xrefs: 00AF3205
ProductSuite, xrefs: 00AF309B
Security Appliance, xrefs: 00AF31EE
Blade, xrefs: 00AF31C0
Terminal Server, xrefs: 00AF3144
DataCenter, xrefs: 00AF318F
Small Business(Restricted), xrefs: 00AF315D
Personal, xrefs: 00AF31A9
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00AF2FE6
ServerNT, xrefs: 00AF3054
ProductType, xrefs: 00AF3020
WinNT, xrefs: 00AF3031
Enterprise, xrefs: 00AF30F9
BackOffice, xrefs: 00AF3112
EmbeddedNT, xrefs: 00AF3176
Embedded(Restricted), xrefs: 00AF31D7
CommunicationServer, xrefs: 00AF312B
Compute Server, xrefs: 00AF321C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 5987c6c1b2c47a6734bfb1b3ca7e6f05ceb5e6dc7ea1348b9b291f30f2dc36e8
Instruction ID: 22b21827824b05026340ec9ef8b67e699cd217ad44a0b50e01f07a21411f3fd9
Opcode Fuzzy Hash: 5987c6c1b2c47a6734bfb1b3ca7e6f05ceb5e6dc7ea1348b9b291f30f2dc36e8
Instruction Fuzzy Hash: FA71F57270035D9BDF209BA4DD44BFEB265EB50344F1041B5FB06AB681EB34CE498B06

Function 00B14960 Relevance: 37.0, APIs: 2, Strings: 19, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00B149DC

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Part of subcall function 00A02970: RaiseException.KERNEL32(?,?,00000000,00000000,00B85A3C,C000008C,00000001,?,00B85A6D,00000000,?,009F91C7,00000000,BACC40AC,00000001,?), ref: 00A0297C

__Init_thread_footer.LIBCMT ref: 00B14A2C

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

Strings

SETUPEXEDIR, xrefs: 00B1654C
Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86, xrefs: 00B14B03
Shlwapi.dll, xrefs: 00B16877
Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64, xrefs: 00B14A64
System32Folder, xrefs: 00B1625D, 00B16272, 00B1627C
ProgramFiles, xrefs: 00B16960, 00B16975, 00B1697D
SystemFolder, xrefs: 00B1613F, 00B16154, 00B1615E
AppDataFolder, xrefs: 00B169C8, 00B16A05
APPDATA, xrefs: 00B16A57, 00B16A5F
WindowsVolume, xrefs: 00B16424, 00B16439, 00B16443
ProgramFiles64Folder, xrefs: 00B16008
shfolder.dll, xrefs: 00B166D6
SHGetFolderPathW, xrefs: 00B16707
TempFolder, xrefs: 00B164BF
PROGRAMFILES, xrefs: 00B16A3D
WindowsFolder, xrefs: 00B16344, 00B16359, 00B16363
ProgramFilesFolder, xrefs: 00B168E7
ProgramW6432, xrefs: 00B16064
Shell32.dll, xrefs: 00B168A3

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2519272855-3044903971
Opcode ID: 952491e4481a326fbf2d8aaef76aa1f75c4074eed749efbc3f5ceaf3592787f2
Instruction ID: 36346926011833b92b22ddd1f6bde6b0b3a37d6c941c1b5da364f97fb17de986
Opcode Fuzzy Hash: 952491e4481a326fbf2d8aaef76aa1f75c4074eed749efbc3f5ceaf3592787f2
Instruction Fuzzy Hash: D4710570905206CBDF10EBA8C846BFFB3E1EF20310F9545A9E916972D5E731D985C791

Function 00AFDB40 Relevance: 29.9, APIs: 4, Strings: 13, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00AFDC3A
GetForegroundWindow.USER32(?,?,?,00BEC4C5,000000FF), ref: 00AFDC4A
OutputDebugStringW.KERNEL32(?,BACC40AC,?,?,?,00BEC4C5,000000FF,?,00B304CF,?,?,?,00000000), ref: 00AFDCD8
SetForegroundWindow.USER32(00000000), ref: 00AFDC84

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Strings

%s , xrefs: 00AFEA4C, 00AFED81
AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00AFEB95
"%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00AFE7B2
.mst, xrefs: 00AFE797, 00AFE7FE, 00AFECBE
"%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00AFE818
REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 00AFED93
majorupgrade-content.mst, xrefs: 00AFE756, 00AFEC4F
TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 00AFE910
MSINEWINSTANCE=1 , xrefs: 00AFE8E6
.msi, xrefs: 00AFE747, 00AFEC40
TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 00AFE8FF
TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 00AFE8B7
"%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00AFECDF

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$ForegroundInit_thread_footer$ActiveDebugHeapOutputProcessString
String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst
API String ID: 1401059542-743168453
Opcode ID: 0838409d292fba9d0dbf4b003c76e7b01ef3c1f2ee09349777332f9b11e8f6ac
Instruction ID: d30103f9a35d62f4c70359cb1701c4df678dcac8e84964bfd949d1c62a2375ed
Opcode Fuzzy Hash: 0838409d292fba9d0dbf4b003c76e7b01ef3c1f2ee09349777332f9b11e8f6ac
Instruction Fuzzy Hash: F651DF71A002099FDB15DFACC848BAEBBF5EF45324F14829DE9199B391DB319D01CBA1

Function 00B064D0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 495
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

GetTickCount.KERNEL32 ref: 00B06554
__Xtime_get_ticks.LIBCPMT ref: 00B0655C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B065A6
__Init_thread_footer.LIBCMT ref: 00B067A1
GetCurrentProcess.KERNEL32 ref: 00B06B06
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B06B16
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00B06B42
CloseHandle.KERNEL32(00000000), ref: 00B06B83

Strings

\/:*?"<>|, xrefs: 00B06763

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 3363527671-3830478854
Opcode ID: 5d91ae1ff62c0b7ec19974136abd862bd6f6f1b049f1e50c8d3ef391bf17048a
Instruction ID: 652145f7b36450f47128b4666f4f5478cf5cc93db3d35b3cbf702760512435b8
Opcode Fuzzy Hash: 5d91ae1ff62c0b7ec19974136abd862bd6f6f1b049f1e50c8d3ef391bf17048a
Instruction Fuzzy Hash: AC228D70900258DFDB10DFA8C859BAEBBB4EF45304F1481D9E509AB2D2DB74AE45CFA1

Function 00B2F7B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,00B1181B,?,?,?,?,?), ref: 00B2F7C5

Strings

EndExtraction, xrefs: 00B2F829
GetTotalFilesSize, xrefs: 00B2F805
ExtractAllFiles, xrefs: 00B2F817
InitExtraction, xrefs: 00B2F7FD

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: LibraryLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
API String ID: 1029625771-3462492388
Opcode ID: 814202103dd352c2bfd080fc77fd296990428a8ca42261cb723d43476c131775
Instruction ID: 8609945c4ff79807e64bec71ff12aa73f940bf5ea6d76b1e1f8fc952c30053ea
Opcode Fuzzy Hash: 814202103dd352c2bfd080fc77fd296990428a8ca42261cb723d43476c131775
Instruction Fuzzy Hash: FB014C7A900621ABCB159B64BD08B5E7BB0F794315701407FE916A3272C6354816CF94

Function 00B85A9F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00B85DE5,00C94C90,?,?,?,00A500E6,?,BACC40AC,?,?,?,00A981B7), ref: 00B85AB1
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00B85DE5,00C94C90,?,?,?,00A500E6,?,BACC40AC,?,?), ref: 00B85AC6
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A981B7), ref: 00B85B42

Strings

atlthunk.dll, xrefs: 00B85AC1
AtlThunk_DataToCode, xrefs: 00B85B05
AtlThunk_InitData, xrefs: 00B85AEE
AtlThunk_FreeData, xrefs: 00B85B1C
AtlThunk_AllocateData, xrefs: 00B85AD7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 79af6b933021900a9aae1c9b588e4e56aacf9f3b5d7c1d4bec3d40a2a9993da7
Instruction ID: e945bd81f57cdb4d646a05b54ac75322448ba665fa0eb82e3b3d76e1b4e77605
Opcode Fuzzy Hash: 79af6b933021900a9aae1c9b588e4e56aacf9f3b5d7c1d4bec3d40a2a9993da7
Instruction Fuzzy Hash: FF0184306427047EDA35BB209D07F8A7B959B21B49F0400E0B846773F2EAA1AD09C79A

Function 00B12810 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B129D1
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00B12A30
SetEndOfFile.KERNEL32(?), ref: 00B12A39
CloseHandle.KERNEL32(?), ref: 00B12A52

Strings

%sholder%d.aiph, xrefs: 00B129AD
Not enough disk space to extract file:, xrefs: 00B128DB

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$CloseCreateHandlePointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 22866420-929304071
Opcode ID: 9469138701e4edf25b35ef9cc42809434f51434750188c5e46b9d4d77a0e086f
Instruction ID: 6e06e7c12f2d792e924d4454b6d0873245c75c15bb522440588b19d7f4a9dd1d
Opcode Fuzzy Hash: 9469138701e4edf25b35ef9cc42809434f51434750188c5e46b9d4d77a0e086f
Instruction Fuzzy Hash: 6D81BF71A002099FDB10DF68CC45BAEBBE4EF45320F1446A9FA25E7291DB31AD51CB90

Function 00B2F2F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,-00000400,?,00000002,00000400,BACC40AC,?,?,?,?,?), ref: 00B2F396
GetLastError.KERNEL32(?,?,?,?), ref: 00B2F3A4
ReadFile.KERNEL32(?,00000000,00000400,000000FF,00000000,?,?,?,?), ref: 00B2F3BF

Strings

ADVINSTSFX, xrefs: 00B2F3F3, 00B2F4AE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: 0bd2c1b12be742d745228a76fcdf6d169f5627d46598b5eef56de20528e4dce3
Instruction ID: 0ce06fa0f50df013d80bcf8fc45b24236f87f644852ec340ca25887d1949c6f9
Opcode Fuzzy Hash: 0bd2c1b12be742d745228a76fcdf6d169f5627d46598b5eef56de20528e4dce3
Instruction Fuzzy Hash: D861BF71A0012A9BDB10DF68D881BBFBBF6FF44720F2442B5E529A7381D7749942CB64

Function 00ADDDA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,BACC40AC,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00ADDDE3
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00ADDE0C
RegCreateKeyExW.KERNEL32(?,00A07229,00000000,00000000,00000000,?,00000000,00000000,?,BACC40AC,?,?,?,00000000,?,Function_001BDD00), ref: 00ADDE59
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00ADDE6C

Strings

Advapi32.dll, xrefs: 00ADDDDE
RegCreateKeyTransactedW, xrefs: 00ADDE06

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: 96f6a1d359655ba4eecbf144c193e4dac7e27967ca7b7062a9f00dd362425bbd
Instruction ID: 47552cab725c826d9d8695261b33a43a719b3f616094a55ad4df78cb9463eb9a
Opcode Fuzzy Hash: 96f6a1d359655ba4eecbf144c193e4dac7e27967ca7b7062a9f00dd362425bbd
Instruction Fuzzy Hash: 54318472604205FFEB248F44DC45FABBBA8FB54750F14852AF906DB290DB71E814C794

Function 00ABD900 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,BACC40AC,?,?,?,?,?,Function_001BDD00,000000FF,?,00AEEE1C,?,?,000000FF), ref: 00ABD943
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00ABD96C
RegOpenKeyExW.KERNEL32(?,BACC40AC,00000000,?,00000000,BACC40AC,?,?,?,?,?,Function_001BDD00,000000FF,?,00AEEE1C,?), ref: 00ABD9A5
RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BDD00,000000FF,?,00AEEE1C,?,?,000000FF), ref: 00ABD9B8

Strings

RegOpenKeyTransactedW, xrefs: 00ABD966
Advapi32.dll, xrefs: 00ABD93E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 947711a4b4054eaa5f6fee2ed01c6840a8629f320e74376edc474f16515a37a1
Instruction ID: 016a1f0ed9acf35d43c2d9c66ba1621ec4147e5c4633ddc617c2ff78555f6bec
Opcode Fuzzy Hash: 947711a4b4054eaa5f6fee2ed01c6840a8629f320e74376edc474f16515a37a1
Instruction Fuzzy Hash: 4C21B032604209EFEB248F49DC45FAABBBCFB49750F00853AF819D7681E775A800CB60

Function 00B0D210 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00B0D230
GetWindowRect.USER32(00000000,?), ref: 00B0D246
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B0CFF7,?,00000000), ref: 00B0D25F
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00B0CFF7,?), ref: 00B0D26A
GetDlgItem.USER32(?,000003E9), ref: 00B0D27C
GetWindowRect.USER32(00000000,?), ref: 00B0D292
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 00B0D2D8

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 5b37912bfd4a97960341066acd8fe90aac369f3519606d520af0f3ff47ff5344
Instruction ID: 42bb5ce5d70b7497cf749511edf4d2eda04a0fb691cd946dc43fddc58ace61f0
Opcode Fuzzy Hash: 5b37912bfd4a97960341066acd8fe90aac369f3519606d520af0f3ff47ff5344
Instruction Fuzzy Hash: 05217A70614300AFD304DF64DC49F2ABBE8EF89718F00865DF8599A291D770ED46CB56

Function 00B10FF0 Relevance: 9.4, APIs: 6, Instructions: 354fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,BACC40AC,?,?,00000002,?,?,?,?,?,?,00000000,00BF0932), ref: 00B11047
GetLastError.KERNEL32(?,00000002), ref: 00B112D9
GetLastError.KERNEL32(?,00000002), ref: 00B11383
GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00BF0932,000000FF,?,00B0FF4A,00000010), ref: 00B11056

Part of subcall function 00AF2230: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,BACC40AC,00000008,00000000), ref: 00AF227B
Part of subcall function 00AF2230: GetLastError.KERNEL32 ref: 00AF2285

ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00B11118
ReadFile.KERNEL32(?,BACC40AC,00000000,00000000,00000000,00000001,?,00000002), ref: 00B11195

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 36140f670ad955a7f1284addebb17f44c2dd3e9426ac6569bbb1aaedaa8d1dd1
Instruction ID: c53c94e50cb3346a0b24b21b380447c440f9676f5b44e7a4d66a8a2b5b16e7f0
Opcode Fuzzy Hash: 36140f670ad955a7f1284addebb17f44c2dd3e9426ac6569bbb1aaedaa8d1dd1
Instruction Fuzzy Hash: E0D19071D00209DFDB00DFA8D885BEEB7B5FF44314F1486A9E925AB292EB709945CB90

Function 00B31080 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,BACC40AC,BACC40AC,?,00C94C50,?,?,00B13989,?,BACC40AC,?,?,?,00000000,00BF10D5), ref: 00B310E5
GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,00C94C50,?,?,00B13989,?,BACC40AC,?,?,?,00000000), ref: 00B31133

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 00B3119D
\VarFileInfo\Translation, xrefs: 00B31167
ProductName, xrefs: 00B31193

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: c42390b2417be756556a992104394565cf66becdf54f2143afb31365e06f993f
Instruction ID: 1a33adfdc4073c7c28e3c2b978e0cf3fef625d5c45e91f6e85875b46222ead66
Opcode Fuzzy Hash: c42390b2417be756556a992104394565cf66becdf54f2143afb31365e06f993f
Instruction Fuzzy Hash: 0F717A719015099BDB14DFA8CC49BAFB7F8EF45315F2485AAE911E7291EB309D04CBA0

Function 00AF45A0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

PathIsUNCW.SHLWAPI(?,?), ref: 00AF4736
_wcschr.LIBVCRUNTIME ref: 00AF4752

Strings

\\?\UNC\, xrefs: 00AF4631, 00AF46A9, 00AF46AF
\\?\, xrefs: 00AF4718, 00AF471E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess_wcschr
String ID: \\?\$\\?\UNC\
API String ID: 660126660-3019864461
Opcode ID: 477527559dba1d76a86929b26e39567e5ab7b2351db9fb87d849f53d824f2893
Instruction ID: da673aca0d05f06c173897450aca1ee66f69f7738d1a01fb43ed9aba082fe3a0
Opcode Fuzzy Hash: 477527559dba1d76a86929b26e39567e5ab7b2351db9fb87d849f53d824f2893
Instruction Fuzzy Hash: 5BC19E71A006499FDB00DBA8C985BAEF7F9FF49310F148269E515EB2D1EB749904CBA0

Function 00B0DCC0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 326COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,BACC40AC,?,00000010,?), ref: 00B0DF8A

Part of subcall function 00B1EAB0: GetCurrentProcess.KERNEL32 ref: 00B1EAF8
Part of subcall function 00B1EAB0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B1EB05
Part of subcall function 00B1EAB0: GetLastError.KERNEL32 ref: 00B1EB0F
Part of subcall function 00B1EAB0: CloseHandle.KERNEL32(00000000), ref: 00B1EBF0

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

Strings

\\?\, xrefs: 00B0DF97
Extraction path set to:, xrefs: 00B0DFDD
[WindowsVolume], xrefs: 00B0DD50, 00B0DD62, 00B0DD6C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 699919280-3538578949
Opcode ID: 8f8f3cfce56bd9d6acdeed0af5bb6e4bcbb5af0343ba8be1cc219cf6821b602f
Instruction ID: 6d5815eb067218a4cba9f92d54490a749e6f33bdbeced03acdbb1dc747501638
Opcode Fuzzy Hash: 8f8f3cfce56bd9d6acdeed0af5bb6e4bcbb5af0343ba8be1cc219cf6821b602f
Instruction Fuzzy Hash: 07C1A330A0064A9FDB14DFA8C945BAEFBF4EF44314F1482A8E525AB2D2DB70DD45CB91

Function 00B2C240 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 229filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(?,00000000,BACC40AC,?,000000FF,?,00000000,00BF62A6,000000FF,?,00B2C45A,000000FF,?,00000001), ref: 00B2C27A
GetLastError.KERNEL32(?,00B2C45A,000000FF,?,00000001), ref: 00B2C284

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,BACC40AC,?,000000FF,?,00000000,00BF62A6,000000FF,?,00B2C45A,000000FF,?), ref: 00B2C2C7

Strings

\\.\pipe\ToServer, xrefs: 00B2C4E4, 00B2C4F5, 00B2C4FF

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
String ID: \\.\pipe\ToServer
API String ID: 2973225359-63420281
Opcode ID: 32ee99a2eafad08faf2dd57ad2f2a0e4fc4a391942a5117f4747b23fa5ffdea5
Instruction ID: 55c72fbdb9987875d3c1b6f43360a14616af515ca6d234aad41d7ff89b0a4c7b
Opcode Fuzzy Hash: 32ee99a2eafad08faf2dd57ad2f2a0e4fc4a391942a5117f4747b23fa5ffdea5
Instruction Fuzzy Hash: E171B171604609EFDB10CF58D805BAEBBE4FF44724F10866DF9299B380DBB5A900CB94

Function 00B06200 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,BACC40AC,?,00000010,?,00B09550,?), ref: 00B06266
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00B062AF
ReadFile.KERNEL32(00000000,BACC40AC,?,?,00000000,00000078,?), ref: 00B062ED
CloseHandle.KERNEL32(00000000), ref: 00B06339

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: 1e74f93bd3b2e7404118d16056195cdde8e4d1590b2156b6a5ea6ef6f2c1d461
Instruction ID: 87203e72032bfc75455a11f9457b4bc3b44223913cbd22f71f71835cc0ee81c6
Opcode Fuzzy Hash: 1e74f93bd3b2e7404118d16056195cdde8e4d1590b2156b6a5ea6ef6f2c1d461
Instruction Fuzzy Hash: 7A415D70900609EBDB11CB98CC89BEEFBF8EF45724F148299E411A72D1D7749D44CBA4

Function 00B9EF42 Relevance: 4.7, APIs: 3, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B9F0F1

Part of subcall function 00B9DC17: RtlAllocateHeap.NTDLL(00000000,00000000,00B9D0E1,?,00B9EE85,?,00000000,?,00B8F625,00000000,00B9D0E1,?,?,?,?,00B9CEDB), ref: 00B9DC49

__freea.LIBCMT ref: 00B9F106
__freea.LIBCMT ref: 00B9F116

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 1f161428751471ff498f4d2b48ddeb23c4c84115b65b82c797bdea906200c191
Instruction ID: fac313fb5ce06b5dda3f1e435c3c6d3178ade2925454a0250ad6a1b1b76f8f1a
Opcode Fuzzy Hash: 1f161428751471ff498f4d2b48ddeb23c4c84115b65b82c797bdea906200c191
Instruction Fuzzy Hash: 3A518F72600217ABEF259F64CC82EBB7AE9EB05364F1541B9FC08E7151EB71CD5087A0

Function 00B10B10 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,BACC40AC,?,?), ref: 00B10B77
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00B10C84

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 73a1e83911c8e553c0b89c0e640a666ea5f2871dc9e8980cb11de9f7195aa444
Instruction ID: 2623ff423c09e70a5836996ad33d9ecf22f1e76411d62caa1531512026568875
Opcode Fuzzy Hash: 73a1e83911c8e553c0b89c0e640a666ea5f2871dc9e8980cb11de9f7195aa444
Instruction Fuzzy Hash: B8617D71D00609EFDB14DFA8C945BDDFBB4FB08720F10826AE925A7290DB75AA44CB90

Function 00B0E0A0 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,BACC40AC,?,?,?,80004005,?,00000000), ref: 00B0E13E
GetLastError.KERNEL32(?,?,?,80004005,?,00000000), ref: 00B0E176
GetLastError.KERNEL32(?,?,?,?,80004005,?,00000000), ref: 00B0E20F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: ed9d95a433fc0fb85da8ea63134c730be75881dab243dfbd88a25d4f01f70c29
Instruction ID: c4cc16a692cb7aeb738b623b246c04b582d615e4c9bc5833179bf6bf3e2922c2
Opcode Fuzzy Hash: ed9d95a433fc0fb85da8ea63134c730be75881dab243dfbd88a25d4f01f70c29
Instruction Fuzzy Hash: FA51E471A006059FDB20DF68DC45BAAFBF5FF44320F148AA9E525A73D0EB31A905CB90

Function 00AF4920 Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,BACC40AC,?,?,7622E010,00000000,00BEAAC5,000000FF,?,00B332A7,00000000,.part,00000005), ref: 00AF496B
CreateDirectoryW.KERNEL32(000000FF,00000000,?,?,00C22A4C,00000001,?), ref: 00AF4A2A
GetLastError.KERNEL32 ref: 00AF4A38

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 38412932f70a00ec0c48667d9a5705d40836e77c4685df826f8d5cf649cbf193
Instruction ID: b6229df6c11e2da00dc5e2bc338e20e1ea0cb46c9cd4924839484dc95033f814
Opcode Fuzzy Hash: 38412932f70a00ec0c48667d9a5705d40836e77c4685df826f8d5cf649cbf193
Instruction Fuzzy Hash: 0C61B031E006099FDB10EFB8C985BAEFBF4EF58364F248259E525A72D1DB749904CB60

Function 00A9BDA0 Relevance: 4.6, APIs: 3, Instructions: 135windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000000,00000000,00000100,?), ref: 00A9BE43
LoadStringW.USER32(00AFDE11,00000000,00000100,?), ref: 00A9BEFC
MessageBoxW.USER32(00000000,00000000,00AFDE11,?), ref: 00A9BF19

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: LoadString$Message
String ID:
API String ID: 2278601591-0
Opcode ID: 175a07cea0e4b5ccb980241da46e0481765d24042193bd5e212135775f1d8cc6
Instruction ID: 19c53439689a3ac14761fd1e72354accf31cb8702e5390cbb988d453728ce824
Opcode Fuzzy Hash: 175a07cea0e4b5ccb980241da46e0481765d24042193bd5e212135775f1d8cc6
Instruction Fuzzy Hash: 194175B1A11209ABDF14DF59ED45BBEBBF8EB44714F10416EF919E3390E7758A008BA0

Function 00B9C63C Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00B9C636,?,00B8AD12,?,?,BACC40AC,00B8AD12,?), ref: 00B9C64D
TerminateProcess.KERNEL32(00000000,?,00B9C636,?,00B8AD12,?,?,BACC40AC,00B8AD12,?), ref: 00B9C654
ExitProcess.KERNEL32 ref: 00B9C666

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1385e63f3ab2d6232dbe9184f3f96ba59e84ec41caae39aa3351d787f6254214
Instruction ID: 3915f5be3620aefbf4be7721098b799fc2ace5796ea333dcc422633bd4e28c8d
Opcode Fuzzy Hash: 1385e63f3ab2d6232dbe9184f3f96ba59e84ec41caae39aa3351d787f6254214
Instruction Fuzzy Hash: 97D09231000508AFCF012F64DD0DA5D3FAAEF44342B12A060BA8A4A032CF71A9A6DA98

Function 00B06660 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 312COMMON

Download Yara Rule

APIs

Part of subcall function 00B064D0: GetTickCount.KERNEL32 ref: 00B06554
Part of subcall function 00B064D0: __Xtime_get_ticks.LIBCPMT ref: 00B0655C
Part of subcall function 00B064D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B065A6

Part of subcall function 00B2A240: GetUserNameW.ADVAPI32(00000000,?), ref: 00B2A2CE
Part of subcall function 00B2A240: GetLastError.KERNEL32 ref: 00B2A2D4
Part of subcall function 00B2A240: GetUserNameW.ADVAPI32(00000000,?), ref: 00B2A31C
Part of subcall function 00B2A240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B2A352
Part of subcall function 00B2A240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00B2A39C

__Init_thread_footer.LIBCMT ref: 00B067A1

Strings

\/:*?"<>|, xrefs: 00B06763

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 2099558200-3830478854
Opcode ID: ebd82fbad54f45bda032f415d13f1bcb867ecb4187bc94c1c407ff51c64e097e
Instruction ID: e071886d598a2a2131b06ab67c31f8cbde2134fc974acabbef65f92589c4d396
Opcode Fuzzy Hash: ebd82fbad54f45bda032f415d13f1bcb867ecb4187bc94c1c407ff51c64e097e
Instruction Fuzzy Hash: B7D19D70900258CFDB14EFA4C895BAEBBB0BF55304F1481D9D405AB2D2DB756E49CFA1

Function 00BA327C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA2DAC: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00BA2DD7

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00BA30C3,?,00000000,?,?,?), ref: 00BA32DD
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BA30C3,?,00000000,?,?,?), ref: 00BA331F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8351f2972e7aa315910deb7f4f1ab7e81b8c1681253933c80d8dc316e613a7ac
Instruction ID: 455dd17da11a53a7ae48b374a4f18376515b97145977582ea8b2f234e52484ad
Opcode Fuzzy Hash: 8351f2972e7aa315910deb7f4f1ab7e81b8c1681253933c80d8dc316e613a7ac
Instruction Fuzzy Hash: 0D511470A087459EDF21CF39C8816AEFBF5EF46700F1484AEE0968B252DB74DA46CB54

Function 00B318E0 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B31931
EndDialog.USER32(00000000,00000001), ref: 00B31940

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: fd0a26400b9e10b90355a2ee80765e22511c13e4b608c5adbbbee659c1b7ae80
Instruction ID: db026aaf1c145f2e273d52630542b583128b14450343b8a0a86d1e3dfca881a6
Opcode Fuzzy Hash: fd0a26400b9e10b90355a2ee80765e22511c13e4b608c5adbbbee659c1b7ae80
Instruction Fuzzy Hash: D5518A70A01A49DFD711CF6CC948B4AFBF8FF49310F2486ADD4559B2A1D770AA05CB91

Function 00B0CFA0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B0C783,00000000), ref: 00B0CFA0
DestroyWindow.USER32(?), ref: 00B0D057

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: 6aae276b800b584cf905a3f9f26e0aef82f607ef686b3a958c83e85e7242cee4
Instruction ID: 602a7efdc3992bf77d0f43301759f6948b4241e047d26950eb918fc13fa4c4b1
Opcode Fuzzy Hash: 6aae276b800b584cf905a3f9f26e0aef82f607ef686b3a958c83e85e7242cee4
Instruction Fuzzy Hash: CB21B7B56101099BD7209F58EC05BAA7BA4EB54321F004267FD08C76D1D776EC65C7F1

Function 00B2F6D0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00B2F735
CloseHandle.KERNEL32(?), ref: 00B2F789

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CloseFreeHandleLibrary
String ID:
API String ID: 10933145-0
Opcode ID: 8d7e786c9e72fdcab3c589d68b4f8bc2fa3b66bb8d93d3876fe72e8f3da8923b
Instruction ID: 120856bf464f492bd67bd1b3252b5b8e177be9d4dd9e70bfaa17695d29adf015
Opcode Fuzzy Hash: 8d7e786c9e72fdcab3c589d68b4f8bc2fa3b66bb8d93d3876fe72e8f3da8923b
Instruction Fuzzy Hash: 7A218E71604A02AFD705CF69ED4CB5ABBF8FB04714F00426AE829C73A0DB79A914CF94

Function 009F86D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B83CF9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B83D05

CloseHandle.KERNEL32(04EC4EC4,BACC40AC,?,00000000,Function_001BD890,000000FF,?,map/set too long,009F7DCF,?,?,BACC40AC), ref: 009F8713

Strings

map/set too long, xrefs: 009F86D0

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CloseHandlestd::invalid_argument::invalid_argument
String ID: map/set too long
API String ID: 563732297-558153379
Opcode ID: 3443ad80fcc39898c6442c81a9e34f9f432a695936096f1a02fb2d5a1d5e85b9
Instruction ID: 350574b39aa4f0dea61f33fb805cbe30513d5d0df8fe96d35913c66dbb1f27c0
Opcode Fuzzy Hash: 3443ad80fcc39898c6442c81a9e34f9f432a695936096f1a02fb2d5a1d5e85b9
Instruction Fuzzy Hash: DCF0F671644748ABD7219F08DC41B9ABBECEB05B10F10856AFD15D7780DBB5E900CBA8

Function 00AF0F40 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2350: LoadLibraryW.KERNEL32(ComCtl32.dll,BACC40AC,00000000,?,00000000), ref: 00AF238E
Part of subcall function 00AF2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00AF23B1
Part of subcall function 00AF2350: FreeLibrary.KERNEL32(00000000), ref: 00AF242F

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00AF0F84
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AF0F8F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: 6e84d8a0ee4b3698a90b27b5b0e1546008b5f2ba0a90bae741934c03740680e8
Instruction ID: c9c82ffb4470c45c8585f62e26fec81c920668d5f9c3b5fbbc1fae222e2575ba
Opcode Fuzzy Hash: 6e84d8a0ee4b3698a90b27b5b0e1546008b5f2ba0a90bae741934c03740680e8
Instruction Fuzzy Hash: F1F01C3278121C37F66421995C47F6BB64DD785B64E154266BB98AF2C2ECC67C0103D8

Function 00BA0308 Relevance: 3.0, APIs: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,00B9F030,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BA033C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00B9F030,?,?,00000000,?,00000000), ref: 00BA035A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 439e2c0ac8bd0d88434bce8f94b6ba7eb7f230cb79089970054aaa5ca60e1486
Instruction ID: 529e254cbce57db54194d1777892e91362d6629097f0aac735e665c5b45168a1
Opcode Fuzzy Hash: 439e2c0ac8bd0d88434bce8f94b6ba7eb7f230cb79089970054aaa5ca60e1486
Instruction Fuzzy Hash: AFF07A3250051ABBCF126F91DC05EDE3FA6FF48360F058160FA1865020CB32D971EB94

Function 00B9DBDD Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00BA221D,?,00000000,?,?,00BA24BE,?,00000007,?,?,00BA2B18,?,?), ref: 00B9DBF3
GetLastError.KERNEL32(?,?,00BA221D,?,00000000,?,?,00BA24BE,?,00000007,?,?,00BA2B18,?,?), ref: 00B9DBFE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: da85b354ca942838f6cc0624828949d0c988a6971644a90f3131900c651e4b3c
Instruction ID: cd066adf2232794458e3596d1b56ba4ac56d7c95a0fb08bf1751e5ae5dda255b
Opcode Fuzzy Hash: da85b354ca942838f6cc0624828949d0c988a6971644a90f3131900c651e4b3c
Instruction Fuzzy Hash: DBE08631100614ABDF123FB5EC0DB5E7BE8EB00755F0580A1F609861B1DB709884C794

Function 00B13E40 Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00B14020,?), ref: 00B13E8B

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 4e686bd24f45a38860ddd3ab2daf0e5a58ef0676b0659d278575224c45a88a62
Instruction ID: 04e89bc1925001e52b915d6e9da5e88cb6af3758b77d6a75ea23b6e3c7aef027
Opcode Fuzzy Hash: 4e686bd24f45a38860ddd3ab2daf0e5a58ef0676b0659d278575224c45a88a62
Instruction Fuzzy Hash: 1661907190060A9FDB14DF68C885BDEBBF4FF08704F5042A9E914AB681E771E985CBA0

Function 00BA2E80 Relevance: 1.6, APIs: 1, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00BA30CF,00BA30C3,00000000), ref: 00BA2EB2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: b34c06901c516d58e312b7d902889675672d48f0c66096ce1ced9ee1d26f82bf
Instruction ID: 3c4bd95d6c72b0061113999a9a49ccbe9e55f8778d8b57aaaf1bc09fd98981ca
Opcode Fuzzy Hash: b34c06901c516d58e312b7d902889675672d48f0c66096ce1ced9ee1d26f82bf
Instruction Fuzzy Hash: F45129715082589EDB218B28CD84BFA7BF8EB56704F2405EDE49AD7182D2319E46DF20

Function 00AF2890 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00AF2B00: __Init_thread_footer.LIBCMT ref: 00AF2B76

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

__Init_thread_footer.LIBCMT ref: 00AF2970

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: c22762ad3e76bc908c39a631c1178e14e79eb2d098365fc27bba392960e0d091
Instruction ID: 3c2dedd2fd0c06c6bdd46904f25d7a159c43ca9f27ee5c71c50dd719bad47de4
Opcode Fuzzy Hash: c22762ad3e76bc908c39a631c1178e14e79eb2d098365fc27bba392960e0d091
Instruction Fuzzy Hash: 6C31D1B1940648DFDB10DF84EC9ABA9B3F4F700758F20466AFA114B3E0D7B6A904CB44

Function 00B2F850 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00B11B50,?,00000000,00000000,?,?), ref: 00B2F86D

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Part of subcall function 00B2F940: WaitForSingleObject.KERNEL32(?,000000FF,BACC40AC,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B2F974

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AllocateCreateFileHeapObjectSingleWait
String ID:
API String ID: 1261966429-0
Opcode ID: c5e90c8ee7f79b4a5e0e867ba67b6d9a82e49ee3c6f418954016f6635d7caeb6
Instruction ID: bcf25e2947f58cef27da6509be37b0ba393e8c47249963c79b250e8c02b3a53b
Opcode Fuzzy Hash: c5e90c8ee7f79b4a5e0e867ba67b6d9a82e49ee3c6f418954016f6635d7caeb6
Instruction Fuzzy Hash: FD31F534604B119FD324DF28E888B2AB7F0FF88704F20896DE59A9B360D731E990CB55

Function 00AD7FE0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

__Init_thread_footer.LIBCMT ref: 00AD8052

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: 4c3cd97a336808e907bfaa83f58c0bccad957b2599628294c6371a11ff7a92a1
Instruction ID: bf29d7b40f49f18dc279742966c25b77828b9aedb9844c0051a91cfb20618bce
Opcode Fuzzy Hash: 4c3cd97a336808e907bfaa83f58c0bccad957b2599628294c6371a11ff7a92a1
Instruction Fuzzy Hash: 3A0184B1948684DBCB24DB58D94AB4DB3A4EB04720F1047BAE416833D1DB35E904D655

Function 00AF2B00 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

Part of subcall function 00AF2BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00AF2C0E
Part of subcall function 00AF2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00AF2C55
Part of subcall function 00AF2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00AF2C74
Part of subcall function 00AF2BA0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00AF2CA3
Part of subcall function 00AF2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00AF2D18

__Init_thread_footer.LIBCMT ref: 00AF2B76

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: fc60770e6374961dc0183ad238dc7cb7569e3e0eb27dba30c8f67ca18f58f9da
Instruction ID: 6975a909314e209b6784930b1c1787de672741884cb6ed1007c2face012685ac
Opcode Fuzzy Hash: fc60770e6374961dc0183ad238dc7cb7569e3e0eb27dba30c8f67ca18f58f9da
Instruction Fuzzy Hash: 0101D6B1A40648EFCB10EFA8DD4AB5973A4E704720F500369FD25977D4D734A9008B91

Function 009F9B10 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B87F9E: RaiseException.KERNEL32(E06D7363,00000001,00000003,BACC40AC,?,?,80004005,BACC40AC), ref: 00B87FFE

RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: db524b8162af74083e424c28019566e85efd5d454aa6cba699b812e6ee467ef5
Instruction ID: 93622bffa7158983643ea43a3ffddb8a077e035220021ccecd68acf0824779f3
Opcode Fuzzy Hash: db524b8162af74083e424c28019566e85efd5d454aa6cba699b812e6ee467ef5
Instruction Fuzzy Hash: 99F08271648648BFC7059F54DC01F5ABBA8E704B14F108569B915866A0DB76A810DB48

Function 00B9DC17 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00B9D0E1,?,00B9EE85,?,00000000,?,00B8F625,00000000,00B9D0E1,?,?,?,?,00B9CEDB), ref: 00B9DC49

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d5bebced053103be0d9d721f9fa842672b553afb15b07a981430764f42fc26bd
Instruction ID: f79940a02fc62b01e8e303804eefd8966ff6504e14d5c696f7f30a9ffd251f1d
Opcode Fuzzy Hash: d5bebced053103be0d9d721f9fa842672b553afb15b07a981430764f42fc26bd
Instruction Fuzzy Hash: 8CE06D216446215ADF222B6B9D05B6B7AECDB413A1F1901F1AD559A1D0DBA0EC40C2A5

Function 00B9D049 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B9D050

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 59b7106b3f724d3478103f7dfb38eb07a785aa96ac0c80e26d1a623dd3b37b33
Instruction ID: f219d3543c983ff70ecaae75623971085254a31f1e1c097928863db9f2ed59d9
Opcode Fuzzy Hash: 59b7106b3f724d3478103f7dfb38eb07a785aa96ac0c80e26d1a623dd3b37b33
Instruction Fuzzy Hash: C3E075B2C0020E9ADF00EFD4C452AEEBBF8EB08310F504466A245E6141EA745744CBA1

Function 00B2BC20 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,BACC40AC,00000000,?,00000000,00BF6063,000000FF,?,00B0AC2C,?,00000000,00000000,?,0000000D,0000000E), ref: 00B2BC59

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 02cd562f3878bc53c0f92e3d426827119ddd299ab2b4c3fa5220b3ea194d42b3
Instruction ID: 01b12031851afdd1c554c1345737109ce563059535ce18e4279e3018d895a8bb
Opcode Fuzzy Hash: 02cd562f3878bc53c0f92e3d426827119ddd299ab2b4c3fa5220b3ea194d42b3
Instruction Fuzzy Hash: A2117071804A08DFD710CF68C944B5AB7F8FB05730F1087A9E425D76E0DB75A9048B80

Non-executed Functions

Function 009F2F40 Relevance: 170.0, Strings: 134, Instructions: 2486COMMON

Download Yara Rule

Strings

AI_XmlAttribute, xrefs: 009F5BDE, 009F6141
MsiConfigureServices, xrefs: 009F559D, 009F55C3
InstallODBC, xrefs: 009F51FC, 009F5282, 009F5308
RegisterFonts, xrefs: 009F517F
AI_InstallPrerequisite, xrefs: 009F5A2F
1500, xrefs: 009F4639, 009F46C4, 009F5BCB, 009F6133
ServiceInstall, xrefs: 009F553D
AI_XmlUninstall, xrefs: 009F609A, 009F6120
UnregisterComPlus, xrefs: 009F3FE3
RegisterComPlus, xrefs: 009F548C
Environment, xrefs: 009F47E3, 009F511F
AI_DownloadPrereq, xrefs: 009F5923
AI_UninstallTasks, xrefs: 009F5DAC
Feature, xrefs: 009F3E77, 009F57D2
3000, xrefs: 009F3AEF, 009F3DDE, 009F3E64, 009F3FF6, 009F431A, 009F43A0, 009F4426, 009F44AC, 009F4532, 009F45B8, 009F47D0, 009F4E06, 009F4F7D, 009F53A1, 009F54A4
120000, xrefs: 009F474A
AI_ScheduledTasks, xrefs: 009F6043
RemoveFolders, xrefs: 009F49CC
MsiUnpublishAssemblies, xrefs: 009F3C82
RemoveIniValues, xrefs: 009F462B, 009F46B1
CreateShortcuts, xrefs: 009F4D6D
InstallValidate, xrefs: 009F38BE
PatchFiles, xrefs: 009F4BE4
AI_CountRowAction, xrefs: 009F6223
RegisterTypeLibraries, xrefs: 009F538E
8000, xrefs: 009F407C, 009F4294, 009F5192, 009F5427
Complus, xrefs: 009F4009, 009F54B7
ProcessComponents, xrefs: 009F3AA0
~, xrefs: 009F5A99
FileCost, xrefs: 009F3514
AI_GxInstall, xrefs: 009F5C35
Feature_, xrefs: 009F3D20, 009F44D2, 009F4EA7, 009F5766, 009F595C, 009F59E2, 009F5A68, 009F5AEE
Extension, xrefs: 009F44BF, 009F4E96
100000, xrefs: 009F58B9
ServiceControl, xrefs: 009F3EFD, 009F3F83, 009F5649
RemoveShortcuts, xrefs: 009F4737
WriteEnvironmentStrings, xrefs: 009F50F9
File, xrefs: 009F3598, 009F48EF, 009F4B7F
ODBCDriver, xrefs: 009F4221, 009F532E
AI_ProcessGroups, xrefs: 009F5F23
UnregisterProgIdInfo, xrefs: 009F451F
20000, xrefs: 009F5636
RemoveRegistryValues, xrefs: 009F4307, 009F438D
StopServices, xrefs: 009F3ED7, 009F3F5D
Patch, xrefs: 009F4C0A
800, xrefs: 009F390D
3000000, xrefs: 009F510C
AI_XmlInstall, xrefs: 009F5B3B, 009F5BB8
DuplicateFile, xrefs: 009F4869, 009F4C90
100, xrefs: 009F4BF7, 009F4F00, 009F5E3C
RemoveFile, xrefs: 009F4975
MIME, xrefs: 009F45CB, 009F4F90
AI_InstallPostPrerequisite, xrefs: 009F5AB5
CostFinalize, xrefs: 009F36DC
InstallServices, xrefs: 009F5517
MsiPublishAssemblies, xrefs: 009F572F
RegisterExtensionInfo, xrefs: 009F4E70
AI_ExtractPrereq, xrefs: 009F59A9
UnpublishFeatures, xrefs: 009F3E4C
RemoveIniFile, xrefs: 009F4651
AI_GxUninstall, xrefs: 009F5E29
RemoveEnvironmentStrings, xrefs: 009F47BD
RemoveODBC, xrefs: 009F40EF, 009F4175, 009F41FB
AI_ProcessAccounts, xrefs: 009F5FA0
PatchSize, xrefs: 009F4C44
RemoveExistingProducts, xrefs: 009F2F64
15000, xrefs: 009F3EEA, 009F3F70, 009F4AEB, 009F4C7D, 009F4E83, 009F55B0, 009F57BF
AI_UserGroups, xrefs: 009F5D55, 009F5F49
RemoveDuplicateFiles, xrefs: 009F4843
AI_UninstallGroups, xrefs: 009F5D2F
IniFile, xrefs: 009F46D7, 009F5099
Location, xrefs: 009F5983, 009F5A09
WriteRegistryValues, xrefs: 009F4FED
5000, xrefs: 009F4D03
InstallFiles, xrefs: 009F4B5E
SelfRegModules, xrefs: 009F5414
RegisterMIMEInfo, xrefs: 009F4F6A
ODBCTranslator, xrefs: 009F419B, 009F52A8
2000, xrefs: 009F3185, 009F5C48, 009F5CC5, 009F5D42, 009F5DBF, 009F5F36, 009F5FB3, 009F6030
InstallInitialize, xrefs: 009F5829
MoveFiles, xrefs: 009F4AD8
AI_ProcessTasks, xrefs: 009F601D
Component, xrefs: 009F33B6, 009F377A, 009F395C, 009F3B3E
BindImage, xrefs: 009F4CF0, 009F4D16
500, xrefs: 009F5EB9
AI_UninstallAccounts, xrefs: 009F5CB2
200000, xrefs: 009F583C
AI_AppSearchEx, xrefs: 009F5EA6, 009F5ECC
Component_, xrefs: 009F3E04, 009F3F10, 009F3FA5, 009F401C, 009F4128, 009F41AE, 009F4248, 009F4340, 009F43C6, 009F4664, 009F46EA, 009F4770, 009F47F6, 009F487C, 009F4902, 009F4A05, 009F4A8B, 009F4B11, 009F4B97, 009F4CA3, 009F4DA6, 009F5026, 009F50AC, 009F5132, 009F5235, 009F52BB, 009F5346, 009F53C7, 009F54CA, 009F5550, 009F55E5, 009F565C, 009F56E2
PublishComponents, xrefs: 009F56A9
AI_UserAccounts, xrefs: 009F5CD8, 009F5FC6
InstallFinalize, xrefs: 009F58A6
1500000, xrefs: 009F552A
Font, xrefs: 009F42A7, 009F51A5
AppSearch, xrefs: 009F314B, 009F31D4
MsiAssembly, xrefs: 009F5755
AI_XmlElement, xrefs: 009F5B61, 009F60C0
AI_DefaultActionCost, xrefs: 009F62A0
AI_PreRequisite, xrefs: 009F5949, 009F59CF, 009F5A55, 009F5ADB
SelfReg, xrefs: 009F408F, 009F543A
Options, xrefs: 009F5A8F, 009F5B10
AI_Game, xrefs: 009F5C5B, 009F5E4F
Registry, xrefs: 009F432D, 009F5013
6000, xrefs: 009F5000
WriteIniValues, xrefs: 009F5073
PublishComponent, xrefs: 009F3DF1, 009F56CF
UnpublishComponents, xrefs: 009F3DCB
PublishFeatures, xrefs: 009F57AC
RemoveFiles, xrefs: 009F48C9, 009F494F
FileSize, xrefs: 009F4BBE
10000, xrefs: 009F56BC, 009F62B3
ODBCDataSource, xrefs: 009F4115, 009F5222
UnregisterMIMEInfo, xrefs: 009F45A5
1800, xrefs: 009F5B4E, 009F60AD
AppId, xrefs: 009F4439, 009F4E19
RemoveRegistry, xrefs: 009F43B3
StartServices, xrefs: 009F5623
30000, xrefs: 009F3CD1, 009F5086, 009F5742
UnregisterClassInfo, xrefs: 009F4413
RegisterClassInfo, xrefs: 009F4DF3
MoveFile, xrefs: 009F4AFE
ProgId, xrefs: 009F4545, 009F4F13
UnregisterExtensionInfo, xrefs: 009F4499
TypeLib, xrefs: 009F53B4
DuplicateFiles, xrefs: 009F4C6A
RegisterProgIdInfo, xrefs: 009F4EED
CostInitialize, xrefs: 009F332D
12000, xrefs: 009F4102, 009F4188, 009F420E, 009F4856, 009F48DC, 009F4962, 009F49DF, 009F4A65, 009F4D80, 009F520F, 009F5295, 009F531B
CreateFolder, xrefs: 009F49F2, 009F4A78
AI_ChainProductsPseudo, xrefs: 009F61A6
SelfUnregModules, xrefs: 009F4069
UnregisterFonts, xrefs: 009F4281
CreateFolders, xrefs: 009F4A52
Shortcut, xrefs: 009F475D, 009F4D93

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: 5a181b063e75179eb9e893afcb10ef3eed322267aa33427089643cf1c8d545a2
Instruction ID: 0fa3e2f82dfac5bee5624dc4ed26f06854fe6cd104fcc5c11d779814e9822d9a
Opcode Fuzzy Hash: 5a181b063e75179eb9e893afcb10ef3eed322267aa33427089643cf1c8d545a2
Instruction Fuzzy Hash: 3F33FB70A553C9E9DF40E7B4991E76F39509B92748F6442BCF2A02B3E2CFB50B029359

Function 00A141B0 Relevance: 48.2, APIs: 16, Strings: 11, Instructions: 961memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A1420A
VariantClear.OLEAUT32(?), ref: 00A1423C
VariantClear.OLEAUT32(?), ref: 00A1435F
VariantClear.OLEAUT32(?), ref: 00A1438E
SysFreeString.OLEAUT32(00000000), ref: 00A14395
SysAllocString.OLEAUT32(00000000), ref: 00A143E8
VariantClear.OLEAUT32(?), ref: 00A14476
VariantClear.OLEAUT32(?), ref: 00A144A8
VariantClear.OLEAUT32(?), ref: 00A14609
VariantClear.OLEAUT32(?), ref: 00A1463C
SysFreeString.OLEAUT32(00000000), ref: 00A14647
SysAllocString.OLEAUT32(00000000), ref: 00A1468A
SysFreeString.OLEAUT32(00000000), ref: 00A14845

Part of subcall function 00A15120: VariantClear.OLEAUT32(?), ref: 00A15129

VariantClear.OLEAUT32(?), ref: 00A147FB
VariantClear.OLEAUT32(?), ref: 00A14837
SysAllocString.OLEAUT32(00000000), ref: 00A14869

Strings

MsiEvaluateCondition, xrefs: 00A14A5C
MsiGetProperty, xrefs: 00A1499D
MsiGetBinaryPathIndirect, xrefs: 00A14C6C
MsiResolveFormatted, xrefs: 00A14AF7
GetFontHeight, xrefs: 00A15054
MsiSetProperty, xrefs: 00A148F0
MsiPublishEvents, xrefs: 00A14D34
MsiGetFormattedError, xrefs: 00A14FA1
MsiGetBytesCountText, xrefs: 00A14EC4
MsiGetBinaryPath, xrefs: 00A14BAA
MessageBox, xrefs: 00A14DFC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 1305860026-3153392536
Opcode ID: cb43d4466f3f0cf4edc63eaf8fc5420b838854dc2204f75014fef44ecbe0ff63
Instruction ID: 483b7b73046013c47a03ff30e85ba4d9c5f9a6d39124f5f0928a510ceb2574ab
Opcode Fuzzy Hash: cb43d4466f3f0cf4edc63eaf8fc5420b838854dc2204f75014fef44ecbe0ff63
Instruction Fuzzy Hash: E9924A70D10218DFDB20DFA8CC84BDEBBB4BF49314F104299E559A7291EB74AA85CF94

Function 00B277C0 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 514fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00C96078,C0000000,00000003,00000000,00000004,00000080,00000000,BACC40AC,00C96054,00C9606C,?), ref: 00B27837
GetLastError.KERNEL32 ref: 00B27854
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00B278CF
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00B279CB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00B27A3C
WriteFile.KERNEL32(00000000,00C95920,00000000,00000000,00000000,?,0000001C), ref: 00B27A6C
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00C158A8,00000002), ref: 00B27B17
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00B27B20
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00B27A71

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00B27C12
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 00B27C98
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00B27CA3
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00C158A8,00000002,?,?,CPU: ,00000005), ref: 00B27D17
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00B27D20
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00C158A8,00000002), ref: 00B27DA5
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00B27DAE

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Strings

x86, xrefs: 00B27AA8
LOGGER->failed to create LOG at:, xrefs: 00B2788A, 00B2789C, 00B278A6
CPU: , xrefs: 00B27B68, 00B27B7E, 00B27CAC
LOGGER->Reusing LOG file at:, xrefs: 00B27973, 00B27985, 00B2798F
server, xrefs: 00B27AC3, 00B27ACB
x64, xrefs: 00B27AB1, 00B27ABD
LOGGER->Creating LOG file at:, xrefs: 00B27BBA, 00B27BCC, 00B27BD6
workstation, xrefs: 00B27ABE
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00B27AE7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 4051163352-1312762833
Opcode ID: 7755080779673285f46ce137680cc30d122a10e0d70c96f7003a33601dc8baad
Instruction ID: 89d4478f16ef9662dbb467f37c701349dadafbf5dcb1a711fe6c03b27c671922
Opcode Fuzzy Hash: 7755080779673285f46ce137680cc30d122a10e0d70c96f7003a33601dc8baad
Instruction Fuzzy Hash: 00128E70A01619DFDB00DF68DC49BAEBBB5FF44314F1482A8E819AB2A1DB70DD45CB94

Function 00A135A0 Relevance: 33.7, APIs: 22, Instructions: 727memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A135FA
VariantClear.OLEAUT32(?), ref: 00A1362C
VariantClear.OLEAUT32(?), ref: 00A13726
VariantClear.OLEAUT32(?), ref: 00A13755
SysFreeString.OLEAUT32(00000000), ref: 00A1375C
SysAllocString.OLEAUT32(00000000), ref: 00A137A3
VariantClear.OLEAUT32(?), ref: 00A13827
VariantClear.OLEAUT32(?), ref: 00A13859
VariantClear.OLEAUT32(?), ref: 00A13959
VariantClear.OLEAUT32(?), ref: 00A1398C
SysFreeString.OLEAUT32(00000000), ref: 00A13997
SysAllocString.OLEAUT32(00000000), ref: 00A139DD
VariantClear.OLEAUT32(?), ref: 00A13A5A
VariantClear.OLEAUT32(?), ref: 00A13A8C
VariantClear.OLEAUT32(?), ref: 00A13BAC
VariantClear.OLEAUT32(?), ref: 00A13BDB
SysFreeString.OLEAUT32(00000000), ref: 00A13BE2
SysAllocString.OLEAUT32(00000000), ref: 00A13C35
VariantClear.OLEAUT32(?), ref: 00A13CBA
VariantClear.OLEAUT32(?), ref: 00A13CEC
VariantClear.OLEAUT32(?), ref: 00A13DDD
VariantClear.OLEAUT32(?), ref: 00A13E0A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID:
API String ID: 1305860026-0
Opcode ID: bbb682fe40184fce6d2d11083d8816f98dd68c89e8d0bc1e8cdff74eb496b7e5
Instruction ID: 39fb668287ea18fa583646fb01dcd307f3c90b877eae23da50b5488b53b05e84
Opcode Fuzzy Hash: bbb682fe40184fce6d2d11083d8816f98dd68c89e8d0bc1e8cdff74eb496b7e5
Instruction Fuzzy Hash: 4E429E71900248DFCF10DFA8C948BEEBBB5FF48314F148269E415E7291EB74AA45CBA5

Function 009FF190 Relevance: 25.9, APIs: 17, Instructions: 374memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 009FF5F0: EnterCriticalSection.KERNEL32(00C96250,BACC40AC,00000000,?,?,?,?,?,?,009FEE50,00BAF68D,000000FF), ref: 009FF62D
Part of subcall function 009FF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 009FF6A8
Part of subcall function 009FF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 009FF74E

SysFreeString.OLEAUT32(00000000), ref: 009FF233
SysAllocString.OLEAUT32(00000000), ref: 009FF264
GetWindowLongW.USER32(?,000000EC), ref: 009FF33B
GetWindowLongW.USER32(?,000000EC), ref: 009FF34B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009FF356
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 009FF364
GetWindowLongW.USER32(?,000000EB), ref: 009FF372
GetWindowTextLengthW.USER32(?), ref: 009FF396
GetWindowTextW.USER32(?,00000000,00000001), ref: 009FF405
SetWindowTextW.USER32(?,00C1337C), ref: 009FF411
GlobalAlloc.KERNEL32(00000042,00000000), ref: 009FF448
GlobalLock.KERNEL32(00000000), ref: 009FF456
GlobalUnlock.KERNEL32(?), ref: 009FF47A
SetWindowLongW.USER32(?,000000EB,00000000), ref: 009FF501
SysFreeString.OLEAUT32(00000000), ref: 009FF516
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 009FF55D
SysFreeString.OLEAUT32(00000000), ref: 009FF585

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Long$String$FreeGlobalText$AllocCursorLoadNtdllProc_$CriticalEnterLengthLockSectionUnlock
String ID:
API String ID: 4180494407-0
Opcode ID: 3fa99c9304e969b88f8b83ed01022c8a1462a83ce26b5b2654e52fe756145b10
Instruction ID: b23cb4ab21ee139af9fee57e7f1764f2d96cb8ff481fafe801403a3c85d0022f
Opcode Fuzzy Hash: 3fa99c9304e969b88f8b83ed01022c8a1462a83ce26b5b2654e52fe756145b10
Instruction Fuzzy Hash: F3D1B07190020AEFDB10DFA4CC58BBFBBB8EF45714F144169FA11A7290D7799A05CBA1

Function 00A08CD0 Relevance: 21.5, APIs: 14, Instructions: 520windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00A08D83
ShowWindow.USER32(00000000,?), ref: 00A08DA2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A08DB0
GetWindowRect.USER32(00000000,?), ref: 00A08DC7
ShowWindow.USER32(00000000,?), ref: 00A08DE8
SetWindowLongW.USER32(?,000000EB,?), ref: 00A08DFF

Part of subcall function 00A02970: RaiseException.KERNEL32(?,?,00000000,00000000,00B85A3C,C000008C,00000001,?,00B85A6D,00000000,?,009F91C7,00000000,BACC40AC,00000001,?), ref: 00A0297C

ShowWindow.USER32(?,?), ref: 00A08F43
GetWindowLongW.USER32(?,000000EB), ref: 00A08F79
ShowWindow.USER32(?,?), ref: 00A08F96
GetWindowRect.USER32(?,?), ref: 00A08FBB
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00A090F8
GetWindowRect.USER32(?,?), ref: 00A091B5
GetWindowRect.USER32(?,?), ref: 00A09207
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 00A09243

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$ExceptionRaise
String ID:
API String ID: 1022490566-0
Opcode ID: e2be5280794569ee3f80e12e52483295bddb6190f87ea92b7bff269e11fd839b
Instruction ID: 1e257ef807564ff85c3d5d073341e03abf42319ef888637783d7358c68828d83
Opcode Fuzzy Hash: e2be5280794569ee3f80e12e52483295bddb6190f87ea92b7bff269e11fd839b
Instruction Fuzzy Hash: 0F127C71604609AFDB25CF68E884BAEBBF5FF89304F004A1DF496972A1DB30E945CB51

Function 009FEBE0 Relevance: 19.8, APIs: 13, Instructions: 293nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009FECCB
GetWindowLongW.USER32(00000004,000000EC), ref: 009FECDB
SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 009FECE6
NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 009FECF4
GetWindowLongW.USER32(00000004,000000EB), ref: 009FED02
GetWindowTextLengthW.USER32(00000004), ref: 009FED26
GetWindowTextW.USER32(00000004,00000000,00000001), ref: 009FED95
SetWindowTextW.USER32(00000004,00C1337C), ref: 009FEDA1
GlobalAlloc.KERNEL32(00000042,00000000), ref: 009FEDD8
GlobalLock.KERNEL32(00000000), ref: 009FEDE6
GlobalUnlock.KERNEL32(?), ref: 009FEE0A
SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 009FEE6F
NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 009FEEBD

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Long$GlobalText$NtdllProc_$AllocLengthLockUnlock
String ID:
API String ID: 2673961051-0
Opcode ID: fb47ab1ad208a21660169bd934257255b2857d5fd3a41a7b9b3ad1eefc9ecbf6
Instruction ID: 63f1e05e33bc768c50045f0d4a46e5ef8cecf63c1dc9e53fa1db13665a5e4c8e
Opcode Fuzzy Hash: fb47ab1ad208a21660169bd934257255b2857d5fd3a41a7b9b3ad1eefc9ecbf6
Instruction Fuzzy Hash: 45A1D071901209EBDB10DF68DC48BBFBBB9EF45310F144659FA15A72A1DB389901CBA1

Function 00AFC0B0 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00AFC452
FindClose.KERNEL32(00000000), ref: 00AFC480
FindClose.KERNEL32(00000000), ref: 00AFC509

Strings

No acceptable version found. It must be installed from package., xrefs: 00AFC8D6
An acceptable version was found., xrefs: 00AFC8CF
No acceptable version found. It must be downloaded., xrefs: 00AFC8DD
No acceptable version found. Operating System not supported., xrefs: 00AFC8EB
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00AFC8F2
Not selected for install., xrefs: 00AFC900
No acceptable version found., xrefs: 00AFC8F9
No acceptable version found. It must be downloaded manually from a site., xrefs: 00AFC8E4

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 544434140-749633484
Opcode ID: 81f26c1579a1c32cc182f5bcf8aaf14ff121340b3c3949b4713fb3e98bc94f40
Instruction ID: 0b3387f19b7e7e38c764ac6160733cf570bf9258bdaf7d632e70e72ec5da961c
Opcode Fuzzy Hash: 81f26c1579a1c32cc182f5bcf8aaf14ff121340b3c3949b4713fb3e98bc94f40
Instruction Fuzzy Hash: 9AF18B7090060D8FDB10DF69CA487AEFBB1EF45320F148698E559EB392EB349A44CF91

Function 00A4FA40 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00A4FC1B
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00A4FC2B
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A4FC40
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00A4FC51
GetWindowTextLengthW.USER32(?), ref: 00A4FC54
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00A4FC64
GetWindowRect.USER32(?,?), ref: 00A4FC92

Part of subcall function 00A512B0: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00A4FDEC,00000000,BACC40AC,?,?), ref: 00A51328

Part of subcall function 00A00DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00A00DE6

SendMessageW.USER32(00000000,00000412,00000000), ref: 00A4FCF4
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00A4FD04

Strings

,, xrefs: 00A4FBC1

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$Window$LengthLongRectText
String ID: ,
API String ID: 2970668393-3772416878
Opcode ID: 6702fc74a617cefbeabc9b28c8fc584e6dde79fd2be83d3ced11640dc0f4fd60
Instruction ID: a25d600da7da2b4f426479e1d307615dc49b60ea900ae38dc6ab1721b0989896
Opcode Fuzzy Hash: 6702fc74a617cefbeabc9b28c8fc584e6dde79fd2be83d3ced11640dc0f4fd60
Instruction Fuzzy Hash: D5A11671A002089FDB14DFA9CD95BAEBBF9FF48300F50462AE516EB291DB74A905CB50

Function 00A65570 Relevance: 13.1, APIs: 4, Strings: 3, Instructions: 895COMMON

Download Yara Rule

Strings

/, xrefs: 00A6636D
AI_BTN_HIDE_TEXT_, xrefs: 00A66020
, xrefs: 00A65698

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: $/$AI_BTN_HIDE_TEXT_
API String ID: 0-2260284092
Opcode ID: 1564908a637397765251322257ef243b910630d2bef1289f7d8af89fdfaedac3
Instruction ID: 6d60ddfcf254c2a480144e4a7be9e69f0ed381615929cc6b34c99d035b830c42
Opcode Fuzzy Hash: 1564908a637397765251322257ef243b910630d2bef1289f7d8af89fdfaedac3
Instruction Fuzzy Hash: 4D925970D00258CFDB15DFA8C955BDDBBB4AF55304F1482DAE4097B292EB706A88CFA1

Function 00B1A620 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 388COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

_wcschr.LIBVCRUNTIME ref: 00B1A6D9
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00B1A82E
GetDriveTypeW.KERNEL32(?), ref: 00B1A84A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B1AA37
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B1AAC1

Strings

]%!, xrefs: 00B1A7C9

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Wow64$DriveInit_thread_footerRedirection$DisableHeapLogicalProcessRevertStringsType_wcschr
String ID: ]%!
API String ID: 2638324580-1069524040
Opcode ID: a4b86265a82f46871f03d14ad0960c0a35f3f4b0a66e6fe44d6737f85c70404a
Instruction ID: bd2ddc4a24baefb93ed3fef33a89dcc3df16c3bd4a7bb388244ece2364c19f16
Opcode Fuzzy Hash: a4b86265a82f46871f03d14ad0960c0a35f3f4b0a66e6fe44d6737f85c70404a
Instruction Fuzzy Hash: 7EF1C030901659CFDB24DB68C884BEDB7F4EF44310F5482E9E45AAB291DB70AE84CF91

Function 00AD2A50 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 313windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00AD2C80
SendMessageW.USER32(?,00000443,00000000), ref: 00AD2CEA
MulDiv.KERNEL32(?,00000000), ref: 00AD2D21

Strings

Segoe UI, xrefs: 00AD2CF8
NumberValidationTipMsg, xrefs: 00AD2B8B
NumberValidationTipTitle, xrefs: 00AD2AC4

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSendWindow
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 701072176-2319862951
Opcode ID: e32c96f0514b7faadad1cf2f3e5a97cc326a13fb806725141bf0a1e8609d99bb
Instruction ID: 3a59a016d11db60eb0063b5a58f7154e64bd55198e96bc2a15d1368bdb327001
Opcode Fuzzy Hash: e32c96f0514b7faadad1cf2f3e5a97cc326a13fb806725141bf0a1e8609d99bb
Instruction Fuzzy Hash: 52C1AD71A00709AFEB14DF64CC55BEEB7B1FF89300F008299E556A72D1DB74AA49CB90

Function 00BA3B80 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetACP.KERNEL32(?,?,?,?,?,?,00B993AE,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BA3C41
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B993AE,?,?,?,00000055,?,-00000050,?,?), ref: 00BA3C6C
_wcschr.LIBVCRUNTIME ref: 00BA3D00
_wcschr.LIBVCRUNTIME ref: 00BA3D0E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00BA3DCF

Strings

utf8, xrefs: 00BA3D3E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: dfe319e4e7684dbde184fb8eac081bdfeb450694332fabeffd3a7c9accbf5a8e
Instruction ID: 64645dbcccfdbad9f1d295c7a913104de1ef59089b9a7b1dc85519b751cd8ccc
Opcode Fuzzy Hash: dfe319e4e7684dbde184fb8eac081bdfeb450694332fabeffd3a7c9accbf5a8e
Instruction Fuzzy Hash: 5B71D671A08305AADB24AB79CC86BAAB3E9EF46B50F1444BAF545D7181FB70DE40C760

Function 00BA8B95 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BA8D79

Strings

1#IND, xrefs: 00BA8C9A
1#QNAN, xrefs: 00BA8CA8
1#SNAN, xrefs: 00BA8CA1
1#INF, xrefs: 00BA8CCB

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b481e5488f695aae3bd4a800d0cd9c9dc6c283a0f868bd90f81b2a411148afba
Instruction ID: 1fb2c5ac144406488266c8818bbcaf1b9c413bcc7dafc8763f640966052f8bd7
Opcode Fuzzy Hash: b481e5488f695aae3bd4a800d0cd9c9dc6c283a0f868bd90f81b2a411148afba
Instruction Fuzzy Hash: 10D22771E082298FDB65CE28CD807EAB7F5EB46304F1445EAD44DE7240EB38AE859F51

Function 00B2FB20 Relevance: 9.2, APIs: 6, Instructions: 196fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,BACC40AC,?,00000000,00000000), ref: 00B2FBF1
FindNextFileW.KERNEL32(?,00000000), ref: 00B2FC0C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 799d0c101d834913b369949587db09b0fedaaa418db4164097679267203c7dbd
Instruction ID: 5fe0e0786911eaf72160b039970db7e453831b79b37d1ed0d5fa8f1b0dd43fd8
Opcode Fuzzy Hash: 799d0c101d834913b369949587db09b0fedaaa418db4164097679267203c7dbd
Instruction Fuzzy Hash: E9716B7190164D9FDB10DFA8CD58BAEBBB4FF04314F2482A9E815AB291DB349A08CB51

Function 00B85CA1 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00B85BBD,00000000,?,00B85D55,00000000), ref: 00B85CA3
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,00B85D55,00000000), ref: 00B85CCA
HeapAlloc.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85CD1
InitializeSListHead.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85CDE
GetProcessHeap.KERNEL32(00000000,00000000,?,00B85D55,00000000), ref: 00B85CF3
HeapFree.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85CFA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: f7cd711b5e23283011d7bc7a0b2996b735e478c8ca6250c885b9912547a7b3c3
Instruction ID: f37a66760675009e475e370a124ba29f68a4dbf5e9e88af55ccd040b7b1991ac
Opcode Fuzzy Hash: f7cd711b5e23283011d7bc7a0b2996b735e478c8ca6250c885b9912547a7b3c3
Instruction Fuzzy Hash: 67F06835641A019BD7605F69AC0CF1E77E8FB98716F028479FA82D3260DF70D405CB60

Function 00BA430F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00BA462D,00000002,00000000,?,?,?,00BA462D,?,00000000), ref: 00BA43A8
GetLocaleInfoW.KERNEL32(?,20001004,00BA462D,00000002,00000000,?,?,?,00BA462D,?,00000000), ref: 00BA43D1
GetACP.KERNEL32(?,?,00BA462D,?,00000000), ref: 00BA43E6

Strings

OCP, xrefs: 00BA4363
ACP, xrefs: 00BA432D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fc05bd5a9308f14b472db2f38b59241a4d6eee37e0d7c98d663a902d3a26c3e4
Instruction ID: de9cbb79ccdf222a1a77c4b7cdffa52ae952595c90b96fe21c632de3efff816e
Opcode Fuzzy Hash: fc05bd5a9308f14b472db2f38b59241a4d6eee37e0d7c98d663a902d3a26c3e4
Instruction Fuzzy Hash: 5421AF32608101ABDF349F94C941B9F72EAEFD6B54B5A84F4E94AD7200E7B2DD41C398

Function 00BA44E4 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00BA45F0
IsValidCodePage.KERNEL32(00000000), ref: 00BA4639
IsValidLocale.KERNEL32(?,00000001), ref: 00BA4648
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00BA4690
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00BA46AF

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c79d9e366ef42a9f4662d297722e40c8ab09e75f0129cd860e8cec4757a6485c
Instruction ID: f62b534f1649c7459a52b55499f2039be98e221925eae541bb0c50beb054626e
Opcode Fuzzy Hash: c79d9e366ef42a9f4662d297722e40c8ab09e75f0129cd860e8cec4757a6485c
Instruction Fuzzy Hash: 5A516D71904205ABDF10DFA9CC85BAEB7F8FF9A700F1444A9E915E7191EBB09A04CB61

Function 00B9DD6A Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B9DDF7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
Instruction ID: 60428563e496bedc178e36f34f1d42004f1d7e85a580dfe5304d9b0355a6c911
Opcode Fuzzy Hash: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
Instruction Fuzzy Hash: 38B12572A042459FDF25CF69C8827EEBBE5EF59340F1581FAE815AB242D274DD01CBA0

Function 00AF3A50 Relevance: 6.3, APIs: 4, Instructions: 321fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00AF3BA8
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00AF3C45
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00AF3C6B
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00AF3CB5

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
String ID:
API String ID: 3625725927-0
Opcode ID: ffb791c0f20d43b7e4537e09f516581654298eea583eb08518480c4ff890b218
Instruction ID: 4912e90d22f82deed922eb07ce9952082a9b11ee0d9fc6d658801998153144b2
Opcode Fuzzy Hash: ffb791c0f20d43b7e4537e09f516581654298eea583eb08518480c4ff890b218
Instruction Fuzzy Hash: 96A1C272A001099FDF14DFA8CC49BBEB7F4FF44324F14866AE915D7280E7B59A048B90

Function 00B1B3D0 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6551e537fb68310dbf9e1477edc96571fc23b8d09dd2e59f05f77b5be81245
Instruction ID: 33c3f042f9f5eee76f4e3848493532ee286ac177bee42a324377c3462743f324
Opcode Fuzzy Hash: ec6551e537fb68310dbf9e1477edc96571fc23b8d09dd2e59f05f77b5be81245
Instruction Fuzzy Hash: A7818B71901218DFDB60DF68CC89B99B7F4EF44314F5482D9E818AB292DB709E84CF91

Function 00A8AB40 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000017,BACC40AC,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00A8AB88
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00A8AB9B
LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00A8ABAA
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00A8ABBA

Part of subcall function 00AF1480: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,BACC40AC,00000000,00000000,?,?,00A8ABD5), ref: 00AF14D4

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Resource$ByteCharFindLoadLockMultiSizeofWide
String ID:
API String ID: 203124936-0
Opcode ID: cfe9bd7da6dbbbb014a3ee2d42e669d8d800f2c7fd33f878a92795b0d6faa24f
Instruction ID: 2b6cf15c843a72a4d9382c3e9a0412087450eae64e7ea79258feacedde823db6
Opcode Fuzzy Hash: cfe9bd7da6dbbbb014a3ee2d42e669d8d800f2c7fd33f878a92795b0d6faa24f
Instruction Fuzzy Hash: 8C31E6B1D04709ABE720AFB4DD45BAFF7B4EB54710F00462AE955A73C0EB70A904C7A1

Function 00B1B7D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00B1B88C
FindClose.KERNEL32(00000000), ref: 00B1B9D7

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Strings

%d.%d.%d.%d, xrefs: 00B1B969

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 06493c3c3110ec7240b4c8074344e8b25745c1fd9a713cb3cd421e7924d811d7
Instruction ID: 29e033b282acc05eda4a066eb142224e371c3d829cdc1f75d293e961ba324e91
Opcode Fuzzy Hash: 06493c3c3110ec7240b4c8074344e8b25745c1fd9a713cb3cd421e7924d811d7
Instruction Fuzzy Hash: AB615A71905219DFDF20DF68C849BADBBB4EF44314F1082D9E919AB291DB369A84CF90

Function 00A0E290 Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 00A0E2F8
AI_NO_BORDER_NORMAL, xrefs: 00A0E360
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00A0E5B8
AI_NO_BORDER_HOVER, xrefs: 00A0E3DB

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 60ce9bf19a6b5ccfafba556a3d0cf30ee70513368a342d6a8886da5ecbbfe1d3
Instruction ID: 3f7ffe705899e4255b9d03e7b7a3a241f4a915c2250620adb7fc98ce370debd5
Opcode Fuzzy Hash: 60ce9bf19a6b5ccfafba556a3d0cf30ee70513368a342d6a8886da5ecbbfe1d3
Instruction Fuzzy Hash: 03D19F70D0021CDFDB04DFA9CC45BAEBBF1BF85304F1081A9E455AB285D778AA09DBA1

Function 00BA3F93 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BA3FE7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BA4031
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BA40F7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: e1058f5c84ceef2f5b314485f46abf21827b193557e9e9db9b1feca3799f74cf
Instruction ID: 0b63a2f0efe388d620e16eb8c447f6ee158babf7667e5345e51dedb633dd8f0c
Opcode Fuzzy Hash: e1058f5c84ceef2f5b314485f46abf21827b193557e9e9db9b1feca3799f74cf
Instruction Fuzzy Hash: 4861B3716181079FDF289F29CC82BBABBE8EF55300F1041FAE905D6681EBB4D981DB50

Function 00A63FC0 Relevance: 4.7, Strings: 3, Instructions: 907COMMON

Download Yara Rule

Strings

</a>, xrefs: 00A64308
<a>, xrefs: 00A642DD
&, xrefs: 00A64CB2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer
String ID: &$</a>$<a>
API String ID: 1385522511-4150034113
Opcode ID: d6bd4d0eb5a05cb74a977ff8e6446ec196ab8dae9b9f12b1b964b2a0b1fcdc98
Instruction ID: c1ebc5034264ffbe7e2c5155a94a2bd56a04196b89c3f0e1019234c99c26ad56
Opcode Fuzzy Hash: d6bd4d0eb5a05cb74a977ff8e6446ec196ab8dae9b9f12b1b964b2a0b1fcdc98
Instruction Fuzzy Hash: 78923570D012A9DFDB20DFA8C944BDDBBB4AF59304F1085E9E509B7291DB745A88CF60

Function 00A08890 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00A088DE
GetWindowLongW.USER32(00000004,000000FC), ref: 00A088F7
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00A08909

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b65b010cc837f1499d80880e09490995b799fa942f2c5fe6b7676cd9589323ad
Instruction ID: 282973cba63285f735865748ed4694be2b208f2c3858cd2093196a8f66c58deb
Opcode Fuzzy Hash: b65b010cc837f1499d80880e09490995b799fa942f2c5fe6b7676cd9589323ad
Instruction Fuzzy Hash: 2F419CB0600A46EFDB14DF64D908B5AFBF8FF04354F004269E464976E0DB7AE914CB91

Function 00A0C4F0 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 00A0C546
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00A0C558
DeleteCriticalSection.KERNEL32(?,BACC40AC,?,?,?,?,00BB19C4,000000FF), ref: 00A0C583

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID:
API String ID: 1978754570-0
Opcode ID: 69d55fe34adf2e042a89df58986f926720044a62f7bf6807d5090cbb83b4c959
Instruction ID: 59dc2d16bf4d05edc5b9442372bbde34d6157f6f32dd11c3b26ba6a1c84652ed
Opcode Fuzzy Hash: 69d55fe34adf2e042a89df58986f926720044a62f7bf6807d5090cbb83b4c959
Instruction Fuzzy Hash: 1731CDB4A00646EBCF20DF28DD48B9EBBE8BB05320F104359F814A76E1D771EA15DB90

Function 00B8AD13 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B8AE0B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B8AE15
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B8AE22

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 069c3cfe7c7acca903acefcd4328dd9e7449dc1b9662dc9a995d2599ddac8453
Instruction ID: c9a864bafdf4d9e17fd854b6bc59854cb58af944aced96543e21eec6b57a301f
Opcode Fuzzy Hash: 069c3cfe7c7acca903acefcd4328dd9e7449dc1b9662dc9a995d2599ddac8453
Instruction Fuzzy Hash: A031B375901218ABCB21EF64D88978DBBF8AF08310F6045EAE41CA7261EB709F85CF45

Function 00A01670 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FC), ref: 00A01689
SetWindowLongW.USER32(?,000000FC,?), ref: 00A01697
DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,00C1383C), ref: 00A016C3

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: f25919a08f2fd0f78dd0e3bfd1215d7421de6e08cdbf8a60cb0bfc8ca20167c2
Instruction ID: 00c8f6773a52a11ee8b9b5da6eb4bb0b653c9b55b8f54cb56186c0cc2a37c03b
Opcode Fuzzy Hash: f25919a08f2fd0f78dd0e3bfd1215d7421de6e08cdbf8a60cb0bfc8ca20167c2
Instruction Fuzzy Hash: BDF0B731004A119BDB655B28FD08F9ABAE5BB05721F148B1DF4AA825F0DB65E845DB10

Function 00A17630 Relevance: 3.3, APIs: 2, Instructions: 252windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 00A1774D
SendMessageW.USER32(?,0000102B,0000009B,?), ref: 00A17932

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a063aec26a17ac55bb34a1c89c9131722f63b7c13caaf8c8fe28c7d001cb5a5e
Instruction ID: a4bc0afd9c7d04fd71278c9fff587625960e6088d244a268c7252115a00448bd
Opcode Fuzzy Hash: a063aec26a17ac55bb34a1c89c9131722f63b7c13caaf8c8fe28c7d001cb5a5e
Instruction Fuzzy Hash: 55A1E571A04206AFDB18DF24C995BEDFBF5FB14300F14826AE45ADB291D734EA85CB90

Function 00B0E3A0 Relevance: 3.1, APIs: 2, Instructions: 140fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,BACC40AC,00000000,?,00000000), ref: 00B0E48E
FindClose.KERNEL32(00000000,?,00000000), ref: 00B0E4D9

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 07b1ba457b4f4db39351ec778663cf97afe379e76edb8ef0eece2781acdf72c8
Instruction ID: ecdca90102d067ca79d5026b8b36896ffd4ebdcbadcac43e795ffcb90fee601e
Opcode Fuzzy Hash: 07b1ba457b4f4db39351ec778663cf97afe379e76edb8ef0eece2781acdf72c8
Instruction Fuzzy Hash: 4651707190060ADFDB21DF68C888BAEBBF4FF44318F104999E925AB381D7749A05CF91

Function 00AF2230 Relevance: 3.1, APIs: 2, Instructions: 105windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,BACC40AC,00000008,00000000), ref: 00AF227B
GetLastError.KERNEL32 ref: 00AF2285

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c0312f9f8eef1e0eda5963ad5aac5713b8ae680b1ea208be4d89799e2a8c17f4
Instruction ID: bcace2c3a9c605975579406070bb134b1843ee78c5d1f39e46e97e19d20ac7b5
Opcode Fuzzy Hash: c0312f9f8eef1e0eda5963ad5aac5713b8ae680b1ea208be4d89799e2a8c17f4
Instruction Fuzzy Hash: BB319371A00219ABDB10DF99DC05BAEBBF8FB44714F10452EF518E73C0DBB599048B95

Function 00A50010 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00A5007F
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00A5008D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 569cf7389cffa08b826aedf0933c9ab1e2c334b37596af82e6ec87b303e89454
Instruction ID: 5cbfed782a8d290c86444bee727e74850d03fb0cbb7bfdac4c4bef2a8e8823c5
Opcode Fuzzy Hash: 569cf7389cffa08b826aedf0933c9ab1e2c334b37596af82e6ec87b303e89454
Instruction Fuzzy Hash: E8315971900605EFCB20DF69D944F9EFBF4FB04320F148269E824A76E1D775A954CB90

Function 00B1E610 Relevance: 3.1, APIs: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,BACC40AC,?,00000000,00000000,00000000,00BF351D,000000FF), ref: 00B1E678
FindClose.KERNEL32(00000000,?,BACC40AC,?,00000000,00000000,00000000,00BF351D,000000FF), ref: 00B1E6C2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4facbbe59ac1b0580de271f23a67f833a07d94c68cc926b03a46366fea754587
Instruction ID: 197e6907a3fd904f7d7c351d8d56b49c36ac5b551b00c02ebb082a436f8c757a
Opcode Fuzzy Hash: 4facbbe59ac1b0580de271f23a67f833a07d94c68cc926b03a46366fea754587
Instruction Fuzzy Hash: CD21A171900548DFDB10EF68DC49BAEB7B8EF84724F544269E825972D0DB309A08CB94

Function 00A252F0 Relevance: 1.9, Strings: 1, Instructions: 617COMMON

Download Yara Rule

Strings

2, xrefs: 00A25576

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: f80b93e4318b0e5d5462c18e1275ebe3d62dab458fe0826b170f3988e9eb9342
Instruction ID: 38e72257805320458cf97e2cb0a0354861f2fb4c6fa0b9327973e6e9bf4b24b0
Opcode Fuzzy Hash: f80b93e4318b0e5d5462c18e1275ebe3d62dab458fe0826b170f3988e9eb9342
Instruction Fuzzy Hash: 2F32BFB1A04B118BCB14DF29E98156BB7E6BF94308F14493EF5C6D7281EA34E948C793

Function 00BA41E6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BA423A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c8e17042f07d394ebd2c4d521b2aafa980e45a871c37093ce5a03bd94b69a276
Instruction ID: 482f4f022000b74d64976e8cee4f4d9bf39794b578c2260a3908703f4cfd9b62
Opcode Fuzzy Hash: c8e17042f07d394ebd2c4d521b2aafa980e45a871c37093ce5a03bd94b69a276
Instruction Fuzzy Hash: B0218372528206AFDF28AE29DC42BBA77E8EF86310B1040BAFD05D6241EBB4DD05C750

Function 00BA3E6D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

EnumSystemLocalesW.KERNEL32(00BA3F93,00000001,00000000,?,-00000050,?,00BA45C4,00000000,?,?,?,00000055,?), ref: 00BA3EDF

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 173514eac05684485e97a5c9c635487d378572b38f7cccd0da484e260b2470bd
Instruction ID: e56981762c910c45834d7031e874be40724555cd6f8feed8d6d95b9f03f0e8ad
Opcode Fuzzy Hash: 173514eac05684485e97a5c9c635487d378572b38f7cccd0da484e260b2470bd
Instruction Fuzzy Hash: 25112936A087019FDB189F39C89167ABBE2FF81758B14442DF98787A40E3716A42C740

Function 00BA4415 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00BA4290,00000000,00000000,?), ref: 00BA4441

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: a33e5f4dead7a2173f81d9f527cf093736958a8d8dbec7af063905767fd6d4d7
Instruction ID: c49dfb220694c1625d5b9d38db633f0226e14477f4ebe7d88301a27f9af6d9ec
Opcode Fuzzy Hash: a33e5f4dead7a2173f81d9f527cf093736958a8d8dbec7af063905767fd6d4d7
Instruction Fuzzy Hash: 16F02D32914111BBDF285725CC457BE77E4EB85754F0544A4ED95A3240EFB4FE42C6A0

Function 00BA3D7B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00BA3DCF

Strings

utf8, xrefs: 00BA3D3E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 721e5b5299229d14095b37e139842cdcdd840f9f76a839be7bd714715ef5c0e5
Instruction ID: e3020232857bf360a2ade23e06f9e27e0b24e6cf1c5f3eb9ac16f6a7e2e75ab9
Opcode Fuzzy Hash: 721e5b5299229d14095b37e139842cdcdd840f9f76a839be7bd714715ef5c0e5
Instruction Fuzzy Hash: 50F0C832A11105ABCB28AB39DC4ABBE73E8DF45750F1140B9BA46D7241EA74AD05C750

Function 00BA3F08 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

EnumSystemLocalesW.KERNEL32(00BA41E6,00000001,?,?,-00000050,?,00BA4588,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00BA3F52

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7067eacbe44447b476d567fade0c6b20b4126978d7aaa69317b9ef8a5df96428
Instruction ID: 9957d0c733ac581706d78c4d07ac4b37c163c5db7eaa3b3a6f4a89ccfa47c7c2
Opcode Fuzzy Hash: 7067eacbe44447b476d567fade0c6b20b4126978d7aaa69317b9ef8a5df96428
Instruction Fuzzy Hash: CAF0F6366083046FDB245F399CC1A7ABBE5FF81B68F4584ACF9458B690D7B29D42C610

Function 00B9FC09 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9A89A: EnterCriticalSection.KERNEL32(-00C95108,?,00B9CE16,009F9F56,00C89668,0000000C,00B9D0E1,?), ref: 00B9A8A9

EnumSystemLocalesW.KERNEL32(00B9FBFC,00000001,00C897A8,0000000C,00BA002B,00000000), ref: 00B9FC41

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 22f84db852cb6a85d5490c0272ad4c6be55be9d40386caf8fef5e6c39383222c
Instruction ID: 09079525762a0cd26508906aedc4cccb83d8bad8dca4f9e8d8cb4ba977df9e9b
Opcode Fuzzy Hash: 22f84db852cb6a85d5490c0272ad4c6be55be9d40386caf8fef5e6c39383222c
Instruction Fuzzy Hash: B3F037B6A50205EFDB00EFA8E842BACBBF0EB44721F1081AAF404DB2A1CB7549418B54

Function 00BA3E22 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D836: GetLastError.KERNEL32(?,00000008,00B9F453), ref: 00B9D83A
Part of subcall function 00B9D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 00B9D8DC

EnumSystemLocalesW.KERNEL32(00BA3D7B,00000001,?,?,?,00BA45E6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BA3E59

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e96194a51f05354ac608ef0eb27685b0e6ec322bfa496dad958744708fbc58cc
Instruction ID: 9b8d5331b8e6c04a60c1b7ec6fad001117b9785f9f5ce091dc16e7abcb7a5413
Opcode Fuzzy Hash: e96194a51f05354ac608ef0eb27685b0e6ec322bfa496dad958744708fbc58cc
Instruction Fuzzy Hash: 47F0553A30020597CB04AF3AD84576ABFD0EFC2B50B0A40A9FA098B260C7319943C760

Function 00A115F0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00A0FD16,?,?,?,?,?,?,?,?,00A15411,?,?), ref: 00A11640

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 0e767cf8f8a72a3ea2423027c3ce6524426cf8a7a74c0e3044648026fb65fe3c
Instruction ID: 43825ad9f7cf21bd0ddb3ca9adb9f6a71e293aa2333c6b5ca28490df57f86d68
Opcode Fuzzy Hash: 0e767cf8f8a72a3ea2423027c3ce6524426cf8a7a74c0e3044648026fb65fe3c
Instruction Fuzzy Hash: 21F05830104181DEE3448F54C898BA9BBAAFB4538AF4C45F6E2A8C55A1C23A8E84DE10

Function 00BA0186 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B99F14,?,20001004,00000000,00000002,?,?,00B99516), ref: 00BA01BA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d8c69f2cbfc3df65b2e1db04e14c83a5da2cae9236d3bd778ba3af6d3f2efac0
Instruction ID: 46211ca3818ef02a6cf6b083794df1e1a895f5c1fa6c25347aa168f011c3ef97
Opcode Fuzzy Hash: d8c69f2cbfc3df65b2e1db04e14c83a5da2cae9236d3bd778ba3af6d3f2efac0
Instruction Fuzzy Hash: 1AE04F31515518BBCF123F61DC04BEE7EA5EF45760F018060FD45A5121CB318921AAD4

Function 00A46EE0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

1, xrefs: 00A472E7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: df452b81a4ae5ed29d11c32b08c81259c73d0d54b512e16dc1746d3661b90f98
Instruction ID: 5996ef7d5fbd8ad9226db8aae98e4e39c7d5dc9a3d603cd644cc3cf513efb332
Opcode Fuzzy Hash: df452b81a4ae5ed29d11c32b08c81259c73d0d54b512e16dc1746d3661b90f98
Instruction Fuzzy Hash: CAD104B0505B86EFE709CF64C5587CAFBF4BB05308F14824DD4685B281D3BAA658DBD1

Function 00ACB7A0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60179cadf2a73e4acb5adfe04ad106e66877190d97820f38112b7cb41a975170
Instruction ID: 2ba0bcf9ebc87c913e9441ad3293291bd188ff4d18c94946923e705833387d59
Opcode Fuzzy Hash: 60179cadf2a73e4acb5adfe04ad106e66877190d97820f38112b7cb41a975170
Instruction Fuzzy Hash: 7402C472A102159FDB18DF68C885BAEB7F5EB58310F15426EE815E7391EB31AD04CBA0

Function 00B8E64C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8946584d937198e9c5ee5660420c7c1d59923a6e37ca30c4d153176cea3fa053
Instruction ID: 82451b4d27c3d81b5433b233ad9cc61b90abb4c3ef2df1c8e6cad334dc420d05
Opcode Fuzzy Hash: 8946584d937198e9c5ee5660420c7c1d59923a6e37ca30c4d153176cea3fa053
Instruction Fuzzy Hash: 4BE19B74A00606CFCB28EF68C580AAEB7F1FF45710B244699E4769B2B1E770ED42CB51

Function 00A21860 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ffbd466cba5f462ba001dc336896042cf0834f3aa64ecef15a2589dacdb26
Instruction ID: 09b6407c9087040c2143e4d43edfe650b9d596bdbfd71331d599e23a7594bfa2
Opcode Fuzzy Hash: 8d5ffbd466cba5f462ba001dc336896042cf0834f3aa64ecef15a2589dacdb26
Instruction Fuzzy Hash: 0CB1A571E001199FCB18DF5CC991AAEBBF5EF98340F548169E905EB395EB70AD01CB90

Function 00B8E2BE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca3fcc2ea209e883589c373435a2f6d4694b8531974e170d0edc7f5054e2973
Instruction ID: fea83af7c9b364608cf0a77e679362337de6ca814eb6f486a9d00e62b90e017d
Opcode Fuzzy Hash: 5ca3fcc2ea209e883589c373435a2f6d4694b8531974e170d0edc7f5054e2973
Instruction Fuzzy Hash: 6CC1DE70A00646CFCB25EF68C4906BEBBE1EF15314F2846A9E4A6973B2D730EC45CB55

Function 006D4F09 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2190220570.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, Offset: 006CC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6cc000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b020bbd38188765a5bac1f25dbfdf7699e7eb530306fe0c68414d7b619941983
Instruction ID: b0ee60fee72e24e3e66cf59a6a3e26d66e8cbb6a6ad4aa410442c739ab04bdf9
Opcode Fuzzy Hash: b020bbd38188765a5bac1f25dbfdf7699e7eb530306fe0c68414d7b619941983
Instruction Fuzzy Hash: 0341456194E7C21FD7539B34A9AAB90BFB0AB13610F0D85DFC4C48F5E3D6946619C312

Function 009FF7C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770715a4aa328dd82597caeaa001d758df78994585dc71d2706f6ad95872f071
Instruction ID: 0585820241df66ade7ddc355f183ef256e1c2fe77eb22debd57edde0e0fce1e1
Opcode Fuzzy Hash: 770715a4aa328dd82597caeaa001d758df78994585dc71d2706f6ad95872f071
Instruction Fuzzy Hash: BD71F8B0805B48DFE761CF68C95478ABFF0BB05314F108A5EC4A99B391D3B96648DF91

Function 00A97F20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36310eb4a256f07c6cffaf1665b37ed3c8e5b7b74aba2bb3fdd12a255edd226e
Instruction ID: a57638fb3ad8aff5dbe0ee5b3014fa93ed27506be06c981e6e3f4551b8113af7
Opcode Fuzzy Hash: 36310eb4a256f07c6cffaf1665b37ed3c8e5b7b74aba2bb3fdd12a255edd226e
Instruction Fuzzy Hash: 2241F6B0905749EED704CF69C50878AFBF0BB19318F20865DD4589BB81D3BAA619CFD1

Function 00A08720 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f682f24fc0d282d3410f6ebe71a78182bf7ee7f06324e3db12eb38bd27afa9
Instruction ID: 667822729b09c99e7248848dddc6370d0dd7fadfb953c4137c0df5aa8fb24bca
Opcode Fuzzy Hash: 00f682f24fc0d282d3410f6ebe71a78182bf7ee7f06324e3db12eb38bd27afa9
Instruction Fuzzy Hash: ED31D0B0405B84CFE721CF69C55878BBFF0BB05728F108A4DD4A64BB91D3BAA548CB91

Function 00A02250 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3b87984966dad9e1141c5555a0e94b5a9be595ff7adcf0af53af22ed230ef6
Instruction ID: 385e47aef1bdf0263846f91bb7c756f4dc25de91a6975b32d9e818a2bc9d6b67
Opcode Fuzzy Hash: 2a3b87984966dad9e1141c5555a0e94b5a9be595ff7adcf0af53af22ed230ef6
Instruction Fuzzy Hash: 882158B0804788DFDB10CF58C944B8ABBF4FB09324F1186AED4559B791E3B9AA44CF94

Function 00A01C90 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15df7e99a406af5ae0b203d7ab5be82be98657c85ed7ca4e88a543b6a0d9bdc
Instruction ID: ddf5ddbc7670376c870bd0b2fef04db56498631a71e402f996d2eec439e07dc2
Opcode Fuzzy Hash: c15df7e99a406af5ae0b203d7ab5be82be98657c85ed7ca4e88a543b6a0d9bdc
Instruction Fuzzy Hash: FF216DB0804788DFD710CF58C94478ABBF4FB0A324F11869ED455AB791E3B9AA44CF90

Function 00A1D320 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23331813631094e39c45ff29ef6c3485030f8f4af3782655994aa05615191d5d
Instruction ID: 01d18453b20a50036b35cdf956b8815f9945c4772ed173783e82a45a7ade4628
Opcode Fuzzy Hash: 23331813631094e39c45ff29ef6c3485030f8f4af3782655994aa05615191d5d
Instruction Fuzzy Hash: 691100B1905248DFCB44CF58C544789BBF4FB09728F20869EE8189B381D3769A06DF84

Function 00BA783E Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
Instruction ID: 0f8d4ccbbe41463f568317951fa2745a6375a5ff6b75eb3bd6534f6777fddba4
Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
Instruction Fuzzy Hash: EFE08C32919228EBCB14DB9AC908D8AF3ECEB46B10B1100AAF501D3200C674DE00C7D0

Function 00B9C66D Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
Instruction ID: 4c2b46f80cc4abf1916e33858f91b01898967fb6bde9524ea8e10430e7f57f86
Opcode Fuzzy Hash: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
Instruction Fuzzy Hash: AFC08C7404690057CE298A2482713A433E4E3A2782F9024DCC4020BA42C91E9C82D788

Function 00B32F90 Relevance: 51.2, APIs: 26, Strings: 3, Instructions: 487timefilememoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00B32FA9
LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00B32FB9
GetLastError.KERNEL32(?,00000000), ref: 00B32FF7
LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 00B33036
GetLastError.KERNEL32(?,00000000), ref: 00B33050
LocalFree.KERNEL32(?,?,00000000), ref: 00B33061
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,BACC40AC,7622F530,?,?), ref: 00B33100
GetLastError.KERNEL32 ref: 00B3311E
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00B3314B
GetLastError.KERNEL32 ref: 00B33155
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B331DA
GetLastError.KERNEL32 ref: 00B331E4
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B3321C
SystemTimeToFileTime.KERNEL32(00000000,00C1341C), ref: 00B3323D
CompareFileTime.KERNEL32(00C1341C,?), ref: 00B3324F
PathFileExistsW.SHLWAPI(?,00000005), ref: 00B332EC
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,00000001,S-1-1-0,10000000,00000001), ref: 00B33387
GetLastError.KERNEL32 ref: 00B33397
CloseHandle.KERNEL32(00000000), ref: 00B3339F

Strings

S-1-1-0, xrefs: 00B33341
.part, xrefs: 00B33291
S-1-5-18, xrefs: 00B33352

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FileTime$ErrorLast$Local$FreeSystem$Create$AllocCloseCompareExistsHandlePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1123205858-2727065896
Opcode ID: 854d81922872e0b99aacd496f49dd46e76a35582784837ea597cc5a2dc8bfba4
Instruction ID: 39cdcdb1b474b961572e496b5fac46f3932799f1e8c21e31f4405c2f2d419a1e
Opcode Fuzzy Hash: 854d81922872e0b99aacd496f49dd46e76a35582784837ea597cc5a2dc8bfba4
Instruction Fuzzy Hash: 14128B70A007449FDB21CF68C848BABBBF4FF44B04F24456DE552976A0DB71EA48CB50

Function 00B24B10 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 335COMMON

Download Yara Rule

Strings

Unable to find file , xrefs: 00B24B43
Unable to get a temp file for script output, temp path: , xrefs: 00B24C1F
Unable to retrieve PowerShell output from file: , xrefs: 00B24E6F
txt, xrefs: 00B24BE3
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00B24C6F
Unable to retrieve exit code from process., xrefs: 00B24E92
ps1, xrefs: 00B24BB6, 00B24BC8, 00B24BD2
Unable to create process: , xrefs: 00B24D15

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: 00cdb8993cbbf9a1645d9559e7be13fbb01de5eb08f160d2ccf4653d067a86d4
Instruction ID: c0cfb38eb3a230e80ac45e1af71c7d94e1e83c254672357615e3ac00a2aede0b
Opcode Fuzzy Hash: 00cdb8993cbbf9a1645d9559e7be13fbb01de5eb08f160d2ccf4653d067a86d4
Instruction Fuzzy Hash: C2C1CD70D00659EFDB10DBA8DD05BAEBBF4FF04314F108298E518AB691DB70AA44CF90

Function 00ADA2B0 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 238libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

GetModuleHandleW.KERNEL32(kernel32,BACC40AC,?,?,00000000), ref: 00ADA3B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00ADA3FB
__Init_thread_footer.LIBCMT ref: 00ADA40E
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00ADA456
__Init_thread_footer.LIBCMT ref: 00ADA469
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00ADA4B1
__Init_thread_footer.LIBCMT ref: 00ADA4C4

Part of subcall function 00AB1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AB1FF1
Part of subcall function 00AB1FB0: _wcschr.LIBVCRUNTIME ref: 00AB20AF

Strings

kernel32, xrefs: 00ADA3AE
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00ADA327, 00ADA32F
SetDllDirectory, xrefs: 00ADA450
kernel32.dll, xrefs: 00ADA60D
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00ADA340, 00ADA34F
SetDefaultDllDirectories, xrefs: 00ADA4AB
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00ADA347
SetSearchPathMode, xrefs: 00ADA3F5
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00ADA322

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 1258094593-3455668873
Opcode ID: 2e548cb771ed43b8c2d073620a4fe23f6c9d3cc6bd683e071bd708bdbd16ebfc
Instruction ID: 42d39686c59fd78aedafb885310ed93cf5ba490fcda60c298e64e107c267dbf0
Opcode Fuzzy Hash: 2e548cb771ed43b8c2d073620a4fe23f6c9d3cc6bd683e071bd708bdbd16ebfc
Instruction Fuzzy Hash: E5A13AF09082289FDF10DF54E989B9EBBB4FF01718F50429AE4196BB91D7B05948CFA1

Function 00B32A10 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 390libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,BACC40AC,00000000,00000000), ref: 00B32AA1
GetLastError.KERNEL32 ref: 00B32ACF

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00B32AE5
FreeLibrary.KERNEL32(00000000), ref: 00B32AFE
GetLastError.KERNEL32 ref: 00B32B0B
GetLastError.KERNEL32 ref: 00B32CF9
GetLastError.KERNEL32 ref: 00B32D5E

Strings

Advapi32.dll, xrefs: 00B32A9C
ConvertStringSidToSidW, xrefs: 00B32ADF

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: c4bc456bcf80f8651d7a6096f00f9db60ae6b9f7b1d26224c47a791ac033d53e
Instruction ID: 709dde68393a664bb49bff786420ec64f3cbaf04d3e91285c0e997ddf7af390e
Opcode Fuzzy Hash: c4bc456bcf80f8651d7a6096f00f9db60ae6b9f7b1d26224c47a791ac033d53e
Instruction Fuzzy Hash: 63F159B1C01219ABDF10DF94C945BEEBBF4FF08314F208269E915B7290D770AA59CBA1

Function 00A016D0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 359stringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00A01770
lstrcmpW.KERNEL32(?,#32770), ref: 00A017D1
GetWindowLongW.USER32(?,000000F0), ref: 00A01871

Strings

#32770, xrefs: 00A017C8

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Longlstrcmp
String ID: #32770
API String ID: 2734850466-463685578
Opcode ID: 085c151dafb6e680a4dfa04c7060f84a96a801504ec22b1ff4ad96d9811102df
Instruction ID: 6ae7430a8b6bd6c41126f0eb2b4bbf58f6d6911ce3838e570d21aff9776cd19a
Opcode Fuzzy Hash: 085c151dafb6e680a4dfa04c7060f84a96a801504ec22b1ff4ad96d9811102df
Instruction Fuzzy Hash: EBE17B70A01219EFDB15CFA8E988FEDBBB5AF49714F148159E801AB2E0D774AD44CB60

Function 00A2D6E0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,BACC40AC,?,?,00000000,?,?,?,?,?,?,BACC40AC,00BB8E95,000000FF), ref: 00A2D74D
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A2D753
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,BACC40AC,00BB8E95,000000FF,?,00A445FA,00C1B84C,BACC40AC,BACC40AC), ref: 00A2D783
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A2D789

Strings

RoGetActivationFactory, xrefs: 00A2D743
.dll, xrefs: 00A2D8A6
combase.dll, xrefs: 00A2D748, 00A2D77E
DllGetActivationFactory, xrefs: 00A2D902
CoIncrementMTAUsage, xrefs: 00A2D779

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: b5bf326511c977adb9b04cfee17185d38c5f81fd8af15df65d8a38c1c34899e9
Instruction ID: 2a7e312f58b506792d2054ccffdbac8bcefc02b50046856d4b25fd9904004490
Opcode Fuzzy Hash: b5bf326511c977adb9b04cfee17185d38c5f81fd8af15df65d8a38c1c34899e9
Instruction Fuzzy Hash: 8CA17871A00219EFDF15EFACD885BEDBBB4EF19310F144179E411A72A2EB749A44CB60

Function 00A4A430 Relevance: 21.2, APIs: 14, Instructions: 243COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00A4A49E
SetWindowLongW.USER32(00000000,000000F0,00C80000), ref: 00A4A4CC
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00A4A4E1
GetWindowLongW.USER32(00000000,000000EC), ref: 00A4A518
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A4A545
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00A4A559
GetWindowLongW.USER32(?,000000F0), ref: 00A4A57B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A4A592
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00A4A5A6
GetWindowRect.USER32(?,?), ref: 00A4A5F6
GetWindowLongW.USER32(?,000000EC), ref: 00A4A61C
GetWindowRect.USER32(?,?), ref: 00A4A66A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,?), ref: 00A4A6A0
SetWindowTextW.USER32(?,?), ref: 00A4A6E1

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Long$Rect$Text
String ID:
API String ID: 445026432-0
Opcode ID: c3fe515911e7775d3b94b38b9fda91e7ba175f356d4ddca3a679e0c6f91adfc4
Instruction ID: 367e501a17d756dc101b753fa9f77201040dc669467a56d65b5695a1614b4fdd
Opcode Fuzzy Hash: c3fe515911e7775d3b94b38b9fda91e7ba175f356d4ddca3a679e0c6f91adfc4
Instruction Fuzzy Hash: CC916D75A00609AFDB04DFA8DD49FEDBBB5FF48310F204229F426A72A4DB35A911CB50

Function 00A23400 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 222libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,BACC40AC,?,?,?,?,?,?,?,BACC40AC,00BB64A5,000000FF,?,00A2371A,00C174D0), ref: 00A23467
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A2346D
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,BACC40AC,00BB64A5,000000FF,?,00A2371A,00C174D0,BACC40AC,BACC40AC), ref: 00A2349E
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A234A4

Strings

RoGetActivationFactory, xrefs: 00A2345D
.dll, xrefs: 00A235A9
combase.dll, xrefs: 00A23462, 00A23499
DllGetActivationFactory, xrefs: 00A235E9
CoIncrementMTAUsage, xrefs: 00A23494

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: e97c6f6b50e4ab41e4e2b8363181374432f63163005d1f7f23b3afa0a5d4bbbc
Instruction ID: f4110ab208947a07e5386f48bece6071f7f4c710e5638677c84a19999ef4e034
Opcode Fuzzy Hash: e97c6f6b50e4ab41e4e2b8363181374432f63163005d1f7f23b3afa0a5d4bbbc
Instruction Fuzzy Hash: 6C818F72900218EFDF15EFA8D885BEEBBB4EF0A310F144179E415B7291DB749A44CB60

Function 00B1EC20 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 413registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,BACC40AC,?,?), ref: 00B1EC83
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00B1EE19
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00B1EE75
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00B1EEC5
RegCloseKey.ADVAPI32(?), ref: 00B1EF05

Strings

Software\JavaSoft\Java Development Kit\, xrefs: 00B1EC75, 00B1EC7D
Software\JavaSoft\Java Runtime Environment\, xrefs: 00B1EC66
JavaHome, xrefs: 00B1EE6F, 00B1EEBA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: OpenQueryValue$Close
String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
API String ID: 2529929805-1079072530
Opcode ID: 4137147f854f499347925eac6c09f87bdf781bb1618578f07a09d56e0cdc4d26
Instruction ID: b8ea1b79c74305a6fc4cc62e2e5397158424f261e0a6ea0cb13d92446bb973e3
Opcode Fuzzy Hash: 4137147f854f499347925eac6c09f87bdf781bb1618578f07a09d56e0cdc4d26
Instruction Fuzzy Hash: C4026C709012699BDB20DF28CC88BEEB7B4EF44304F5042E9E819A7291DB75AEC5CF50

Function 00B281B0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 302libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,BACC40AC,?,?,00C96054), ref: 00B281F8
LoadLibraryW.KERNEL32(Shell32.dll,?,00C96054), ref: 00B28207
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00B2821B
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00B2829A
SHGetMalloc.SHELL32(?), ref: 00B282D7
PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 00B2832A
CreateDirectoryW.KERNEL32(?,?,Everyone,10000000,00000000,?,00000000), ref: 00B283B5

Strings

SHGetSpecialFolderPathW, xrefs: 00B28215
ADVINST_LOGS, xrefs: 00B2831D
Everyone, xrefs: 00B28371
Shell32.dll, xrefs: 00B28202

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
API String ID: 1254244429-1733115844
Opcode ID: cb1ef7ec99210fc36a210530f31fe67e75272f8393d12034fc7b1abd0d36b46b
Instruction ID: 8b732cabd856368ed91c1813daed2ad3932f187bac484b4e672f35543c95e32e
Opcode Fuzzy Hash: cb1ef7ec99210fc36a210530f31fe67e75272f8393d12034fc7b1abd0d36b46b
Instruction Fuzzy Hash: 00B1CD70D01619DFDB10DFA8D949BAEFBF4EF54310F248299E419B72A0EB749A04CB60

Function 00A1C7D0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00A1C95F
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00A1C973
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00A1C988
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00A1C99D
GetWindowTextLengthW.USER32(?), ref: 00A1C9A4
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00A1C9B4

Part of subcall function 00A00DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00A00DE6

GetWindowRect.USER32(?,?), ref: 00A1C9E6
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A1CA48
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00A1CA58

Strings

,, xrefs: 00A1C90E
tooltips_class32, xrefs: 00A1C855

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$Window$LengthLongRectText
String ID: ,$tooltips_class32
API String ID: 2970668393-3856767331
Opcode ID: 947d782bbb350096fa00f7bfae6ca9cd86d0145daaa897c309146373b1b1e8de
Instruction ID: e2459df71c66247a2ee09e09529b1e5179b67bebdeb31294099209bfdff1d828
Opcode Fuzzy Hash: 947d782bbb350096fa00f7bfae6ca9cd86d0145daaa897c309146373b1b1e8de
Instruction Fuzzy Hash: F1914C71A40208AFEB14DFA4DD99FEEBBF9FB08300F10452AE516EA290D774A905CB50

Function 00AF8440 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 223threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00C9611C,BACC40AC,?,?,00000000,?,?,?,?,?,00000000,00BEB407,000000FF), ref: 00AF84B3
EnterCriticalSection.KERNEL32(?,BACC40AC,?,?,00000000,?,?,?,?,?,00000000,00BEB407,000000FF), ref: 00AF84C5
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00BEB407,000000FF), ref: 00AF84D2
GetCurrentThread.KERNEL32 ref: 00AF84DD
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,00C1337C,00000000,?,?,?,?,?,00000000,00BEB407,000000FF), ref: 00AF86BE
LeaveCriticalSection.KERNEL32(?,00C1337C,00000000,?,?,?,?,?,00000000,00BEB407,000000FF), ref: 00AF879A

Strings

<--------------------MORE--FRAMES-------------------->, xrefs: 00AF8662
[0x%.8Ix] , xrefs: 00AF86C5
MODULE_BASE_ADDRESS, xrefs: 00AF870B
*** Stack Trace (x86) ***, xrefs: 00AF85B7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 3051236879-315745733
Opcode ID: 34000614f56cb0ab9fde1211d64405a54b6d042fce22a25bc127c656db0ce0b7
Instruction ID: edb69f701066f5670c56ae77cfb9bc0cc8406beae999d5487550f17783a44091
Opcode Fuzzy Hash: 34000614f56cb0ab9fde1211d64405a54b6d042fce22a25bc127c656db0ce0b7
Instruction Fuzzy Hash: E2A159719003889FDF25DFA4CC49BEE7BB8AF45308F404168FA49AB291DBB55B09CB51

Function 00B274C0 Relevance: 16.7, APIs: 11, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00C96054,BACC40AC,?,00000010), ref: 00B274FC

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

EnterCriticalSection.KERNEL32(00000010,BACC40AC,?,00000010), ref: 00B27509
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00B2753B
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00B27544
WriteFile.KERNEL32(00000000,00B13C07,6054B9EC,00BF500D,00000000,00C1334C,00000001,?,?,000000FF,00000000), ref: 00B275C6
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00B275CF
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00B27605
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00B2760E
WriteFile.KERNEL32(00000000,?,?,?,00000000,00C158A8,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 00B2766F
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00B27678
LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00B276A8

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
String ID:
API String ID: 201293332-0
Opcode ID: 1c0be4991e00009ae7d38ac210fec8601231ea47643d3decbe1e45a262d82d0c
Instruction ID: b913b0cca7764c2e89d6a596aa1e26bd63590d6875b84750f09c268210e01d7e
Opcode Fuzzy Hash: 1c0be4991e00009ae7d38ac210fec8601231ea47643d3decbe1e45a262d82d0c
Instruction Fuzzy Hash: EB61CB30900644EFDB01DF68DC49BAEBBB4FF45314F1481A9F945A72A1DB709918DFA4

Function 00B1F880 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 296libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AB1FF1
Part of subcall function 00AB1FB0: _wcschr.LIBVCRUNTIME ref: 00AB20AF

GetLastError.KERNEL32(BACC40AC,?,?,?,000000FF,?,00B04196,?,?), ref: 00B1F8ED
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00B1FA7A
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00B1FADE
FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,00B04196,?,?), ref: 00B1FBD2

Strings

neutral, xrefs: 00B1F982
x86, xrefs: 00B1F938
x64, xrefs: 00B1F966
GetPackagePath, xrefs: 00B1FA74, 00B1FAD8
Kernel32.dll, xrefs: 00B1F8C1

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 3734293021-4043905686
Opcode ID: ad98b27d5fa6e8a74cc0d6827988e6b36bbc8f2a322e35d467e089b7e67d6345
Instruction ID: bf4b4f9bec32e47740699e37deda24179f1adf17b8e099c2c52849c912e136a2
Opcode Fuzzy Hash: ad98b27d5fa6e8a74cc0d6827988e6b36bbc8f2a322e35d467e089b7e67d6345
Instruction Fuzzy Hash: 35C16E70A0120ADFDB04DFA8C894BAEBBF1FF49314F1482A9E515AB391DB749944CF90

Function 00B1D7C0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 121COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00B1D7F6

Strings

HKLM, xrefs: 00B1D825
HKEY_CLASSES_ROOT, xrefs: 00B1D891
HKCR, xrefs: 00B1D87D
HKEY_LOCAL_MACHINE, xrefs: 00B1D83D
HKCC, xrefs: 00B1D8A5
HKEY_CURRENT_USER, xrefs: 00B1D869
HKCU, xrefs: 00B1D855
HKEY_CURRENT_CONFIG, xrefs: 00B1D8B9

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: _wcschr
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
API String ID: 2691759472-1956487666
Opcode ID: 084029de4866359f09f3700c6046948607ff5e9558403d83435f7c5c98badcbb
Instruction ID: e552cdd0c98cbdcf893da2e901600019dabdc54837aaef7b42b5f60b444b4028
Opcode Fuzzy Hash: 084029de4866359f09f3700c6046948607ff5e9558403d83435f7c5c98badcbb
Instruction Fuzzy Hash: A941C472E50615AFDF106B58DC02BAAB7F8EB00721F1406B9BC14E26D0EB71DD54DAA1

Function 009FF5F0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C96250,BACC40AC,00000000,?,?,?,?,?,?,009FEE50,00BAF68D,000000FF), ref: 009FF62D
LoadCursorW.USER32(00000000,00007F00), ref: 009FF6A8
LoadCursorW.USER32(00000000,00007F00), ref: 009FF74E
LeaveCriticalSection.KERNEL32(00C96250), ref: 009FF7A3

Strings

WM_ATLGETHOST, xrefs: 009FF639
AtlAxWin140, xrefs: 009FF65F, 009FF6C3
AtlAxWinLic140, xrefs: 009FF70F, 009FF765
0, xrefs: 009FF733
WM_ATLGETCONTROL, xrefs: 009FF644

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-283551416
Opcode ID: 8bcc646fb071281436a9aa79d04c6fd38543dcfa0064d347943a3aa369f5559f
Instruction ID: f00537ccf97e06591b8b674248bc9cccd9f581ea55dd1cc83e1cdd3773ef8b51
Opcode Fuzzy Hash: 8bcc646fb071281436a9aa79d04c6fd38543dcfa0064d347943a3aa369f5559f
Instruction Fuzzy Hash: 805117B0D11359AFDB11DF94D958BEEBFF8EF08718F10412AE404B7290DBB55A498BA0

Function 00A22860 Relevance: 15.4, APIs: 10, Instructions: 404memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

CreateThread.KERNEL32(00000000,00000000,00A229B0,00C17458,00000000,?), ref: 00A2292A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A22943
CloseHandle.KERNEL32(00000000), ref: 00A22959
CoInitializeEx.COMBASE(00000000,00000000), ref: 00A22A09
GetProcessHeap.KERNEL32(?,00000000), ref: 00A22B0B
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A22B11
GetProcessHeap.KERNEL32(?,00000000), ref: 00A22B90
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A22B96
CoUninitialize.COMBASE ref: 00A22CEA
Concurrency::cancel_current_task.LIBCPMT ref: 00A22D6B

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
String ID:
API String ID: 1779960141-0
Opcode ID: 4ff195c9319a7d34eb80230742fcde5effcbfabdf2c9bc02a707086b84b9b71e
Instruction ID: 6d6c15dd39257e26135dddb4abafa0bcda377e72ccf3ce187020d69dc62de62f
Opcode Fuzzy Hash: 4ff195c9319a7d34eb80230742fcde5effcbfabdf2c9bc02a707086b84b9b71e
Instruction Fuzzy Hash: B9F16D70D00258EFDF14DFA8D944BEEBBB8BF45304F248169E805AB291DB749A44CBA1

Function 00A13190 Relevance: 15.3, APIs: 10, Instructions: 339memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A131EA
VariantClear.OLEAUT32(?), ref: 00A1321C
VariantClear.OLEAUT32(?), ref: 00A13316
VariantClear.OLEAUT32(?), ref: 00A13345
SysFreeString.OLEAUT32(00000000), ref: 00A1334C
SysAllocString.OLEAUT32(00000000), ref: 00A13393
VariantClear.OLEAUT32(?), ref: 00A1341A
VariantClear.OLEAUT32(?), ref: 00A1344C
VariantClear.OLEAUT32(?), ref: 00A13527
VariantClear.OLEAUT32(?), ref: 00A13556

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID:
API String ID: 1305860026-0
Opcode ID: dea92f1a408ed02225bf22fad21fe744ba31c1bd4a7d660aef012d920632a7a9
Instruction ID: 90fe4f83a7d741707370db89d2a9555fae7026e0399ae019a59334ba34039ecb
Opcode Fuzzy Hash: dea92f1a408ed02225bf22fad21fe744ba31c1bd4a7d660aef012d920632a7a9
Instruction Fuzzy Hash: 08C16C71A00249DFCF10DFA8C844BEEBBB4FF48314F148269E515E7291E778AA45CBA5

Function 00B904A0 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B90878

Strings

p, xrefs: 00B905B9
:, xrefs: 00B9056B
f, xrefs: 00B905F8
p, xrefs: 00B905FF
f, xrefs: 00B90596
p, xrefs: 00B9059D
f, xrefs: 00B905B2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 1178b61a47e1ee776f98a502f026b2fc81aeec6fb9dce8e8658e4671826c8299
Instruction ID: 6bcdbeaa2a271d3f1ed8b8f1ad960cd9ff4c194980dee5d4a4fdfc9cd7424868
Opcode Fuzzy Hash: 1178b61a47e1ee776f98a502f026b2fc81aeec6fb9dce8e8658e4671826c8299
Instruction Fuzzy Hash: D602B035A20208DFDF20AFA9D4856EDBBF6FF51B14FA441A6D414BB281D7309E84CB60

Function 00A89C70 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 388memoryCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A89E78
GetProcessHeap.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 00A89F76
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 00A89F7C
GetProcessHeap.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 00A89FBB
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 00A89FC1
__Init_thread_footer.LIBCMT ref: 00A8A0D1

Strings

Int32, xrefs: 00A89E41
StateImage%d, xrefs: 00A89D15

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeInit_thread_footerProcess
String ID: Int32$StateImage%d
API String ID: 901118941-2108925653
Opcode ID: 0b05593040c62f1257eb0094e096b98ff2adbe3ba3c387756c9d1b21462bfa2a
Instruction ID: 27943f2551a24621bf2e5534ea8dc1cfbc36d82b9adc9e956b8c2d6ba1816815
Opcode Fuzzy Hash: 0b05593040c62f1257eb0094e096b98ff2adbe3ba3c387756c9d1b21462bfa2a
Instruction Fuzzy Hash: C8029AB1D01248DFDB04DFA8C948BDEBBB4FF19314F24826AE415AB291D775AA04CF91

Function 00B22BC0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 343synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

ResetEvent.KERNEL32(?,?,?), ref: 00B22C4A
SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00B22C83
ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00B22E19
SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 00B22E4B
ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 00B22F26
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00B22F43
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00B22F4A

Strings

FTP Server, xrefs: 00B22CF6, 00B22D08, 00B22D12

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
String ID: FTP Server
API String ID: 3860647947-688436434
Opcode ID: 485d810e2c37f8c6de0e8b45f2e54d68bc2700c3f164266e477d8053980103af
Instruction ID: 69dca1e128d682c8d52172a9dcbf683bfe04fbfe7eff9e5c83f4ca6c02ccc126
Opcode Fuzzy Hash: 485d810e2c37f8c6de0e8b45f2e54d68bc2700c3f164266e477d8053980103af
Instruction Fuzzy Hash: B6D19D70900259EFDF00DF68D988BAEBBF5EF49314F1582A9E818EB291D774D905CB90

Function 00B42A80 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 282COMMON

Download Yara Rule

Strings

Progress, xrefs: 00B42ABD
Enabled, xrefs: 00B42BE0
PropertyValue, xrefs: 00B42CC9
Visible, xrefs: 00B42B6D
TimeRemaining, xrefs: 00B42C4F
Text, xrefs: 00B42AFA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
API String ID: 0-2691827946
Opcode ID: 3c7d0c4ca570215ddc0eb889fab398440235dfbaa199ee515af21bd9f0f21ee2
Instruction ID: 97c3038443289e0a1b0653682e6d9e84837d8c568801016d08e5ba078bea385c
Opcode Fuzzy Hash: 3c7d0c4ca570215ddc0eb889fab398440235dfbaa199ee515af21bd9f0f21ee2
Instruction Fuzzy Hash: 3FB17DB1A00344DFDB14DF48E944B9EBBF1FB85320F5086AEE8259B391D7759A00DB91

Function 00B24900 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00B04998), ref: 00B249F3
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 00B24A37
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00B24A54
CloseHandle.KERNEL32(00000000), ref: 00B24A6E
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00B24AAD

Strings

Unable to get temp file , xrefs: 00B249D4
ps1, xrefs: 00B24969, 00B2497B, 00B24985, 00B24996
Unable to save script file , xrefs: 00B24A7D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 2821137686-4253966538
Opcode ID: b36afc12d802ec329144dc529d880ff74e4df374389a91d9211d71995fd7f1b2
Instruction ID: 800157506c40557d685afe934db889257fca0dd611c04a0c2a0012debd660d15
Opcode Fuzzy Hash: b36afc12d802ec329144dc529d880ff74e4df374389a91d9211d71995fd7f1b2
Instruction Fuzzy Hash: 57510470A00659EFDB10CB68DD49BEEBBF8EF05314F148298E505AB6D2D7749E04CBA4

Function 00B13C80 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00B13CBE
GetUserDefaultLangID.KERNEL32 ref: 00B13CCB
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00B13CDD
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00B13CF1
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00B13D06

Strings

GetSystemDefaultUILanguage, xrefs: 00B13CEB
kernel32.dll, xrefs: 00B13CD4
GetUserDefaultUILanguage, xrefs: 00B13D00

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: 6ea4d5e14c689ef0286b0a2aad9b6412c9133e9aef30f17e6779e8bbd1625e89
Instruction ID: 1fdfec9e88e02c75f003ba46bd2ec92df95734077ae3bd5cae4a751661233d81
Opcode Fuzzy Hash: 6ea4d5e14c689ef0286b0a2aad9b6412c9133e9aef30f17e6779e8bbd1625e89
Instruction Fuzzy Hash: A541A1716043119BC744EF28E4907BAB7E1EF98745F91196EF886C7290EB34DA84CB52

Function 00B89810 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B89847
___except_validate_context_record.LIBVCRUNTIME ref: 00B8984F
_ValidateLocalCookies.LIBCMT ref: 00B898D8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B89903
_ValidateLocalCookies.LIBCMT ref: 00B89958
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00B8996E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00B89983

Strings

csm, xrefs: 00B898ED

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 6ab58b510bb2996fca97dea22067f030803ac6923d682ea9f68a163fee518b33
Instruction ID: b0c9adf9d6a2b96b53d1db787ea81a947b1a0245d3c9873945d34b89fdf0d6b7
Opcode Fuzzy Hash: 6ab58b510bb2996fca97dea22067f030803ac6923d682ea9f68a163fee518b33
Instruction Fuzzy Hash: E5419334A00209EBDF10FF68C881AAE7BE5EF46354F1881D5E815AB3B2D735D905DB91

Function 00A559B0 Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A559F7
GetWindowRect.USER32(?,?), ref: 00A55A18
GetWindow.USER32(?,00000004), ref: 00A55A52
GetWindowRect.USER32(?,?), ref: 00A55A60
GetWindowLongW.USER32(00000000,000000F0), ref: 00A55A6D
MonitorFromWindow.USER32(?,00000002), ref: 00A55A85
GetMonitorInfoW.USER32(00000000,?), ref: 00A55A9F
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00A55B4D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfo
String ID:
API String ID: 2882702216-0
Opcode ID: e43465d03594b12ae8938cae78dcb2621e6e83ad0e207374146e13fb9bbae52d
Instruction ID: 5cb0aa566de042ec1099a48e5880b3ac22b08e946e27d7e26642a2f8f86a8d5e
Opcode Fuzzy Hash: e43465d03594b12ae8938cae78dcb2621e6e83ad0e207374146e13fb9bbae52d
Instruction Fuzzy Hash: 26515C72D00519AFDB14CBB8CD49F9EBBB9FB48711F25422AE915B3294DB30AD05CB90

Function 00AD9FD0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 232fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 00ADA069
CloseHandle.KERNEL32(00000000), ref: 00ADA090

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

Part of subcall function 00ADBC00: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,80070057,BACC40AC,?,?,00000000,00BAD670,000000FF,?,00B2338D), ref: 00ADBC3D
Part of subcall function 00ADBC00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00ADBC6E

WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 00ADA105
CloseHandle.KERNEL32(00000000), ref: 00ADA157

Part of subcall function 00ADBA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00B03DCA,000000FF,00000000,00000000,00000000,00000000,?,?,?,00B03DCA,?,?), ref: 00ADBA3C
Part of subcall function 00ADBA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00B03DCA,000000FF,?,-00000001,00000000,00000000,?,?,?,00B03DCA,?,?), ref: 00ADBA73

Strings

EXE, xrefs: 00ADA023
.bat, xrefs: 00ADA01E
open, xrefs: 00ADA183

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
String ID: .bat$EXE$open
API String ID: 4275363648-2898749727
Opcode ID: 3be365f88ae9202bc0457d38bfd41c1ec2707285f1168175b04607f859c2b0c1
Instruction ID: f1b6c18b3f27170855463c003c0b3d1737e9078f8a4c422f3d43a2020d739fda
Opcode Fuzzy Hash: 3be365f88ae9202bc0457d38bfd41c1ec2707285f1168175b04607f859c2b0c1
Instruction Fuzzy Hash: 41A17A70901648EFDB10CFA8CD48B9DFBB4FF55314F24829AE015AB2A1DB749A48CF51

Function 00A1B720 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 218windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00A1B771
SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00A1B7D5
lstrcpynW.KERNEL32(?,?,00000020), ref: 00A1B847
MulDiv.KERNEL32(?,00000048,00000000), ref: 00A1B884
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00A1B8B6

Strings

t, xrefs: 00A1B892
?, xrefs: 00A1B88A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t
API String ID: 3928028829-1995845436
Opcode ID: d8ea4b4c8cba5478d629322369c382f2c3fc42ed3f3f2fe3fc897c645221ab48
Instruction ID: e6202a54aff2ab6d98fcb27941fe2d0a864fe20ba0f0a50e19985e19186580f0
Opcode Fuzzy Hash: d8ea4b4c8cba5478d629322369c382f2c3fc42ed3f3f2fe3fc897c645221ab48
Instruction Fuzzy Hash: 3E915E71614340AFE721DB64CC49F9EBBE8BF88300F044A2AF699D71A1DB74E545CB52

Function 00A06C00 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A06CEF

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00A06D43
CloseHandle.KERNEL32(00000000), ref: 00A06D92

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00A06DF6
CloseHandle.KERNEL32(00000000,?), ref: 00A06E1C

Strings

aix, xrefs: 00A06D01
html, xrefs: 00A06CFC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: d6de319aadde462177ce52b0d6f342774662a7f1af2ce72855579adb5efbd742
Instruction ID: 55dceadb92a5ce52cbb9e2d84f10ce9d8525622cfbe72e91da6708e16f2de256
Opcode Fuzzy Hash: d6de319aadde462177ce52b0d6f342774662a7f1af2ce72855579adb5efbd742
Instruction Fuzzy Hash: 90517DB0900648DFDB10DFA4ED59B9EBBF4EB45708F1041A9E401AB3D1D7B56A09CB91

Function 00AD2470 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74libraryloaderwindowCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00AD2500

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AD253D
__Init_thread_footer.LIBCMT ref: 00AD2554
SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00AD257F

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

Part of subcall function 00AB1FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AB1FF1
Part of subcall function 00AB1FB0: _wcschr.LIBVCRUNTIME ref: 00AB20AF

Strings

SetWindowTheme, xrefs: 00AD2532
UxTheme.dll, xrefs: 00AD24D1
explorer, xrefs: 00AD2567

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 3852524043-3123591815
Opcode ID: 0c619fc15bb5780d8a3263289433d95a41bfb303620bc8a2807bc69d1af484d8
Instruction ID: 0e62b77c9fcc548d1f748d5508e19324fa2da361cb3f8601a69b459919229eda
Opcode Fuzzy Hash: 0c619fc15bb5780d8a3263289433d95a41bfb303620bc8a2807bc69d1af484d8
Instruction Fuzzy Hash: 2F21F7B1A40204EBCB20DF64ED0AF9DB7A4EB11B60F114327F521A73E8D775A901CB51

Function 00A24C60 Relevance: 12.2, APIs: 8, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00A24D55
SysFreeString.OLEAUT32(00000000), ref: 00A24DCA
GetProcessHeap.KERNEL32(?,00000000,00000000), ref: 00A24E30
HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 00A24E36
GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,BACC40AC,?,00000000), ref: 00A24E66
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,BACC40AC,?,00000000), ref: 00A24E6C
SysFreeString.OLEAUT32(00000000), ref: 00A24E84
SysFreeString.OLEAUT32(?), ref: 00A24F2B

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Free$HeapString$Process
String ID:
API String ID: 1565486995-0
Opcode ID: bcd2914243332cf5569dd57a1dcd730292bfdd6dd70dcd46c91760ea652e4841
Instruction ID: 6712f74ec6ed469cee1b46127a8ca0024c4da95f8d30846c7fa0d90541d360ca
Opcode Fuzzy Hash: bcd2914243332cf5569dd57a1dcd730292bfdd6dd70dcd46c91760ea652e4841
Instruction Fuzzy Hash: DD917971D00269DFDF10DFA8D945BEEBBB8FF09710F144169E821A7291D7789A04CBA1

Function 00A097E0 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A0980A
GetWindow.USER32(?,00000005), ref: 00A09817
GetWindow.USER32(00000000,00000002), ref: 00A09952

Part of subcall function 00A09660: GetWindowRect.USER32(?,?), ref: 00A0968C
Part of subcall function 00A09660: GetWindowRect.USER32(?,?), ref: 00A0969C

GetWindowRect.USER32(?,?), ref: 00A098AB
GetWindowRect.USER32(00000000,?), ref: 00A098BB
GetWindowRect.USER32(00000000,?), ref: 00A098D5

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: 5dcb3da4ba8e3b39b11689585867520ff6a5ed4751f9952eba598e93cd88cb36
Instruction ID: 6366762408b6b1a6cff1246069c602762a54bb84f56dec9839cc4bc3c6f42318
Opcode Fuzzy Hash: 5dcb3da4ba8e3b39b11689585867520ff6a5ed4751f9952eba598e93cd88cb36
Instruction Fuzzy Hash: B7419E305047059BC721DF25D980E6BF7F9BF96704F504A1DF085936A2EB30E988CB52

Function 00B85BAB Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00B85D55,00000000), ref: 00B85BCF
HeapAlloc.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85BD6

Part of subcall function 00B85CA1: IsProcessorFeaturePresent.KERNEL32(0000000C,00B85BBD,00000000,?,00B85D55,00000000), ref: 00B85CA3

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00B85D55,00000000), ref: 00B85BE6
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00B85D55,00000000), ref: 00B85C0D
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00B85D55,00000000), ref: 00B85C21
InterlockedPopEntrySList.KERNEL32(00000000,?,00B85D55,00000000), ref: 00B85C34
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00B85D55,00000000), ref: 00B85C47

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 260da578c84ef6838c54e4185f3953e8fb0c03e1ff30eba1ffb14b2ffae4fa30
Instruction ID: b3e25648c0f4e447d558821ab931f9e11538adabcbea994a352cb05ff4702d83
Opcode Fuzzy Hash: 260da578c84ef6838c54e4185f3953e8fb0c03e1ff30eba1ffb14b2ffae4fa30
Instruction Fuzzy Hash: 74118271601F11ABD7312B64AC88F2E66DDEB44789F1644A2FA41E6260DE60CC04CFB4

Function 00B20260 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 454synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00B2029A,?,BACC40AC,?,?,?,000000FF,?), ref: 00B22154
Part of subcall function 00B22140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00B2029A,?,BACC40AC,?,?,?,000000FF,?,00B1FC64), ref: 00B22171
Part of subcall function 00B22140: GetLastError.KERNEL32(?,BACC40AC,?,?,?,000000FF,?,00B1FC64,?,?,00000000,00000000,BACC40AC,?,?), ref: 00B221D0

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

ResetEvent.KERNEL32(?,00000000,00BF38DD), ref: 00B2036A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B20389
WaitForSingleObject.KERNEL32(BACC40AC,000000FF), ref: 00B20390

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

Strings

attachment, xrefs: 00B2059D
GET, xrefs: 00B202EA
filename, xrefs: 00B206E1

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
String ID: GET$attachment$filename
API String ID: 818129584-3911147371
Opcode ID: 255b8a0b3c15ad513b8c74b6daf808a772c11f0c9593abb59a5a7999b0c349e6
Instruction ID: 57fcaafb4cbdf2e363f0c34f4e6f44a02f9f5ff63fac21f57d3a8ff99b4b8e82
Opcode Fuzzy Hash: 255b8a0b3c15ad513b8c74b6daf808a772c11f0c9593abb59a5a7999b0c349e6
Instruction Fuzzy Hash: 30029E70901259DFDB10EFA8D944BAEBBF4FF15314F1481A9E419AB292DB70AE04CF91

Function 00B36EA0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 371COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

_wcschr.LIBVCRUNTIME ref: 00B36F6B
_wcschr.LIBVCRUNTIME ref: 00B3701D
_wcschr.LIBVCRUNTIME ref: 00B3703C

Part of subcall function 009F9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00A069F0,-00000010,?,00A0AA9D,*.*), ref: 009F93B7

_wcschr.LIBVCRUNTIME ref: 00B370E2
GetTickCount.KERNEL32 ref: 00B3728A

Strings

0123456789AaBbCcDdEeFf, xrefs: 00B36F01, 00B36F13, 00B36F1D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
String ID: 0123456789AaBbCcDdEeFf
API String ID: 2181188311-3822820098
Opcode ID: 008c0f2d293d298e3a7547a0bae167b3a868f34e2644837e324ec5c790518d4b
Instruction ID: c5f1e7ad1110bb0447acf59129e9b6c77867f22f9701683d12534f54b95e547a
Opcode Fuzzy Hash: 008c0f2d293d298e3a7547a0bae167b3a868f34e2644837e324ec5c790518d4b
Instruction Fuzzy Hash: 1FD124B1A04A098FDB20CF68C888BAEB7F1FF45310F24869DE46597291DB34ED45CB90

Function 00AF09E0 Relevance: 10.8, APIs: 7, Instructions: 300fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,BACC40AC), ref: 00AF0A69
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000), ref: 00AF0AEC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF0B39
GetFileSize.KERNEL32(00000000,00000000), ref: 00AF0B42
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AF0BA5
CloseHandle.KERNEL32(00000000), ref: 00AF0CF7
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AF0D7F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointerSize
String ID:
API String ID: 4181610692-0
Opcode ID: 06f40f44e9a08581b4a283550b3c1fc4812f9711a81aa0a3862a4fb248c6d0f2
Instruction ID: fbe5372be072a022f5cf4c21c15049964ccb7f4d3bb53ec79ce9c1feb31c959b
Opcode Fuzzy Hash: 06f40f44e9a08581b4a283550b3c1fc4812f9711a81aa0a3862a4fb248c6d0f2
Instruction Fuzzy Hash: 60C17C70E0130CDFDF24DFA4C944FAEBBB5AF44704F208259E555AB292DB74AA49CB90

Function 00B30BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF29D0: __Init_thread_footer.LIBCMT ref: 00AF2AA2

GetTempPathW.KERNEL32(00000104,?), ref: 00B30CC9
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00B30CFA
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00B30D2D
CopyFileW.KERNEL32(?,?,00000000), ref: 00B30D4F
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B30D7E

Strings

shim_clone, xrefs: 00B30CEE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Wow64$FileRedirectionTemp$CopyDisableInit_thread_footerNamePathRevert
String ID: shim_clone
API String ID: 885488785-3944563459
Opcode ID: 2350cb0319933b660719a72d914a3045e33b872b72a1fc038c09737ce1d143ba
Instruction ID: 1ffb39a3d5590e93c099a0599e4c80ae597b72958f7b3203066902a421ce91a6
Opcode Fuzzy Hash: 2350cb0319933b660719a72d914a3045e33b872b72a1fc038c09737ce1d143ba
Instruction Fuzzy Hash: 4A512570A402189FDB24EF64CC65BAEB7F9EF84700F6481E9E905971C1DB70AE44CB94

Function 00B1E2C0 Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,BACC40AC,?,?), ref: 00B1E307
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,BACC40AC,00BF344D), ref: 00B1E37F
GetLastError.KERNEL32 ref: 00B1E390
WaitForSingleObject.KERNEL32(00BF344D,000000FF), ref: 00B1E3AC
GetExitCodeProcess.KERNEL32(00BF344D,00000000), ref: 00B1E3BD
CloseHandle.KERNEL32(00BF344D), ref: 00B1E3C7
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B1E3E2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 3e473abf3b367203464b2621d69c9e687127e1739781280c694aced24dc9820b
Instruction ID: 57e7b872de16263c1e56dd1b8ffc33c4927a1db15cf3aefe73b5ca6fb7e1bb91
Opcode Fuzzy Hash: 3e473abf3b367203464b2621d69c9e687127e1739781280c694aced24dc9820b
Instruction Fuzzy Hash: F9419D31E00389EBDB11CFA4DD047EEBBF8EF49304F14865AE864A7190DB749A84CB60

Function 00B30E90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00B16881,00000000,BACC40AC,?,00000010,00000000), ref: 00B30EAB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00B30EC1
FreeLibrary.KERNEL32(00000000), ref: 00B30EFA
FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00B16881,00000000,BACC40AC,?,00000010,00000000), ref: 00B30F16

Strings

Shlwapi.dll, xrefs: 00B30EAA
DllGetVersion, xrefs: 00B30EBB

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 9de0059d561d7c7627d458e6356138d599b0679b39c724ef1af42098f7a3d769
Instruction ID: 81ecb8ecafa4ae52d08adb7ba731f6712555dfc3b5a7010a837d2f17b7babbde
Opcode Fuzzy Hash: 9de0059d561d7c7627d458e6356138d599b0679b39c724ef1af42098f7a3d769
Instruction Fuzzy Hash: 5C2180766142018BC314BF29A88576FB7E4FFD9714F8105AEF889D3212EB25D80987A2

Function 00B9FDD2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00B9FEDF,00B9D0E1,0000000C,?,00000000,00000000,?,00BA0109,00000021,FlsSetValue,00C0CF80,00C0CF88,?), ref: 00B9FE93

Strings

api-ms-, xrefs: 00B9FE29
ext-ms-, xrefs: 00B9FE3D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2a88a206529bf7aa2e23096bd152ebdd863790d18ec4ef5ad6460b79675d15f5
Instruction ID: 1f3fe23f4ca24ae2bd88e1fdd561d90d35572f84051fc19819e71d15ced1ab7a
Opcode Fuzzy Hash: 2a88a206529bf7aa2e23096bd152ebdd863790d18ec4ef5ad6460b79675d15f5
Instruction Fuzzy Hash: 0D219375A01A16ABCF22AB649C44B6F3799EF41774F1501B0E915E72A2DB30ED05C6D0

Function 00AE5E10 Relevance: 9.4, APIs: 6, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0610cfe5c6a2870737ba03efd1d2a2f2cfd5d71993853fa9f5853a0b7c87e4b7
Instruction ID: dd8e8d3b6275295d63a39ab6f0699f5636e2a47c0903ca31b3211bc778a874e6
Opcode Fuzzy Hash: 0610cfe5c6a2870737ba03efd1d2a2f2cfd5d71993853fa9f5853a0b7c87e4b7
Instruction Fuzzy Hash: F1D1C1B1E00649DFCB14DF69C945BAEBBF4FB58310F148269E815AB391DB31AE01CB91

Function 00A1F780 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A1F7CD

Strings

AiTabPage, xrefs: 00A1F9E3, 00A1FAEA
`Dialog_`=', xrefs: 00A1F900
' AND `Control_`=', xrefs: 00A1F947
ControlEvent, xrefs: 00A1FA59

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$`Dialog_`='
API String ID: 3850602802-1655181372
Opcode ID: 8970ec894aff98bcbc4aae533f5f23f4f144874ae3831354e209b16ec47befa5
Instruction ID: 6ae68b0cfcc9ebf8019774864000578de37a7d1b55533434682c6d41fc904bbd
Opcode Fuzzy Hash: 8970ec894aff98bcbc4aae533f5f23f4f144874ae3831354e209b16ec47befa5
Instruction Fuzzy Hash: 53F17875900288DFDF04DF68C899BEEBBB1BF48304F1501A8ED159B292DB75AA45CB90

Function 00B03CC0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(BACC40AC,00000000,00000000), ref: 00B03D1F
GetShortPathNameW.KERNEL32(?,?,?), ref: 00B03D8D

Strings

neutral, xrefs: 00B03EE6
x86, xrefs: 00B03F4A
x64, xrefs: 00B03FAA

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: NamePathShort
String ID: neutral$x64$x86
API String ID: 1295925010-1541741584
Opcode ID: 0a244dc6ccf37a37eab3110ec6ee7b49672785fc217e6d5e63e10cc24b0e65ce
Instruction ID: e6be52c91a08acfd411fb8f3048c3787c7678126f8988556039c3e6eefb89fcd
Opcode Fuzzy Hash: 0a244dc6ccf37a37eab3110ec6ee7b49672785fc217e6d5e63e10cc24b0e65ce
Instruction Fuzzy Hash: BAB1B271A00208EFDB00DFA4C859BDEBFF4EF44324F148299E515AB2D1DB75AA44CBA0

Function 00A02420 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C96250,BACC40AC,00000000,00C9626C), ref: 00A02573
LeaveCriticalSection.KERNEL32(00C96250), ref: 00A025D7
LoadCursorW.USER32(009F0000,?), ref: 00A02630
LeaveCriticalSection.KERNEL32(00C96250), ref: 00A026C8

Strings

ATL:%p, xrefs: 00A02650

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: ATL:%p
API String ID: 2080323225-4171052921
Opcode ID: 12fa39c639e9b220206b94956ad1aa61df4a1b394ae736b99b9c8c04fc350e6e
Instruction ID: 997faabb1142f6d80c457c821023384fa68191d515d2f987c0811a0819cbd7f1
Opcode Fuzzy Hash: 12fa39c639e9b220206b94956ad1aa61df4a1b394ae736b99b9c8c04fc350e6e
Instruction Fuzzy Hash: AB91E171900B489FDB24CF69D948BAAF7F4FF48720F10862EE89597690E731B984CB50

Function 009F8890 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009F8975
__Init_thread_footer.LIBCMT ref: 009F89EF

Strings

<a href=", xrefs: 009F8937
</a>, xrefs: 009F8AF9
<a>, xrefs: 009F8BA1

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: 4fd48e3166ddc69b5dbb78a2f3544d641d56fd16684775a17470020a6cb86306
Instruction ID: f0bf0c46959684d6fb241f07eef71dc02d9541db93f1c5c9b036508ed8337577
Opcode Fuzzy Hash: 4fd48e3166ddc69b5dbb78a2f3544d641d56fd16684775a17470020a6cb86306
Instruction Fuzzy Hash: 0FA1A3B0A00709EFCF44DF68D859BAEB7B5FF45314F10426AE511AB2E2EB70A945CB50

Function 00AF2450 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,BACC40AC,00000000,?), ref: 00AF266C
SHGetMalloc.SHELL32(?), ref: 00AF2695

Strings

%s, %.2u %s %.4u %.2u:%.2u:%.2u GMT, xrefs: 00AF2566
C:\FAKE_DIR\, xrefs: 00AF263A, 00AF2657
C:\, xrefs: 00AF2621

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
API String ID: 3216538967-785558474
Opcode ID: 932cd20ad2659b56aebab6bf0a44fdc894e71edc8253ebafd16d7e0e594ef4d5
Instruction ID: 11d69904e866178a66c628188376c8783e1a6f7936bf0e47b5d9721963f76cae
Opcode Fuzzy Hash: 932cd20ad2659b56aebab6bf0a44fdc894e71edc8253ebafd16d7e0e594ef4d5
Instruction Fuzzy Hash: 8F717CB1900258AFDF10DF94DC49BAEBBF8FF08704F00451AFA19AB691D7B4A904DB94

Function 00A00E10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 194comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00C137FC,00000000,00000001,00C13E84,?), ref: 00A00EE0

Strings

:, xrefs: 00A00ECA
{, xrefs: 00A00F40

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateInstance
String ID: :${
API String ID: 542301482-3766677574
Opcode ID: c58f854159cc556f9a402843e5f471d1869b32e7ab221fd465be69f5071d5a05
Instruction ID: 47fbd4541821e40feeaf968657dc35b6483c414c5c0f837cb1e1eaa6bb3a0191
Opcode Fuzzy Hash: c58f854159cc556f9a402843e5f471d1869b32e7ab221fd465be69f5071d5a05
Instruction Fuzzy Hash: 31619E74A0028A9BDF248FA8E854FFEB7B4AB09714F14446AE841FB2C0D775DD80DB60

Function 00B16820 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

APPDATA, xrefs: 00B16A57, 00B16A5F
PROGRAMFILES, xrefs: 00B16A3D
ProgramFilesFolder, xrefs: 00B168E7
AppDataFolder, xrefs: 00B169C8, 00B16A05

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID:
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
API String ID: 0-3551742416
Opcode ID: f6a035532aae1b798d4a79a193f57378f7f900f3d121d69c9831f376c25da376
Instruction ID: 9ca9e493abc734cd627af533ae82254e5d2f4e0178ec2d03c66eb132ce4d3ab7
Opcode Fuzzy Hash: f6a035532aae1b798d4a79a193f57378f7f900f3d121d69c9831f376c25da376
Instruction Fuzzy Hash: 9121C332A001159BCB14AF68D844BFAB3E4FF55720F5046AAE916E7690EB31DD85C790

Function 00B8A78C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,00B8A84D,00000000,00000FA0,00C95084,00000000,?,00B8A978,00000004,InitializeCriticalSectionEx,00C0A0E0,00C0A0E8,00000000), ref: 00B8A81C

Strings

api-ms-, xrefs: 00B8A7DC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 16aab3e3b73ca6fd6f3aa36805a1ee8ed0c8ee7fdefaa882ea7965f9f2c09c74
Instruction ID: c7ec40993a7d8e04aca752dc780aba35344849c432f77efdfbe8cb318ae5ad6e
Opcode Fuzzy Hash: 16aab3e3b73ca6fd6f3aa36805a1ee8ed0c8ee7fdefaa882ea7965f9f2c09c74
Instruction Fuzzy Hash: 6C11A735A41625ABEB226B689C4075E37E4DF01774F1541A2E911A71E0EB70ED05C7E2

Function 00B9C68F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BACC40AC,?,?,00000000,00C06426,000000FF,?,00B9C662,?,?,00B9C636,?), ref: 00B9C6C4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B9C6D6
FreeLibrary.KERNEL32(00000000,?,00000000,00C06426,000000FF,?,00B9C662,?,?,00B9C636,?), ref: 00B9C6F8

Strings

mscoree.dll, xrefs: 00B9C6BD
CorExitProcess, xrefs: 00B9C6CE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 11d89163d4eb15e36c71185f2cb1c0fe2ec695b85a22e91b1032349b6ae54502
Instruction ID: b9652de94d034f6f6a17bea97ac3cca951e5ec09ff7f7fa83145ac71a41cd613
Opcode Fuzzy Hash: 11d89163d4eb15e36c71185f2cb1c0fe2ec695b85a22e91b1032349b6ae54502
Instruction Fuzzy Hash: 9B016D31904619EFDB119F94DC45BBEBFB8FB04B15F018636E811E32D0DBB49904CA94

Function 00AF79C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00AF7A1E
GetProcAddress.KERNEL32(00000000), ref: 00AF7A25
__Init_thread_footer.LIBCMT ref: 00AF7A3C

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Strings

SymFromAddr, xrefs: 00AF7A14
Dbghelp.dll, xrefs: 00AF7A19

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3268644551-642441706
Opcode ID: 948700d20f71f5c1f49ee536e1dc2543b438a387241f7697a8465056ea938c2e
Instruction ID: 2fbbb40980657dac7f049b9cd2ab033e43d2d8f097b904ea33984400a139d4a4
Opcode Fuzzy Hash: 948700d20f71f5c1f49ee536e1dc2543b438a387241f7697a8465056ea938c2e
Instruction Fuzzy Hash: B101DFB1A40754EFC720DF98ED4AB1CB7A4EB08B30F11426AF815837E0D735A900CB11

Function 00AEBA70 Relevance: 7.8, APIs: 5, Instructions: 328COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD04
std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD24
std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD4C
std::_Facet_Register.LIBCPMT ref: 00AEBE2B
std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBE55

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 1df5357ca0f364ddcbf2b86c5bd62761aeaa4a19e7ba982df4346b1eb4b86026
Instruction ID: 1108d5254afbd8779e99f1fa0e5fc7b51e2e5b4f01eca616838bb01ae8a2695c
Opcode Fuzzy Hash: 1df5357ca0f364ddcbf2b86c5bd62761aeaa4a19e7ba982df4346b1eb4b86026
Instruction Fuzzy Hash: 74C1E571E10259DFDB18DF69C8847AEBBF5EF44710F148269E805AB391DB70AE05CBA0

Function 00A13E70 Relevance: 7.8, APIs: 5, Instructions: 254windowCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A13ECD
VariantClear.OLEAUT32(?), ref: 00A13EFF
MessageBoxW.USER32(00000000,00000000,00000000,?), ref: 00A140C4
VariantClear.OLEAUT32(?), ref: 00A14117
VariantClear.OLEAUT32(?), ref: 00A14146

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ClearVariant$Message
String ID:
API String ID: 167562128-0
Opcode ID: ddf1f6087e208ffbbaa8e943953275dc9d4969227f96d13069ef1f4d82aa4375
Instruction ID: 04d10a21c3d302ec8bc51b0c153808e5bcab34d4a8685d43ea8c670b85295137
Opcode Fuzzy Hash: ddf1f6087e208ffbbaa8e943953275dc9d4969227f96d13069ef1f4d82aa4375
Instruction Fuzzy Hash: 27A16875900219EFCB10DFA8C884BDEFBB5FF48314F258259E404AB391E774AA85CB95

Function 00A1DE90 Relevance: 7.7, APIs: 5, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00A1DEF7
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00A1DF1F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A1DF37
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00A1DF68
SendMessageW.USER32(00000000,00000136,?,?), ref: 00A1E055

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 99ff4def138034691e3b0fb0991d7b26936880fd164b46a09b85bf1843a8abd3
Instruction ID: 37b49bd2b4c6b5f6990d165a83acfbc5a4a142e781582dd39a629492be2de160
Opcode Fuzzy Hash: 99ff4def138034691e3b0fb0991d7b26936880fd164b46a09b85bf1843a8abd3
Instruction Fuzzy Hash: 98611572910618AFDB159FE4DD49FEEBBB9FF48710F11011AF619AB2A0C7706A42CB50

Function 00B30810 Relevance: 7.7, APIs: 5, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,BACC40AC,?,?,00000000,?,?,?,?,00BF6FED,000000FF,?,00B11C3D), ref: 00B30850
CreateThread.KERNEL32(00000000,00000000,00B30BD0,?,00000000,?), ref: 00B30886
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B3098F
GetExitCodeThread.KERNEL32(00000000,?), ref: 00B3099A
CloseHandle.KERNEL32(00000000), ref: 00B309BA

Part of subcall function 00A02970: RaiseException.KERNEL32(?,?,00000000,00000000,00B85A3C,C000008C,00000001,?,00B85A6D,00000000,?,009F91C7,00000000,BACC40AC,00000001,?), ref: 00A0297C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
String ID:
API String ID: 3595790897-0
Opcode ID: b7a29616e40adb6652379d575eab5033891e92e0f2e42fd7d72e520ed84d7dd8
Instruction ID: 735c361a5c7316b79704dbd10e13bfc85d22f0eb4c82acb16e7a31000edb0c27
Opcode Fuzzy Hash: b7a29616e40adb6652379d575eab5033891e92e0f2e42fd7d72e520ed84d7dd8
Instruction Fuzzy Hash: F5517A74A00709DFDB20DF68C894BAEBBF4FF48714F2586A9E956A7351D730A844CB50

Function 00A16D90 Relevance: 7.6, APIs: 5, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 00A16E08
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A16E50
SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 00A16E73
SendMessageW.USER32(?,0000102B,000000FF,?), ref: 00A16E9F
SetFocus.USER32(00000000), ref: 00A16EB2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: 7752b7663e85c5b7a91977d118e0bded7df84c917ccb079c4c1c6a7eeaba5637
Instruction ID: eba64b0e96d5dee58e6214ec5b60dd5042a30dcfc1b78eb4696fcdffd5c53945
Opcode Fuzzy Hash: 7752b7663e85c5b7a91977d118e0bded7df84c917ccb079c4c1c6a7eeaba5637
Instruction Fuzzy Hash: 8B411C75900608DFDB24DF64CC45BAAB7F4FB48710F10466AE825977A1DB70A950CF50

Function 00A47A70 Relevance: 7.6, APIs: 5, Instructions: 100threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A47A99
CoInitializeEx.COMBASE(00000000,00000002), ref: 00A47AA9
SendMessageW.USER32(?,000005FA,?,00000000), ref: 00A47BC1

Part of subcall function 00A56040: EnterCriticalSection.KERNEL32(BACC40AC,BACC40AC), ref: 00A56080
Part of subcall function 00A56040: GetCurrentThreadId.KERNEL32 ref: 00A56093
Part of subcall function 00A56040: LeaveCriticalSection.KERNEL32(?), ref: 00A56111

Part of subcall function 00A50100: SetLastError.KERNEL32(0000000E,?,00A47B2F,?,?,00C1C530,00000000), ref: 00A50118

GetLastError.KERNEL32(?,?,00C1C530,00000000), ref: 00A47B33
ShowWindow.USER32(?,0000000A,?,?,00C1C530,00000000), ref: 00A47B45

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
String ID:
API String ID: 2782539745-0
Opcode ID: 2c62411f4838b814d0ba613fa22d90917b8905dc2b7e4721fc40c667b92b815a
Instruction ID: cf7a3bb5b9090920e27a4e3c87063a0b31492d3c89405f87f5de6ff616f65ea7
Opcode Fuzzy Hash: 2c62411f4838b814d0ba613fa22d90917b8905dc2b7e4721fc40c667b92b815a
Instruction Fuzzy Hash: 2431EE71D00248EBDB10EFA4CD4ABDEBBB4FF50308F108259E411AB2D0DBB95A09CB91

Function 009FDB60 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009FDBC2
VariantClear.OLEAUT32(?), ref: 009FDC1B
VariantClear.OLEAUT32(?), ref: 009FDC25
VariantClear.OLEAUT32(?), ref: 009FDC2F
VariantClear.OLEAUT32(?), ref: 009FDC3C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 66e46c1a4fd966a19e8e9d48b0dabaa2d1e25f5bb4d19e58e0cbb3262a78cfe2
Instruction ID: 2a69506b5a288a2e40c03fe7c7a2b880d8de88c84a31a465e78d7fa3ead91c7b
Opcode Fuzzy Hash: 66e46c1a4fd966a19e8e9d48b0dabaa2d1e25f5bb4d19e58e0cbb3262a78cfe2
Instruction Fuzzy Hash: 79311A71D0524CEFDB05CFA8C944BDEBBF8EF49304F10859AE410A7290D7B5AA04CBA1

Function 00A246E0 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A2472A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00A24730
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00A24753
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00BB6756,000000FF), ref: 00A2477B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00BB6756,000000FF), ref: 00A24781

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 65a8cea1ca907cf4017bc152cd4b18db7641230d4d4d1cbff1be8db17f428b11
Instruction ID: 873b057e33431c1fbd0db0e58f1c62ec622d4579e61b16f453964d4910c40d44
Opcode Fuzzy Hash: 65a8cea1ca907cf4017bc152cd4b18db7641230d4d4d1cbff1be8db17f428b11
Instruction Fuzzy Hash: EC1182B1A04219ABEB10EF94DC06BAFBBFCEB04B04F100569F910AB2C1D7F5990487A1

Function 00B23F70 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00B23FC9
_wcschr.LIBVCRUNTIME ref: 00B240A9

Strings

realm, xrefs: 00B2438D, 00B2439F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: _wcschr
String ID: realm
API String ID: 2691759472-4204190682
Opcode ID: b8a61ec4023a5bab807a8b52e0b148273d413d5d0abdd0a4ebe3f7de20736e5f
Instruction ID: 3bdafcdbce4b697bdbab48e39bdaa3208653034103b8ca8c93d79ae8c0ab569f
Opcode Fuzzy Hash: b8a61ec4023a5bab807a8b52e0b148273d413d5d0abdd0a4ebe3f7de20736e5f
Instruction Fuzzy Hash: 37F19F31A00619DFDB00DFA8D848BAEBBF9EF55320F148299E8199B791DB74DD44CB90

Function 00A15E20 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Part of subcall function 00AD2040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00A10168,00000000,80004005), ref: 00AD20AB
Part of subcall function 00AD2040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AD20DB

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00A15FDC
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00A15FF3
SendMessageW.USER32(?,00001061,00000000,?), ref: 00A1604F

Strings

QuickSelectionList, xrefs: 00A15F15, 00A15F27, 00A15F31

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID: QuickSelectionList
API String ID: 3168177373-3633591268
Opcode ID: 56cf13956d1282458ebb6a3c5f4a87cb99af755ef94f07383f4b3fd0bd3db54b
Instruction ID: 1a5472787cf52b1cfcbbff51a5aaea5ca602be9d17c8b6359f6af05366f299eb
Opcode Fuzzy Hash: 56cf13956d1282458ebb6a3c5f4a87cb99af755ef94f07383f4b3fd0bd3db54b
Instruction Fuzzy Hash: 42818971A006099FCB14DF68C894BEEB7F5FF88324F10465DE556A7290DB71A944CFA0

Function 00A499D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF0F40: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00AF0F84
Part of subcall function 00AF0F40: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AF0F8F

GetCurrentThreadId.KERNEL32 ref: 00A49B3C
SendMessageW.USER32(00000000,00000127,00030003,00000000), ref: 00A49BC5

Strings

AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00A49A69
AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00A49AE0

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$CurrentThread
String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
API String ID: 2377075789-1831360935
Opcode ID: df9c13685bd18a91c2f3a863ba8d5b7060d0700bca0eac3a27258c65a1f2f0ff
Instruction ID: e5107f28b2c965b0a12e570f86783e5db1881791b86eedd862906fa6542b0080
Opcode Fuzzy Hash: df9c13685bd18a91c2f3a863ba8d5b7060d0700bca0eac3a27258c65a1f2f0ff
Instruction Fuzzy Hash: 8181B431A14208DFCF15EF74C995BAEBBB5FF44300F1441A9E905AB292DB70AE08CB91

Function 00A1DC60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00A1DD72
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00A1DD7A

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Part of subcall function 00A1F780: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A1F7CD

Strings

SysTabControl32, xrefs: 00A1DD55
TabHost, xrefs: 00A1DCE9, 00A1DCFB, 00A1DD05

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$AllocateHeap
String ID: SysTabControl32$TabHost
API String ID: 4003639188-2872506973
Opcode ID: cb5353f8dd53a2846d28e83b576714bbe5306ce09e7e68700b344999a6efe84e
Instruction ID: 14702517d7b4ed42fd5f274472e554a25ca1c331ac2b577848893c08d030f4b3
Opcode Fuzzy Hash: cb5353f8dd53a2846d28e83b576714bbe5306ce09e7e68700b344999a6efe84e
Instruction Fuzzy Hash: 71519D35A00605AFDB14DF68C844FAEBBF4FF89310F104269E915AB391DB75AC00CBA4

Function 00A4C4B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A4C4EE
SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00A4C6C1

Strings

AiDlgHeight, xrefs: 00A4C5E1
AiDlgWeight, xrefs: 00A4C50C

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Rect
String ID: AiDlgHeight$AiDlgWeight
API String ID: 3200805268-871102398
Opcode ID: c47cb7086387857f1193bb0613805b8e1e770003aa29d726f2d96a3aae3bdde8
Instruction ID: 25536d2b37f6281914065b6e17f4d62eb2c5ec5744fce6cc41bf6766b096e107
Opcode Fuzzy Hash: c47cb7086387857f1193bb0613805b8e1e770003aa29d726f2d96a3aae3bdde8
Instruction Fuzzy Hash: 03617D71D01209EFCF04DFA8C949B9EFBB5EF48314F148269E815AB291D774AA05CF91

Function 00B2F940 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,BACC40AC,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B2F974

Part of subcall function 00AF5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,00BEA8AD,000000FF), ref: 00AF5188
Part of subcall function 00AF5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,00BEA8AD,000000FF), ref: 00AF51BB

Part of subcall function 00A02970: RaiseException.KERNEL32(?,?,00000000,00000000,00B85A3C,C000008C,00000001,?,00B85A6D,00000000,?,009F91C7,00000000,BACC40AC,00000001,?), ref: 00A0297C

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Strings

.pack, xrefs: 00B2FCB1
*.*, xrefs: 00B2F9EA, 00B2F9FC, 00B2FA04
.jar, xrefs: 00B2FDFC

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
String ID: *.*$.jar$.pack
API String ID: 2917691982-3892993289
Opcode ID: 24739bc2991c30020262dd0c2662d155acae6ba5796660ba715b0829e175a1e7
Instruction ID: 9211e341db5ce11453c26d042f3c6099728d81b3e5e2e72972093cc62ffb91b0
Opcode Fuzzy Hash: 24739bc2991c30020262dd0c2662d155acae6ba5796660ba715b0829e175a1e7
Instruction Fuzzy Hash: D7517170A0061A9FDB10DFA9D848BAEB7F4FF45314F1482B9E429EB291DB34D904CB90

Function 00A89A40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

Part of subcall function 00A8B6E0: __Init_thread_footer.LIBCMT ref: 00A8B77E

__Init_thread_footer.LIBCMT ref: 00A89B3E

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

__Init_thread_footer.LIBCMT ref: 00A89C2B

Strings

String, xrefs: 00A89B0B
ImagePath, xrefs: 00A89B8E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$Init_thread_footer$EnterLeave$ConditionVariableWake
String ID: ImagePath$String
API String ID: 375937472-2295709137
Opcode ID: 00edd8af1d5a89591a410d824cebfbd327459e844ab7912b32af038ed63b2854
Instruction ID: 803c3b3713bdf7273b5b8ee3b92e23856494ddfce1acc3e7b3dfa241b41b4b7c
Opcode Fuzzy Hash: 00edd8af1d5a89591a410d824cebfbd327459e844ab7912b32af038ed63b2854
Instruction Fuzzy Hash: 006180B0C00249EFDB11EFA8DA497DEBBF4FB15704F144169E411A72D1D7755A08CB92

Function 00A24B50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00A24B92
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00A24B98

Strings

RoOriginateLanguageException, xrefs: 00A24B88
combase.dll, xrefs: 00A24B8D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 8fb0b2f9bd5fcc1b50e373d1758b1c6459f283e86de0ff8aa0e1090573b01ab6
Instruction ID: 5f03b7bbeecda44c9c922f4103dae6660f5e70470a395403d0df3e69e3ac51aa
Opcode Fuzzy Hash: 8fb0b2f9bd5fcc1b50e373d1758b1c6459f283e86de0ff8aa0e1090573b01ab6
Instruction Fuzzy Hash: 1F317C31904219EEDB14DFACD945BAEB7B4EB08310F10853AE825A62D0D7799B44CB51

Function 00B22140 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00B2029A,?,BACC40AC,?,?,?,000000FF,?), ref: 00B22154
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00B2029A,?,BACC40AC,?,?,?,000000FF,?,00B1FC64), ref: 00B22171
GetLastError.KERNEL32(?,BACC40AC,?,?,?,000000FF,?,00B1FC64,?,?,00000000,00000000,BACC40AC,?,?), ref: 00B221D0

Strings

AdvancedInstaller, xrefs: 00B221B7

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 5b28933ffa2c765f49c042e341bc4443fb00e19236c778a2bfb151b4f412f17c
Instruction ID: f65fe6849d651b35c832b1f0f4bdeccf2c47ac152fba366165955d2b44c2421a
Opcode Fuzzy Hash: 5b28933ffa2c765f49c042e341bc4443fb00e19236c778a2bfb151b4f412f17c
Instruction Fuzzy Hash: A0118E71340612BBE724DB21EC89F5ABBE4FF44705F114425F609EB690CB70B861CBA4

Function 00A0FFD0 Relevance: 6.3, APIs: 4, Instructions: 292windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00A10118
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00A1012D

Part of subcall function 009F9B10: RtlAllocateHeap.NTDLL(?,00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,?,00C89A1C,?,00B2BB18,80004005,BACC40AC), ref: 009F9B5A

Part of subcall function 00AD2040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00A10168,00000000,80004005), ref: 00AD20AB
Part of subcall function 00AD2040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AD20DB

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00A1025E
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00A1035A

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID:
API String ID: 3168177373-0
Opcode ID: a4573cb0aa6b561c742aa060ea3370968cd0ec301e80d2644864017e26ed2ece
Instruction ID: 779a06fb2d9fc92f4ee17c26717afb14abef3eeafffdacf914df5d52ff7d372d
Opcode Fuzzy Hash: a4573cb0aa6b561c742aa060ea3370968cd0ec301e80d2644864017e26ed2ece
Instruction Fuzzy Hash: 29B19371A00209DFDB14DFA8C988FEEFBB5FF48314F104259E515AB290DBB5A984CB90

Function 00A18180 Relevance: 6.3, APIs: 4, Instructions: 266windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 00A18258
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00A18287
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00A18443
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00A18466

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 441a39dbc671513344b38aaca18cccf7f037c60cc49650c7e583ba9d8a5b3068
Instruction ID: f1646418cfc2a8291b75152a009d34615bea43a523fc5facfb418b0831870a3e
Opcode Fuzzy Hash: 441a39dbc671513344b38aaca18cccf7f037c60cc49650c7e583ba9d8a5b3068
Instruction Fuzzy Hash: AEA16D72A00208DFCF15DF68C984BEEB7F5BF48710F194569E911AB291DB34E881CBA0

Function 00A66E20 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00002781,00000017), ref: 00A66E7B
LoadResource.KERNEL32(00000000,00000000), ref: 00A66E89
LockResource.KERNEL32(00000000), ref: 00A66E94
SizeofResource.KERNEL32(00000000,00000000), ref: 00A66EA3

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 7d30e006de3aa604d898896679c44b51cb65bc66a5fed3da9edd07b63738afc9
Instruction ID: bdd8c123d449997ab91f24a5e2bc298aae5c83dc3d781613f6cd46a9f04af8df
Opcode Fuzzy Hash: 7d30e006de3aa604d898896679c44b51cb65bc66a5fed3da9edd07b63738afc9
Instruction Fuzzy Hash: 6B91AE70D05288EFDF01DFA8D949BDEBBF5EF55304F1480A9E405AB292DBB45A08CB61

Function 00A12F00 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A12F5A
VariantClear.OLEAUT32(?), ref: 00A12F8C
VariantClear.OLEAUT32(?), ref: 00A130F5
VariantClear.OLEAUT32(?), ref: 00A13124

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 847bbcd4cb15ce5fe47ad280a12fc3f8e328ada7fc69c7d94f9547dbb934560c
Instruction ID: 2f4b95d05ef3084ad37d06c96f00ff75f8b29f43fcfca374be2536d1266619a3
Opcode Fuzzy Hash: 847bbcd4cb15ce5fe47ad280a12fc3f8e328ada7fc69c7d94f9547dbb934560c
Instruction Fuzzy Hash: B581CF71A00308DFDB10DFA8C944B9EFBB4EF49714F248269E815AB391E774AA45CB91

Function 00A04650 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00A046F0
SysFreeString.OLEAUT32(00000000), ref: 00A04731

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: a8a38cfc555fc016351c427cd81216dbba9498d1134da8b98b2a477ef87c0b10
Instruction ID: ed6f4ec79ede5e2585494f754c3f41dd57dd30ad95eceac566c58f49f1ccbac4
Opcode Fuzzy Hash: a8a38cfc555fc016351c427cd81216dbba9498d1134da8b98b2a477ef87c0b10
Instruction Fuzzy Hash: 09617E72A04249EFDB10CF58E844BAABBB8FB49721F10456AFD1597390D7769D10CBA0

Function 00AD2240 Relevance: 6.2, APIs: 4, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00AD22AB
GetWindowRect.USER32(00000000), ref: 00AD2301

Part of subcall function 00A8FCF0: GetWindowRect.USER32(?,?), ref: 00A8FD8B
Part of subcall function 00A8FCF0: GetWindowRect.USER32(?,?), ref: 00A8FDA3

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00AD2400
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00AD2413

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageRectSendWindow
String ID:
API String ID: 2814762282-0
Opcode ID: 2fb22eb2ed06a65dd060b18b374cbcefdef84fede8f35bc839f24d4895bd8351
Instruction ID: 36e4edd72de3d69470b761bfc23a8ef72f792daac50ede33b832aefd18325dec
Opcode Fuzzy Hash: 2fb22eb2ed06a65dd060b18b374cbcefdef84fede8f35bc839f24d4895bd8351
Instruction Fuzzy Hash: 7B513771D00748ABDB25DFA8CD49BDEBBF8EF59710F10431AE815A7291EB706A81CB50

Function 00A8FCF0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A8FD8B
GetWindowRect.USER32(?,?), ref: 00A8FDA3
GetWindowRect.USER32(?,?), ref: 00A8FE10
GetWindowLongW.USER32(?,000000EC), ref: 00A8FE34

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Window$Rect$Long
String ID:
API String ID: 3486571012-0
Opcode ID: c82276cf730e1715b86074afc9d7025202e73006803de02d09cb4c793de6e3e0
Instruction ID: 745a5e0fa1d8e1a10503f3fc6be89d3c038a900d0d9694532a9d959fb3cd73a6
Opcode Fuzzy Hash: c82276cf730e1715b86074afc9d7025202e73006803de02d09cb4c793de6e3e0
Instruction Fuzzy Hash: BF4169326083059FC714EF14D888F6BB7E8FF99704F054A2EF94597211EB30E9458B92

Function 009FFCE0 Relevance: 6.1, APIs: 4, Instructions: 120windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 009FFD30
GetDlgItem.USER32(?,?), ref: 009FFD55
SendMessageW.USER32(00000001,?,?,00000001), ref: 009FFE1F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 7659df62f7329e50bd065cadb4814e20cbdd5104859301f670a409b0a74a6849
Instruction ID: a046db4a09b838518e073d9c5ee09fa467d4340122e95a9e08aae81e566a6f63
Opcode Fuzzy Hash: 7659df62f7329e50bd065cadb4814e20cbdd5104859301f670a409b0a74a6849
Instruction Fuzzy Hash: 17418036300209DFC7198F68E8A8F76B7A9FF45311F04487AE64AC65A2D732EC55DB60

Function 00B0C6B0 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 00B0C70F
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00B0C71C
WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B0C739
WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00B0C75B

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5c8d6f803e3677191dd002927af5ebf065c95560cebd50fc10ecfba6afe9091c
Instruction ID: cba99f4728ed07a55929f1cba6bb1647cea5a00f09003424dc17e0ce9c20cdb9
Opcode Fuzzy Hash: 5c8d6f803e3677191dd002927af5ebf065c95560cebd50fc10ecfba6afe9091c
Instruction Fuzzy Hash: F02125B67403067BE7205F54EC82F6A7F9DEF54B44F204229FA01571C0EBA17D198A64

Function 00AF5170 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,00BEA8AD,000000FF), ref: 00AF5188
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,00BEA8AD,000000FF), ref: 00AF51BB
GetStdHandle.KERNEL32(000000F5,?,BACC40AC,00000000,00BAD840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00AF5226
SetConsoleTextAttribute.KERNEL32(00000000,?,BACC40AC,00000000,00BAD840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00AF522D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: ByteCharMultiWide$AttributeConsoleHandleText
String ID:
API String ID: 3849414675-0
Opcode ID: a1f165946865aee43667b8c95f1b4df9160891d2e4ff7342c7b14c7472e6100c
Instruction ID: 3407dd06f76e5f5b9e17b6cf8fbdedeaec355eeef6ac45917c6eb679b196a4da
Opcode Fuzzy Hash: a1f165946865aee43667b8c95f1b4df9160891d2e4ff7342c7b14c7472e6100c
Instruction Fuzzy Hash: 9221A472704615AFD6109B98DC89F6EF769EF85720F208329F725D72D0CB316901CBA4

Function 00B312C0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,?,BACC40AC,?,?,00000000,00BAD670,000000FF,?,00B312A8,00000000,80004005,?,00C94C50,?,?), ref: 00B312F7
GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,00BAD670,000000FF,?,00B312A8,00000000), ref: 00B31311
TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,00BAD670,000000FF,?,00B312A8,00000000), ref: 00B31329
CloseHandle.KERNEL32(00000001,?,?,00000000,00BAD670,000000FF,?,00B312A8,00000000,80004005,?,00C94C50,?,?,00B13989), ref: 00B31332

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 6fc55ca722dc75614bf9313ac903634d993232635c30bc4f890514e49b93a5e0
Instruction ID: 015d226864f8168961fb345b9000db16c74891822c4414a3106ebc3ad942e3ea
Opcode Fuzzy Hash: 6fc55ca722dc75614bf9313ac903634d993232635c30bc4f890514e49b93a5e0
Instruction Fuzzy Hash: A5017171504B05EFDB208F58DC05B6AB7FCFB08714F108A6DE86692AA0DB75A804CB58

Function 00B866EA Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00B86687,00000064), ref: 00B8670D
LeaveCriticalSection.KERNEL32(00C94CD8,?,?,00B86687,00000064,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B86717
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00B86687,00000064,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B86728
EnterCriticalSection.KERNEL32(00C94CD8,?,00B86687,00000064,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8672F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 077cb3386533db05ec2e69e827085e03d888886d0199e90ab5ca078c92441ee9
Instruction ID: 219499dc444621266c300b8d1b8ec80253cc6d7a04b32113dcce063520b814cc
Opcode Fuzzy Hash: 077cb3386533db05ec2e69e827085e03d888886d0199e90ab5ca078c92441ee9
Instruction Fuzzy Hash: 22E01235542534BFCE152F95ED0DF9E3F28EB04B55B024061F94566170CF611825CBE4

Function 00B30320 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

DeleteFileW.KERNEL32(?), ref: 00B303FA
DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00B3052F

Part of subcall function 00B1F280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,BACC40AC,00000001,75B4EB20,00000000), ref: 00B1F2CF
Part of subcall function 00B1F280: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,BACC40AC,00000001,75B4EB20,00000000), ref: 00B1F305

Part of subcall function 00B1C7E0: LoadStringW.USER32(000000A1,?,00000514,BACC40AC), ref: 00B1C836

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00B303AE

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 3544038457-3685554107
Opcode ID: 93ed29a1b118d5c1f293380bac1e8a19ef225c5b01df404def330cd51519dab2
Instruction ID: 93c87a4d4e40cc4350fc83d02b4d2bdd9e55c7cd0ece58646dc77758329fd467
Opcode Fuzzy Hash: 93ed29a1b118d5c1f293380bac1e8a19ef225c5b01df404def330cd51519dab2
Instruction Fuzzy Hash: 4491B231A006099FDB00EF68C854BAEBBF5EF55314F1482A9E915DB2A2DB34DD04CF90

Function 00A5E970 Relevance: 5.4, APIs: 4, Instructions: 419memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00A5EB86
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00A5EB8C

Part of subcall function 00A60530: GetProcessHeap.KERNEL32(?,?,BACC40AC,00000000,?,00000000), ref: 00A605EA
Part of subcall function 00A60530: HeapFree.KERNEL32(00000000,?,?,BACC40AC,00000000,?,00000000), ref: 00A605F0

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5ED97
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5ED9D

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9c5b9d6c39e69a7411703c387db8177d4cc8a062e0615d26625a3eb4af9eeea1
Instruction ID: 65d8225f487a7691fb4273973cf00c215f589cbe7f294a166a75fe581a9a8990
Opcode Fuzzy Hash: 9c5b9d6c39e69a7411703c387db8177d4cc8a062e0615d26625a3eb4af9eeea1
Instruction Fuzzy Hash: 47F17E70D00249DFDB18DFA8C945BEEBBB4FF15314F204199E811AB291DB74AE48CB91

Function 00B27150 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 009F9E50: GetProcessHeap.KERNEL32 ref: 009F9EA5
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9ED7
Part of subcall function 009F9E50: __Init_thread_footer.LIBCMT ref: 009F9F62

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BF13BF,000000FF), ref: 00B272D3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BF13BF,000000FF), ref: 00B27361

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00B2723F

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: 19e83ed10b5aae8e162732b87873b8dd81d0a919e7a82cff2a7bbc9d57eec8e5
Instruction ID: 6c8e4c37f63dcf4e74f7232697c109f2df3a8e715105e49bce61b86ba0e357f8
Opcode Fuzzy Hash: 19e83ed10b5aae8e162732b87873b8dd81d0a919e7a82cff2a7bbc9d57eec8e5
Instruction Fuzzy Hash: 9661FF70905689DFDB00CF68D98879EFBF0EF85714F1482ADE4099B391DB75AA08CB94

Function 00A3D130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00B86662: EnterCriticalSection.KERNEL32(00C94CD8,?,?,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B8666D
Part of subcall function 00B86662: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9EF6,00C95904,BACC40AC,?,?,00BADE0D,000000FF,?,00B2BABC,BACC40AC), ref: 00B866AA

__Init_thread_footer.LIBCMT ref: 00A3D28D

Part of subcall function 00B86618: EnterCriticalSection.KERNEL32(00C94CD8,?,?,009F9F67,00C95904,00C06640), ref: 00B86622
Part of subcall function 00B86618: LeaveCriticalSection.KERNEL32(00C94CD8,?,009F9F67,00C95904,00C06640), ref: 00B86655
Part of subcall function 00B86618: RtlWakeAllConditionVariable.NTDLL ref: 00B866CC

Strings

Windows.UI.Xaml.Controls.ListViewItem, xrefs: 00A3D256
ItemData, xrefs: 00A3D2F2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
API String ID: 2296764815-2445763458
Opcode ID: f3dcda0e5ce2aae1136063492d774e04619508d2406a11814f8b87fc7d23f918
Instruction ID: a57a2017c6a3eed6bba8395accf557ded12984a26252bfd3f3fb1ad3ae0a1f69
Opcode Fuzzy Hash: f3dcda0e5ce2aae1136063492d774e04619508d2406a11814f8b87fc7d23f918
Instruction Fuzzy Hash: 0271D270805289EFDB01CFA8D9047DEBBF0BF15304F148269E4156B2D1D7B99B08CBA2

Function 00AE3C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,BACC40AC,00000000,00000000), ref: 00AE3D11

Strings

\\?\, xrefs: 00AE3E0B, 00AE3E37
\\?\UNC\, xrefs: 00AE3D3C, 00AE3D9E

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: e776a5bc2ae8b18a6e26038019e041adefa797b380ee249cbd0955ec224b4912
Instruction ID: 1b84f934c244dc86963863f70c537922daa7bd96d5ce8bdec2d161586054ac05
Opcode Fuzzy Hash: e776a5bc2ae8b18a6e26038019e041adefa797b380ee249cbd0955ec224b4912
Instruction Fuzzy Hash: 7451CF71D00644DBDF14DF69D889BAEB7F5FF84704F20851DE8016B291EB75AA48CBA0

Function 00B28550 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,BACC40AC,?,?,00C96054), ref: 00B2858F
CreateDirectoryW.KERNEL32(?,00000000,?,00C96054), ref: 00B285F0

Strings

ADVINST_LOGS, xrefs: 00B285C8

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 6fcb303ddf67c8c5ea6e487ea7dd47087be8b47d55d947c06b277999e79832a9
Instruction ID: 9d67a48bd683a55292e1c07f7d3bbd18fbe7215ba5d7f7aec199d4667f3c509b
Opcode Fuzzy Hash: 6fcb303ddf67c8c5ea6e487ea7dd47087be8b47d55d947c06b277999e79832a9
Instruction Fuzzy Hash: AC51B275941229CBCB209F28D848BBAB3F4FF14714F2446EEE85997291EF748D81CB90

Function 00A07110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,00C1337C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,BACC40AC), ref: 00A07280

Part of subcall function 00ADDDA0: GetModuleHandleW.KERNEL32(Advapi32.dll,BACC40AC,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00ADDDE3

CloseHandle.KERNEL32(?,BACC40AC), ref: 00A072B9

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00A07178

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: CloseHandle$Module
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
API String ID: 1412095732-2431777889
Opcode ID: 41a6945232fcdd96377cf3d27d8a158ae3344f4052ea80921adc75691ca4ac17
Instruction ID: 32de59f877a60840e403e3fe1d80b407bee4a8814610231e6db7dfaf028fd612
Opcode Fuzzy Hash: 41a6945232fcdd96377cf3d27d8a158ae3344f4052ea80921adc75691ca4ac17
Instruction Fuzzy Hash: 98516870D1424CEADF20EFA4C959BEEFBB4BF14304F108199E455B7281DBB46A48CBA5

Function 00B30F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B30BE0: GetTempPathW.KERNEL32(00000104,?), ref: 00B30CC9
Part of subcall function 00B30BE0: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00B30CFA
Part of subcall function 00B30BE0: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00B30D2D

GetLastError.KERNEL32(?,00000010), ref: 00B3102E
DeleteFileW.KERNEL32(?), ref: 00B31041

Strings

Shlwapi.dll, xrefs: 00B30F70, 00B30FA8

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: FileTempWow64$DeleteDisableErrorLastNamePathRedirection
String ID: Shlwapi.dll
API String ID: 145603228-1687636465
Opcode ID: 21f0040ec3b2d8502c62b6291b056fdabf34f9108d4f39ed44e576c1b90cd46f
Instruction ID: 1cf0419bbe350f45d70ce569fdc8f255d4be1ed070b0bbef7a3c83745c886c5b
Opcode Fuzzy Hash: 21f0040ec3b2d8502c62b6291b056fdabf34f9108d4f39ed44e576c1b90cd46f
Instruction Fuzzy Hash: 073161B1900249EBDB15DFA9D844BEEBBFCEF08350F24459AE801A3250DB359A45CBA1

Function 00B42050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,00C2A350,00000001,BACC40AC,?), ref: 00B420FE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00B4211B

Strings

_pbl_evt, xrefs: 00B420D2

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: df43acbed1169fd7bf01f55b39aacb10b1166d2e37d0cd147dd5ee11b5d81be3
Instruction ID: b7069a1af4763354480c1fb3285265d87b0240a4cb6d077455663143f16bcdfe
Opcode Fuzzy Hash: df43acbed1169fd7bf01f55b39aacb10b1166d2e37d0cd147dd5ee11b5d81be3
Instruction Fuzzy Hash: 48313871D00208EFDB10DFA8D955BEEB7F8EF08714F508169E911B7290DBB46A09CBA5

Function 00AE6870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AE689B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AE68FE

Strings

bad locale name, xrefs: 00AE6921

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 7f0791dbaa69d66524e2fa8a49258b6eb95600e98173f3cadbfc5ee9856d6995
Instruction ID: 8e46e6bcf965303fc95e2a23f560669bfa6e42e986d79a86f9b503a5296aad97
Opcode Fuzzy Hash: 7f0791dbaa69d66524e2fa8a49258b6eb95600e98173f3cadbfc5ee9856d6995
Instruction Fuzzy Hash: FE21E070905784DFD720CF69C80475ABFE4AF15714F14869DE486C7B82D7B6EA04C7A1

Function 00A5DE10 Relevance: 5.3, APIs: 4, Instructions: 316memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?), ref: 00A5E08B
HeapFree.KERNEL32(00000000,?,?), ref: 00A5E091
GetProcessHeap.KERNEL32(?,?), ref: 00A5E160
HeapFree.KERNEL32(00000000,?,?), ref: 00A5E166

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c00b688a89b3ee09ea4adc010a313da67641bdd455432c9726d511f632004049
Instruction ID: 381f7b7e01ffc1b790d652804b30dd6310869ec5e1f634192ca0579fb0bd37f9
Opcode Fuzzy Hash: c00b688a89b3ee09ea4adc010a313da67641bdd455432c9726d511f632004049
Instruction Fuzzy Hash: 4AD18E70900208DFDF14DFA8C954BEEFBB5BF55304F2442A9D805AB292DB74AE49CB91

Function 00AD1F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD2470: __Init_thread_footer.LIBCMT ref: 00AD2500
Part of subcall function 00AD2470: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AD253D
Part of subcall function 00AD2470: __Init_thread_footer.LIBCMT ref: 00AD2554
Part of subcall function 00AD2470: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00AD257F

SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AD1FC0
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AD1FC8

Part of subcall function 00A00DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00A00DE6

Strings

SysListView32, xrefs: 00AD1F99

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$Init_thread_footer$AddressLongProcWindow
String ID: SysListView32
API String ID: 93031011-78025650
Opcode ID: e935f36ad9ac49b8232601bd4cd73f3a10eeeb86bd4ba6d8e3725f1e49c6d401
Instruction ID: cc3c4dee3447a1bfb437e86724c95135a9d2b378efec6b8a0ecca711ecddec32
Opcode Fuzzy Hash: e935f36ad9ac49b8232601bd4cd73f3a10eeeb86bd4ba6d8e3725f1e49c6d401
Instruction Fuzzy Hash: 42118B71301210BFE624AB15CC05F6BFBA9FFC9750F05421AFA45AB2A0C6B1AC00CBE1

Function 00AD29C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AD2A23
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AD2A2B

Part of subcall function 00A00DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00A00DE6

Strings

RichEdit20W, xrefs: 00AD2A02

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: RichEdit20W
API String ID: 312131281-4173859555
Opcode ID: fe2792e7c609372b064d2490e68e9d70b1a393306d0592dff751bfa12e3ac905
Instruction ID: 7eafaafab6b1a688b0fbbd83e5950910bf4e7b97d6b9773e5218d0af8f6a4dcd
Opcode Fuzzy Hash: fe2792e7c609372b064d2490e68e9d70b1a393306d0592dff751bfa12e3ac905
Instruction Fuzzy Hash: 93016D31301214BFD6149F15DC04F5BFBE9FBC9750F15421AFA48A73A0C6B1AC01CAA1

Function 00A31B70 Relevance: 5.3, APIs: 4, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00A31E5F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00A31E65
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00A31F0F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00A31F15

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57c2b0615ab58ed9f9e08fd513f55d038dc4c1c4b1128f93c0ec22a44805e57d
Instruction ID: 60e9488d3fe6701c50630b7a47367359bada65ec95da7b67bc3ff8fa7ad1fa3b
Opcode Fuzzy Hash: 57c2b0615ab58ed9f9e08fd513f55d038dc4c1c4b1128f93c0ec22a44805e57d
Instruction Fuzzy Hash: 2AB17B71D00268DEDB20DB28CD45BEEBBB5EF51314F1042EAE419A7292DB749B84CF91

Function 00A307E0 Relevance: 5.2, APIs: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00A30A0F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A30A15
GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00A30ABF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A30AC5

Memory Dump Source

Source File: 00000000.00000002.2191336021.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.2191261202.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191555373.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191603888.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191616200.0000000000C94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_R2T8ccXCek.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 22f63c644bdb544d4152447847bd595f3fcef1999608c9070bfa4270792b40b7
Instruction ID: 5148a5fb79facafaed65838c6a588a54ea18e1d9d4c9e329acb41023a1ef27cc
Opcode Fuzzy Hash: 22f63c644bdb544d4152447847bd595f3fcef1999608c9070bfa4270792b40b7
Instruction Fuzzy Hash: DE916B70D01368DEEB20DB28CC55BDEBBB5AF51304F1442E9E409A7292DB749B88CF52

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R2T8ccXCek.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: R2T8ccXCek.exePID: 6516, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: R2T8ccXCek.exePID: 6516, Parent PID: 4004COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
R2T8ccXCek.exe

Function 00B2B350 Relevance: 26.8, APIs: 13, Strings: 2, Instructions: 551
COMMON

Function 00B1EAB0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Function 00B14050 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160
windowCOMMON

Function 00B2A240 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159
COMMON

Function 00AF2BA0 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Function 00AF2F80 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Function 00B14960 Relevance: 37.0, APIs: 2, Strings: 19, Instructions: 220
COMMON

Function 00AFDB40 Relevance: 29.9, APIs: 4, Strings: 13, Instructions: 167
COMMON

Function 00B064D0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 495
COMMON

Function 00B2F7B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
libraryCOMMON

Function 00B85A9F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00B12810 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 224
fileCOMMON

Function 00B2F2F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Function 00ADDDA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
registrylibraryloaderCOMMON

Function 00ABD900 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86
registrylibraryloaderCOMMON