Edit tour

Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name:	RFQ.exe
Analysis ID:	1568946
MD5:	3861b9e7e90136630ba57296db976c82
SHA1:	84ef76f15ad3f688c679c781edfa844206062db8
SHA256:	d92795d6430f0ef54455895006dd6bfe6924a02d1ee531f60ee6f3b93b876078
Tags:	exeRedLineStealeruser-julianmckein
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RFQ.exe (PID: 1568 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 3861B9E7E90136630BA57296DB976C82)

RegSvcs.exe (PID: 5648 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Ycdwx.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ycdwx.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 4160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3336154686.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.2120151998.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 5648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5648	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.3d76458.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d76458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.295fb06.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.295fb06.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5230000.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5230000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5120000.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5120000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5230000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5230000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3db4d90.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3db4d90.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3db4d90.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3db4d90.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d75570.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d75570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ.exe.3b90000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.3d76458.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d76458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.295ec1e.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.295ec1e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5230ee8.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5230ee8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5230ee8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5230ee8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.295ec1e.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.295ec1e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.295fb06.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.295fb06.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5120000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5120000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d75570.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d75570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdwx

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5648, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://mail.elec-qatar.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.RegSvcs.exe.5230000.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for submitted file

Source: RFQ.exe	ReversingLabs: Detection: 44%
Source: RFQ.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RFQ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: /log.tmp
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>[
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ]<br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Time:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>User Name:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>Computer Name:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>OSFullName:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>CPU:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>RAM:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IP Address:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: New
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IP Address:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: https://api.ipify.org
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: mail.elec-qatar.com
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: mohammed.abrar@elec-qatar.com
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: MHabrar2019@#
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: davidsurly1@gmail.com
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Ycdwx
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Ycdwx.exe
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Ycdwx
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Type
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <b>[
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ]</b> (
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: )<br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {BACK}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {ALT+TAB}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {ALT+F4}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {TAB}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {ESC}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {Win}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {CAPSLOCK}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {KEYUP}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {KEYDOWN}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {KEYLEFT}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {KEYRIGHT}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {DEL}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {END}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {HOME}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {Insert}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {NumLock}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {PageDown}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {PageUp}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {ENTER}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F1}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F2}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F3}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F4}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F5}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F6}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F7}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F8}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F9}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F10}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F11}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {F12}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: control
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {CTRL}
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: &
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: >
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: "
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: logins
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IE/Edge
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Secure Note
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Web Password Credential
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Credential Picker Protector
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Web Credentials
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Credentials
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Domain Certificate Credential
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Domain Password Credential
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Extended Credential
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SchemaId
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pResourceElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pIdentityElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pPackageSid
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pAuthenticatorElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IE/Edge
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UC Browser
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UCBrowser\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Login Data
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: journal
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: wow_logins
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Safari for Windows
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <array>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <dict>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <string>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </string>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <string>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </string>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <data>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </data>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: -convert xml1 -s -o "
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \fixed_keychain.xml"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Microsoft\Protect\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: credential
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: QQ Browser
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Default\EncryptedStorage
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Profile
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \EncryptedStorage
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: entries
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: category
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: str3
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: str2
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: blob0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: password_value
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IncrediMail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PopPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SmtpPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Accounts_New
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PopPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SmtpPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SmtpServer
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: EmailAddress
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Eudora
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: current
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Settings
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SavePasswordText
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Settings
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ReturnAddress
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Falkon Browser
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \falkon\profiles\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: profiles.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: profiles.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \browsedata.db
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: autofill
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ClawsMail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Claws-mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \clawsrc
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \clawsrc
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passkey0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \accountrc
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: smtp_server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: address
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: account
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \passwordstorerc
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: {(.),(.)}(.*)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Flock Browser
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Flock\Browser\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: signons3.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: DynDns
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ALLUSERSPROFILE
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: username=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: password=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: https://account.dyn.com/
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: t6KzXhCh
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ALLUSERSPROFILE
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: global
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: accounts
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: account.
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: username
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: account.
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Psi/Psi+
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: name
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Psi/Psi+
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Psi\profiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Psi+\profiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \accounts.xml
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \accounts.xml
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: OpenVPN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: username
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: auth-data
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: entropy
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: USERPROFILE
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \OpenVPN\config\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: remote
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: remote
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: NordVpn.exe*
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: user.config
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: //setting[@name='Username']/value
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: //setting[@name='Password']/value
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Private Internet Access
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: %ProgramW6432%
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Private Internet Access\data
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Private Internet Access\data
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \account.json
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ."username":"(.?)"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ."password":"(.?)"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Private Internet Access
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: privateinternetaccess.com
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FileZilla
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Server>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Host>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Host>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </Host>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Port>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </Port>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <User>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <User>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </User>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </Pass>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Pass>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </Pass>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: CoreFTP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: User
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Host
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Port
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: hdfzpysvpzimorhk
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: WinSCP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HostName
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UserName
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PublicKeyFile
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PortNumber
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: WinSCP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ABCDEF
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Flash FXP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: port
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: user
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pass
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: quick.dat
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Sites.dat
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FlashFXP\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FlashFXP\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FTP Navigator
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: No Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: User
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SmartFTP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: WS_FTP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HOST
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PWD=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PWD=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FtpCommander
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \cftp\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Password=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;User=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Server=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Port=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Port=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Password=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;User=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ;Anonymous=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FTPGetter
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \FTPGetter\servers.xml
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_ip>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_ip>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </server_ip>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_port>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </server_port>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_user_name>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_user_name>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </server_user_name>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_user_password>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: <server_user_password>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: </server_user_password>
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FTPGetter
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: The Bat!
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \The Bat!
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Account.CFN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Account.CFN
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Becky!
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: DataDir
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Folder.lst
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Mailbox.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PassWd
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTPServer
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: MailAddress
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Becky!
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Outlook
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IMAP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: POP3 Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HTTP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IMAP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: POP3 Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HTTP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTP Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Windows Mail App
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SchemaId
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pResourceElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pIdentityElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pPackageSid
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: pAuthenticatorElement
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: syncpassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: mailoutgoing
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FoxMail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Executable
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: FoxmailPath
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Storage\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Storage\
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Accounts\Account.rec0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Accounts\Account.rec0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Account.stg
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Account.stg
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: POP3Host
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTPHost
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: IncomingServer
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: MailAddress
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: POP3Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Opera Mail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: opera:
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PocoMail
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Pocomail\accounts.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: POPPass
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTPPass
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SMTP
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: eM Client
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: eM Client\accounts.dat
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: eM Client
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: "Username":"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: "Secret":"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: "ProviderName":"
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: o6806642kbM7c5
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Mailbird
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SenderIdentities
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Server_Host
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Username
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: EncryptedPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Mailbird
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: RealVNC 4.x
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: RealVNC 3.x
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: RealVNC 4.x
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: RealVNC 3.x
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\ORL\WinVNC3
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: TightVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: TightVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: PasswordViewOnly
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: TightVNC ControlPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ControlPassword
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: TigerVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Software\TigerVNC\Server
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: JDownloader 2.0
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: JDownloader 2.0\cfg
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: JDownloader 2.0\cfg
Source: 2.2.RegSvcs.exe.5230000.8.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs

Source: RFQ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.3339655516.000000000556F000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2232635735.0000000000B02000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.2117748214.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2118377850.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.2117748214.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2118377850.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.3339655516.000000000556F000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2232635735.0000000000B02000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F8445A
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8C6D1 FindFirstFileW,FindClose,	0_2_00F8C6D1
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F8C75C
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8EF95
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8F0F2
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8F3F3
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F837EF
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F83B12
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8BCBC

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 50.87.139.143:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 50.87.139.143 50.87.139.143

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 50.87.139.143:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F922EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.elec-qatar.com

Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3339655516.00000000054E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.3339655516.00000000054E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3339655516.00000000054E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F94164

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F94164

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F93F66

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F8001C

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00FACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RFQ.exe.3b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3336154686.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2120151998.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F23B3A
Source: RFQ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ.exe, 00000000.00000000.2086185553.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7f9d8e0e-f
Source: RFQ.exe, 00000000.00000000.2086185553.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_19c9e9a3-9
Source: RFQ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bc231c7b-1
Source: RFQ.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_10234947-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ.exe

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F8A1EF

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F78310

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F851BD

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F2E6A0	0_2_00F2E6A0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4D975	0_2_00F4D975
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F2FCE0	0_2_00F2FCE0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F421C5	0_2_00F421C5
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F562D2	0_2_00F562D2
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00FA03DA	0_2_00FA03DA
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F5242E	0_2_00F5242E
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F425FA	0_2_00F425FA
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F366E1	0_2_00F366E1
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F7E616	0_2_00F7E616
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F5878F	0_2_00F5878F
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F88889	0_2_00F88889
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00FA0857	0_2_00FA0857
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F56844	0_2_00F56844
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F38808	0_2_00F38808
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4CB21	0_2_00F4CB21
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F56DB6	0_2_00F56DB6
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F36F9E	0_2_00F36F9E
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F33030	0_2_00F33030
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4F1D9	0_2_00F4F1D9
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F43187	0_2_00F43187
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F21287	0_2_00F21287
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F41484	0_2_00F41484
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F35520	0_2_00F35520
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F47696	0_2_00F47696
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F35760	0_2_00F35760
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F41978	0_2_00F41978
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F59AB5	0_2_00F59AB5
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00FA7DDB	0_2_00FA7DDB
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4BDA6	0_2_00F4BDA6
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F41D90	0_2_00F41D90
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F33FE0	0_2_00F33FE0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F2DF00	0_2_00F2DF00
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_016EA260	0_2_016EA260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028DD2A0	2_2_028DD2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028DDEB8	2_2_028DDEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028D0FC0	2_2_028D0FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028D1030	2_2_028D1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028DD5E8	2_2_028DD5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066A1400	2_2_066A1400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066AC258	2_2_066AC258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066A68A1	2_2_066A68A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066A9EC8	2_2_066A9EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066A0937	2_2_066A0937

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\RFQ.exe	Code function: String function: 00F27DE1 appears 35 times
Source: C:\Users\user\Desktop\RFQ.exe	Code function: String function: 00F48900 appears 42 times
Source: C:\Users\user\Desktop\RFQ.exe	Code function: String function: 00F40AE3 appears 70 times

Source: RFQ.exe, 00000000.00000003.2119001998.0000000003D53000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
Source: RFQ.exe, 00000000.00000003.2117435940.0000000003EAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.2120151998.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename43d1e201-3b42-4ac8-8e2b-270e79cd58bc.exe4 vs RFQ.exe

Source: RFQ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RFQ.exe.3b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3336154686.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2120151998.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F8A06A GetLastError,FormatMessageW,

0_2_00F8A06A

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F781CB AdjustTokenPrivileges,CloseHandle,		0_2_00F781CB
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F787E1

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F8B3FB

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F9EE0D

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F983BB

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F24E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Ycdwx

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Temp\aut121F.tmp

Jump to behavior

Source: RFQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ.exe	ReversingLabs: Detection: 44%
Source: RFQ.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RFQ.exe

Static file information: File size 1191424 > 1048576

Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.3339655516.000000000556F000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2232635735.0000000000B02000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.2117748214.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2118377850.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.2117748214.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2118377850.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.3339655516.000000000556F000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2232635735.0000000000B02000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr

Source: RFQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F24B37 LoadLibraryA,GetProcAddress,

0_2_00F24B37

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F48945 push ecx; ret	0_2_00F48958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041BFCD pushad ; ret	2_2_0041BFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028D434D push esp; iretd	2_2_028D4361
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Code function: 3_2_011E0838 push ebx; retf	3_2_011E0842
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Code function: 3_2_011E089B push esp; retf	3_2_011E089E

Source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'A2rQAeJ04KrR1', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'A2rQAeJ04KrR1', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'A2rQAeJ04KrR1', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'A2rQAeJ04KrR1', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'A2rQAeJ04KrR1', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ycdwx			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ycdwx			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F248D7
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00FA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FA5376

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F43187

Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ.exe

API/Special instruction interceptor: Address: 16E9E84

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 4D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5181			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1095			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105369

Source: C:\Users\user\Desktop\RFQ.exe

API coverage: 4.6 %

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F8445A
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8C6D1 FindFirstFileW,FindClose,	0_2_00F8C6D1
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F8C75C
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8EF95
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8F0F2
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8F3F3
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F837EF
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F83B12
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8BCBC

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98622	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98502	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97818	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RFQ.exe, 00000000.00000003.2086985090.0000000001552000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe(
Source: RegSvcs.exe, 00000002.00000002.3339655516.00000000054E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Source: C:\Users\user\Desktop\RFQ.exe	API call chain: ExitProcess graph end node	graph_0-104199
Source: C:\Users\user\Desktop\RFQ.exe	API call chain: ExitProcess graph end node	graph_0-104423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F93F09 BlockInput,

0_2_00F93F09

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F23B3A

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F55A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F24B37 LoadLibraryA,GetProcAddress,

0_2_00F24B37

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_016EA150 mov eax, dword ptr fs:[00000030h]	0_2_016EA150
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_016EA0F0 mov eax, dword ptr fs:[00000030h]	0_2_016EA0F0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_016E8AE0 mov eax, dword ptr fs:[00000030h]	0_2_016E8AE0

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F780A9

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F4A155
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F4A124 SetUnhandledExceptionFilter,	0_2_00F4A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8DB008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F787B1 LogonUserW,

0_2_00F787B1

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F23B3A

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F248D7

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F84C7F mouse_event,

0_2_00F84C7F

Source: C:\Users\user\Desktop\RFQ.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F77CAF

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F7874B

Source: RFQ.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F4862B cpuid

0_2_00F4862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F54E87

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F61E06 GetUserNameW,

0_2_00F61E06

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F53F3A

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 0_2_00F249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RFQ.exe, 00000000.00000002.2119769921.0000000001552000.00000004.00000020.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2086865893.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.2086985090.0000000001552000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: msmpeng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: RFQ.exe	Binary or memory string: WIN_81
Source: RFQ.exe	Binary or memory string: WIN_XP
Source: RFQ.exe	Binary or memory string: WIN_XPe
Source: RFQ.exe	Binary or memory string: WIN_VISTA
Source: RFQ.exe	Binary or memory string: WIN_7
Source: RFQ.exe	Binary or memory string: WIN_8
Source: RFQ.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3db4d90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d76458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5230ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295ec1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.295fb06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d75570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F96283
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_00F96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ.exe	45%	ReversingLabs	Win32.Trojan.AutoitInject
RFQ.exe	47%	Virustotal		Browse
RFQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://mail.elec-qatar.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
mail.elec-qatar.com	50.87.139.143	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.elec-qatar.com	RegSvcs.exe, 00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	RegSvcs.exe, 00000002.00000002.3337432346.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3336272889.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3337432346.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568946
Start date and time:	2024-12-05 09:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 56 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Ycdwx.exe, PID 5468 because it is empty
Execution Graph export aborted for target Ycdwx.exe, PID 7136 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:18:07	API Interceptor	31x Sleep call for process: RegSvcs.exe modified
09:18:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ycdwx C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
09:18:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ycdwx C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
50.87.139.143	231210-01-AgentTesla-2eba02.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	venomderek.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Order NO 000293988494948595850000595995000.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Employee_Bonus_Notlce.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Employee_Important_Message.pdf	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	zwW6sDt6hU.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	e7lGwhCp7r.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Svku9pKypu.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	pR65xo6sud.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
mail.elec-qatar.com	231210-01-AgentTesla-2eba02.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	BACS190027-01.pdf	Get hash	malicious	Unknown	Browse	172.66.42.208
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	172.67.181.44
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	172.65.9.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	104.21.31.249
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
UNIFIEDLAYER-AS-1US	BACS190027-01.pdf	Get hash	malicious	Unknown	Browse	50.116.113.32
	https://iemetodista.com.br/?data=c2VydmljZUBqcHBsdXMuY29t	Get hash	malicious	Unknown	Browse	108.179.252.197
	http://voicemaaila.3utilities.com	Get hash	malicious	Unknown	Browse	192.185.179.156
	Danellarealty 1052.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	98.130.22.65
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	Order NO 000293988494948595850000595995000.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	98.130.22.47
	MGj3hwACvs.html	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	192.185.77.66
	https://ublypwgeo.turismoalperu.com/	Get hash	malicious	Captcha Phish	Browse	192.185.153.249

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	31#U544a.exe	Get hash	malicious	CobaltStrike	Browse	104.26.12.205
	R7bv9d6gTH.dll	Get hash	malicious	Unknown	Browse	104.26.12.205
	Patch.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.26.12.205
	RuntimeBroker.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.26.12.205
	Qsgtknmtt.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Fzcaaz.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Ekyrfzxogk.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	EHak.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Qsgtknmtt.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Fzcaaz.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	AWB#150332.exe	Get hash	malicious	AgentTesla	Browse
	SOA_9828392091.exe	Get hash	malicious	AgentTesla	Browse
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse
	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	shipping documents.exe	Get hash	malicious	AgentTesla	Browse
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse
	M1Y6kc9FpE.exe	Get hash	malicious	FormBook	Browse
	mJIvCBk5vF.exe	Get hash	malicious	FormBook	Browse
	1aG5DoOsAW.exe	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ycdwx.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Milburt

Download File

Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	266752
Entropy (8bit):	7.887835213727865
Encrypted:	false
SSDEEP:	6144:rAOMygGPOyrFG69ZtMOFmvzG7unEaKkwkd4okzi2myizd3vvFX:rAJOVc2fkvzGKnEEjKzi2JizdXV
MD5:	8909607617266BC36A98B7BA93D82EE0
SHA1:	FC88D5CC6491B16291DBB80B31DC0D6DB9EB4035
SHA-256:	76ACF3941E3A486ACB9BFA551A9421D6EA3C59CC64348F3F68808E0D02A4D04D
SHA-512:	B227691B700E3485F45CE01C3D3832D5A14B339316C8B098F6A4A76AC214511C7AC890E3DE87B5656918EC95B44C631328D6A11564CA63ED41804661847129AC
Malicious:	false
Reputation:	low
Preview:	...TQLEJ@IFW..O2.Z3TRLEJ.IFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFW.XO2IE.ZR.L.e.G..y.Z.).$ #"8%$f4'6!]3zQ1r>0$d (w....5W1\|AH@`IFWFXO2/J.y~=.4h8.)j).LuyLm=.4O..)m).Lk+..=.4vj()Z).LuyZ.=.4vj=)k).L.3P<~=.4DIFWFXO2GZ3TRLEJ...3FXO2..3T.MAJ0.F.FXO2GZ3T.LfKOHOWF.N2G,1TRLEJk.FWFHO2G.2TRL.JDYFWFZO2BZ3TRLEJAIFWFXO2G:7TRHEJ.rDWDXO.GZ#TR\EJDIVWFHO2GZ3TBLEJDIFWFXO2.O1T.LEJD)DW:.N2GZ3TRLEJDIFWFXO2GZ3TRLEJ..GWZXO2GZ3TRLEJDIFWFXO2GZ3TRLEJ.DDW.XO2GZ3TRLEJD.GW.YO2GZ3TRLEJDIFWFXO2GZ3TRLEJj=#/2XO2_.2TR\EJD.GWF\O2GZ3TRLEJDIFWfXORi(W5&-EJ.$FWF.N2G43TR.DJDIFWFXO2GZ3T.LE.j-'#'XO2.j3TRlGJD_FWFRM2GZ3TRLEJDIFW.XO.i(@&1LEJ8.GWF8M2G.2TRlGJDIFWFXO2GZ3T.LE.DIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJDIFWFXO2GZ3TRLEJ

C:\Users\user\AppData\Local\Temp\aut121F.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	261450
Entropy (8bit):	7.974676733284304
Encrypted:	false
SSDEEP:	6144:cfar14rOpKLSjzVeLOyIZm9JFssqKpmIN/YHYZn:cfax4rOpKao96Sy5Kh/kun
MD5:	66D24154A56AD0A6395AA4D99308838C
SHA1:	95498ED38AF5DF46B0800CF5804C026125D740DA
SHA-256:	2B35CA52CB5C94F660022F1009B916822C77A559C901385EA1D8688555A44D14
SHA-512:	82583828E5F2B3A663E1A61C0C3EC85204DC50F379B24134B829E9283F297771D1126304F78DC71D4590A5BB07A7BAEFC3F42F0F7F91BB1016574F6BA6D0CC0E
Malicious:	false
Reputation:	low
Preview:	EA06.....@4uJ.2.J.Rh.}..2..uJ......(.\|..!. .....)4\Mj...a..<o.y.....A#.N$.K4.O6..fw....>.I,..E....D.SZ...A.P,........._4.N5..T.KL..i..h..O.u.6....+.J......(......!Oe6...+3.O......+.......~gT.Sh4...... ..f........N.Q......@)....d. AiTJ...Z..@....0ju7.T..ZV..D..+.....#.T..".X........:\|....e4J..SN.P.0..=^....y(.J.....=_.Y.0.mS...d. W.. ..th.z5p...V).+L..5.Kh........P.@...D.P."T.,.-.........@[(..%\|...S@.>....i.P$....q..p'....d.a.............<..^...Qi.M.z{F....~.N.W..H.:<.sM....c=....\Vo.........'L.b.T;..sX......R....w{`..s".z.....S....V.2.{(Z....I.[75z7bm5...z.n..E.^)>.5o...V.}I]..G.m.:.5_.C.Up.J....Rx...B.2.iy.J..iH....L..a2...U8.....A..z.3.F..Y.E...\|M.....Ui\.-..I...<......r..%^.sp1....p.....@.."..{5...;...{5.Z.2.J...L.o9...fuN.........z.gi..7EU..20+.rg>..:..d.....&4.vW..L.....".W.T...-_.]...e..F.......E..)..i....^..-S.O<Z.W2...Q..j.;.G...E..K.......5..d+...(....<.5...........K..H.7L.aS.\|...K...x..uB...Y...]...8.8m..F..4...%..P84* ..E.

C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AWB#150332.exe, Detection: malicious, Browse Filename: SOA_9828392091.exe, Detection: malicious, Browse Filename: ngPebbPhbp.exe, Detection: malicious, Browse Filename: Pi648je050.exe, Detection: malicious, Browse Filename: shipping documents.exe, Detection: malicious, Browse Filename: Termination_List_November_2024_pdf.exe, Detection: malicious, Browse Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious, Browse Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse Filename: mJIvCBk5vF.exe, Detection: malicious, Browse Filename: 1aG5DoOsAW.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.173077477595768
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ.exe
File size:	1'191'424 bytes
MD5:	3861b9e7e90136630ba57296db976c82
SHA1:	84ef76f15ad3f688c679c781edfa844206062db8
SHA256:	d92795d6430f0ef54455895006dd6bfe6924a02d1ee531f60ee6f3b93b876078
SHA512:	30a3396d67ab0511183181d9148017663f9125dcc53ea3db51b366bb39cdf2646bce098a4665fd8b033bced4dd137743516c9a9f77dd2bc51618790534606b6c
SSDEEP:	24576:eu6J33O0c+JY5UZ+XC0kGso6FalpKWZfQe0zXbNhBWY:wu0c++OCvkGs9FalpK2f0YY
TLSH:	1C45CF22B3DDC360CB669173BF69B7016EBF78614630B85B2F880D7DA950172162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6750EE07 [Thu Dec 5 00:04:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FA0A11059CAh
jmp 00007FA0A10F8794h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FA0A10F891Ah
cmp edi, eax
jc 00007FA0A10F8C7Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FA0A10F8919h
rep movsb
jmp 00007FA0A10F8C2Ch
cmp ecx, 00000080h
jc 00007FA0A10F8AE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FA0A10F8920h
bt dword ptr [004BE324h], 01h
jc 00007FA0A10F8DF0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FA0A10F8ABDh
test edi, 00000003h
jne 00007FA0A10F8ACEh
test esi, 00000003h
jne 00007FA0A10F8AADh
bt edi, 02h
jnc 00007FA0A10F891Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FA0A10F8923h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FA0A10F8975h
bt esi, 03h
jnc 00007FA0A10F89C8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5a5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x122000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5a5e0	0x5a600	2a355dae68ccc21094706991740dc2a9	False	0.9278478345435685	data	7.893373974188122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x122000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x518a7	data			1.0003323442847263
RT_GROUP_ICON	0x121060	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1210d8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1210ec	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x121100	0x14	data	English	Great Britain	1.25
RT_VERSION	0x121114	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1211f0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 09:18:06.210355043 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:06.210393906 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:06.210467100 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:06.216805935 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:06.216820955 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.431632996 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.431706905 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:07.435863972 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:07.435873985 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.436093092 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.481178045 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:07.492579937 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:07.539333105 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.871265888 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.871320963 CET	443	49704	104.26.12.205	192.168.2.5
Dec 5, 2024 09:18:07.871400118 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:07.876604080 CET	49704	443	192.168.2.5	104.26.12.205
Dec 5, 2024 09:18:08.713423014 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:08.833177090 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:08.836838007 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:10.025178909 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:10.025374889 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:10.145406008 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:10.402276039 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:10.402642965 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:10.522397995 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:10.783085108 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:10.785145998 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:10.905009985 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.170154095 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.170171022 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.170201063 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.170311928 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:11.170314074 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.170346022 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:11.361989975 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.393311977 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:11.513087034 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.770287991 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.783282042 CET	49705	587	192.168.2.5	50.87.139.143
Dec 5, 2024 09:18:11.903539896 CET	587	49705	50.87.139.143	192.168.2.5
Dec 5, 2024 09:18:11.903589964 CET	49705	587	192.168.2.5	50.87.139.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 09:18:06.067688942 CET	56374	53	192.168.2.5	1.1.1.1
Dec 5, 2024 09:18:06.205092907 CET	53	56374	1.1.1.1	192.168.2.5
Dec 5, 2024 09:18:08.326958895 CET	57344	53	192.168.2.5	1.1.1.1
Dec 5, 2024 09:18:08.709327936 CET	53	57344	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 09:18:06.067688942 CET	192.168.2.5	1.1.1.1	0x5ccd	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 09:18:08.326958895 CET	192.168.2.5	1.1.1.1	0xc13d	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 09:18:06.205092907 CET	1.1.1.1	192.168.2.5	0x5ccd	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 09:18:06.205092907 CET	1.1.1.1	192.168.2.5	0x5ccd	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 5, 2024 09:18:06.205092907 CET	1.1.1.1	192.168.2.5	0x5ccd	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 09:18:08.709327936 CET	1.1.1.1	192.168.2.5	0xc13d	No error (0)	mail.elec-qatar.com	50.87.139.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.26.12.205	443	5648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 08:18:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-05 08:18:07 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 08:18:07 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ed29a8e2fea43da-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1541&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1757977&cwnd=203&unsent_bytes=0&cid=d52c6b9a792f1751&ts=448&x=0"
2024-12-05 08:18:07 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 5, 2024 09:18:10.025178909 CET	587	49705	50.87.139.143	192.168.2.5	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 05 Dec 2024 01:18:09 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 5, 2024 09:18:10.025374889 CET	49705	587	192.168.2.5	50.87.139.143	EHLO 066656
Dec 5, 2024 09:18:10.402276039 CET	587	49705	50.87.139.143	192.168.2.5	250-box2248.bluehost.com Hello 066656 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 5, 2024 09:18:10.402642965 CET	49705	587	192.168.2.5	50.87.139.143	STARTTLS
Dec 5, 2024 09:18:10.783085108 CET	587	49705	50.87.139.143	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	03:18:01
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\RFQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ.exe"
Imagebase:	0xf20000
File size:	1'191'424 bytes
MD5 hash:	3861B9E7E90136630BA57296DB976C82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2120151998.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:18:04
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ.exe"
Imagebase:	0x7e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3337432346.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3338726977.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3339437325.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3337432346.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3339308886.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3337125429.000000000291E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3336154686.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:18:16
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Imagebase:	0xb00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:18:16
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:18:24
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Imagebase:	0xb50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:18:24
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	177

Executed Functions

Function 00F23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F23B68
IsDebuggerPresent.KERNEL32 ref: 00F23B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE52F8,00FE52E0,?,?), ref: 00F23BEB

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Part of subcall function 00F3092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F23C14,00FE52F8,?,?,?), ref: 00F3096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F23C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FD7770,00000010), ref: 00F5D281
SetCurrentDirectoryW.KERNEL32(?,00FE52F8,?,?,?), ref: 00F5D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FD4260,00FE52F8,?,?,?), ref: 00F5D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F5D346

Part of subcall function 00F23A46: GetSysColorBrush.USER32(0000000F), ref: 00F23A50
Part of subcall function 00F23A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F23A5F
Part of subcall function 00F23A46: LoadIconW.USER32(00000063), ref: 00F23A76
Part of subcall function 00F23A46: LoadIconW.USER32(000000A4), ref: 00F23A88
Part of subcall function 00F23A46: LoadIconW.USER32(000000A2), ref: 00F23A9A
Part of subcall function 00F23A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F23AC0
Part of subcall function 00F23A46: RegisterClassExW.USER32(?), ref: 00F23B16

Part of subcall function 00F239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F23A03
Part of subcall function 00F239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F23A24
Part of subcall function 00F239D5: ShowWindow.USER32(00000000,?,?), ref: 00F23A38
Part of subcall function 00F239D5: ShowWindow.USER32(00000000,?,?), ref: 00F23A41

Part of subcall function 00F2434A: _memset.LIBCMT ref: 00F24370
Part of subcall function 00F2434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F24415

Strings

runas, xrefs: 00F5D33A
This is a third-party compiled AutoIt script., xrefs: 00F5D279

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 5cfa2d455ae0448bbc4ae4299449176d5194732c73c7c79c5df7e9ab7b409b48
Instruction ID: 7268924045bfaa19d4a59ca6bed0db8874595c227ad474a493835aaa0abfdc50
Opcode Fuzzy Hash: 5cfa2d455ae0448bbc4ae4299449176d5194732c73c7c79c5df7e9ab7b409b48
Instruction Fuzzy Hash: 67513971D0826CAECF11FBF4FC45AED7B79AF45B14F004065F511AA1A2CA789605FB21

Function 00F249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F249CD

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

GetCurrentProcess.KERNEL32(?,00FAFAEC,00000000,00000000,?), ref: 00F24A9A
IsWow64Process.KERNEL32(00000000), ref: 00F24AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F24AE7
FreeLibrary.KERNEL32(00000000), ref: 00F24AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F24B23
GetSystemInfo.KERNEL32(00000000), ref: 00F24B2F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8bee4d4e1d0f44227015887f603de61eb5f983c6936e4b85c1f542e2e440d653
Instruction ID: 78aff291b308dce128b93a31cb72a938260cb0e3674d8b068568c98016fc2ebd
Opcode Fuzzy Hash: 8bee4d4e1d0f44227015887f603de61eb5f983c6936e4b85c1f542e2e440d653
Instruction Fuzzy Hash: 5B91063198A7D0DEC731DB78A4502AAFFF4AF2A311B0449ADD0CB83A01D264F50CEB59

Function 00F24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F24D8E,?,?,00000000,00000000), ref: 00F24E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F24D8E,?,?,00000000,00000000), ref: 00F24EB0
LoadResource.KERNEL32(?,00000000,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F), ref: 00F5D937
SizeofResource.KERNEL32(?,00000000,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F), ref: 00F5D94C
LockResource.KERNEL32(00F24D8E,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F,00000000), ref: 00F5D95F

Strings

SCRIPT, xrefs: 00F24EA6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bbe88b14d822582d6fd98f902a1545bdb3aed690b18c0fc9f205a28331271a75
Instruction ID: 31c61e8cb2b32800c880dbb7e097db5a0037cefbfc16e4178916f64b96884276
Opcode Fuzzy Hash: bbe88b14d822582d6fd98f902a1545bdb3aed690b18c0fc9f205a28331271a75
Instruction Fuzzy Hash: B8115EB5641704BFE7218BA5EC48F677BBAFBC6B11F104268F4058A250DBA1EC04AA60

Function 00F2FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: eae20e7045e1093ed31976a105671283ccc4822db306391ce2430aea70a9857a
Instruction ID: e70e1550e442a7b2ec70be62140cad93824a02dafa89895dede967170d130aad
Opcode Fuzzy Hash: eae20e7045e1093ed31976a105671283ccc4822db306391ce2430aea70a9857a
Instruction Fuzzy Hash: CF928E71A083418FD724DF14C490B2ABBF1BF85324F14896DE89A8B352DB75EC45EB92

Function 00F8445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F5E398), ref: 00F8446A
FindFirstFileW.KERNELBASE(?,?), ref: 00F8447B
FindClose.KERNEL32(00000000), ref: 00F8448B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 23d8fa105ebd6f6b07fe925250af65e21e8e130cf2394acffb6475253ec5f39f
Instruction ID: 74b5928d2591ce3ae7f2b2f578d5766c6ebbebd3a8c55674cd71f845bab2cb7d
Opcode Fuzzy Hash: 23d8fa105ebd6f6b07fe925250af65e21e8e130cf2394acffb6475253ec5f39f
Instruction Fuzzy Hash: 64E0D873810505674210BB78EC0D5E97B9C9E06335F100715FC36C10E0E7B46D04B695

Function 00F2E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F63E62

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 70c832054f47ada76d737c79f320c03e44e272faa0acc41720377ce97e4e88f4
Instruction ID: 883dcb24275a881c7a78c773414d1ece71a9869c87d4f8fedacca77af6a4856b
Opcode Fuzzy Hash: 70c832054f47ada76d737c79f320c03e44e272faa0acc41720377ce97e4e88f4
Instruction Fuzzy Hash: 46A28C75E00229CFCB24CF54E880AAAB7B1FF59320F748069E915AB351D775ED42EB90

Function 00F309D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F30A5B
timeGetTime.WINMM ref: 00F30D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F30E53
Sleep.KERNEL32(0000000A), ref: 00F30E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F30EFA
DestroyWindow.USER32 ref: 00F30F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F30F20
Sleep.KERNEL32(0000000A,?,?), ref: 00F64E83
TranslateMessage.USER32(?), ref: 00F65C60
DispatchMessageW.USER32(?), ref: 00F65C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F65C82

Strings

@COM_EVENTOBJ, xrefs: 00F654F0
@GUI_WINHANDLE, xrefs: 00F64F8F
@TRAY_ID, xrefs: 00F6578F
@GUI_CTRLID, xrefs: 00F64F3A
@GUI_CTRLHANDLE, xrefs: 00F64FE4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 6e004723bb457841f99bad54654c057b9dbcc8fe83e615d37654429985ea1431
Instruction ID: a669ab38f91045ae92e25e122a2b40622bbbb464e75356220a5ea95840a9716f
Opcode Fuzzy Hash: 6e004723bb457841f99bad54654c057b9dbcc8fe83e615d37654429985ea1431
Instruction Fuzzy Hash: 63B20470A08741DFD724DF24C894BAAB7E0BF85724F14491EF4899B2A1CB75E884FB52

Function 00F89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F88F5F: __time64.LIBCMT ref: 00F88F69

Part of subcall function 00F24EE5: _fseek.LIBCMT ref: 00F24EFD

__wsplitpath.LIBCMT ref: 00F89234

Part of subcall function 00F440FB: __wsplitpath_helper.LIBCMT ref: 00F4413B

_wcscpy.LIBCMT ref: 00F89247
_wcscat.LIBCMT ref: 00F8925A
__wsplitpath.LIBCMT ref: 00F8927F
_wcscat.LIBCMT ref: 00F89295
_wcscat.LIBCMT ref: 00F892A8

Part of subcall function 00F88FA5: _memmove.LIBCMT ref: 00F88FDE
Part of subcall function 00F88FA5: _memmove.LIBCMT ref: 00F88FED

_wcscmp.LIBCMT ref: 00F891EF

Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89824
Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F89452
_wcsncpy.LIBCMT ref: 00F894C5
DeleteFileW.KERNEL32(?,?), ref: 00F894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F89511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F89522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F89534

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0050c357ebf9289375aaa194f00e3b1d53f75133e045a17fa79182c4843e68e1
Instruction ID: b109fbda7f0564dba50e542d915746ffaf735ee068482c2d2ce509508903f706
Opcode Fuzzy Hash: 0050c357ebf9289375aaa194f00e3b1d53f75133e045a17fa79182c4843e68e1
Instruction Fuzzy Hash: A5C15FB1D04119AADF21EF94CC81AEEBBBDEF45310F0440A6F609E7141EB749A449F65

Function 00F23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23074
RegisterClassExW.USER32(00000030), ref: 00F2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
LoadIconW.USER32(000000A9), ref: 00F230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

0, xrefs: 00F23056
TaskbarCreated, xrefs: 00F230A4
AutoIt v3 GUI, xrefs: 00F23090
+, xrefs: 00F2305D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30c550b2a377cbb9af1a2a6372783cb807671fb248c07cdd3ea34b0cacf62dd2
Instruction ID: f28aaf30dd3bf911240aa3191eb4a6cbb29aa39263b93e6497ac165e8d58e7ab
Opcode Fuzzy Hash: 30c550b2a377cbb9af1a2a6372783cb807671fb248c07cdd3ea34b0cacf62dd2
Instruction Fuzzy Hash: 223129B18413499FDB10CFE4D885A99BBF0FB0A714F14452EE580EA2A0D3B50549DF51

Function 00F23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23074
RegisterClassExW.USER32(00000030), ref: 00F2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
LoadIconW.USER32(000000A9), ref: 00F230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

0, xrefs: 00F23056
TaskbarCreated, xrefs: 00F230A4
AutoIt v3 GUI, xrefs: 00F23090
+, xrefs: 00F2305D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d6930044428889f58b7e2f646563281c433c4e0e38296a2b01a6c1827db936cf
Instruction ID: 3a8966bf26676e157e3d900fd9912feac8cb96941e60960bf6fe13841ff0c204
Opcode Fuzzy Hash: d6930044428889f58b7e2f646563281c433c4e0e38296a2b01a6c1827db936cf
Instruction Fuzzy Hash: 3621C8B1D1125CAFDB10DFD4EC89B9DBBF4FB09704F00812AF611AA2A0D7B14548AF95

Function 00F2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F24706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE52F8,?,00F237AE,?), ref: 00F24724

Part of subcall function 00F4050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F27165), ref: 00F4052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F5E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F5E909
RegCloseKey.ADVAPI32(?), ref: 00F5E947
_wcscat.LIBCMT ref: 00F5E9A0

Strings

\, xrefs: 00F5E9C3
\Include\, xrefs: 00F27165
Include, xrefs: 00F5E8BF, 00F5E900
Software\AutoIt v3\AutoIt, xrefs: 00F2719E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: edb74618d526885d669a75a52eb2b685f594303f9548fdc05436aa065fea971a
Instruction ID: 8f018cf05af6cb5924aeeac25a62749f801253b8c115f5db7652ae53650ea265
Opcode Fuzzy Hash: edb74618d526885d669a75a52eb2b685f594303f9548fdc05436aa065fea971a
Instruction Fuzzy Hash: 4871CF719083599EC704EF25EC8199BBBE8FF94390B40052EF644CB1B0DB349948EB92

Function 00F23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F23A5F
LoadIconW.USER32(00000063), ref: 00F23A76
LoadIconW.USER32(000000A4), ref: 00F23A88
LoadIconW.USER32(000000A2), ref: 00F23A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F23AC0
RegisterClassExW.USER32(?), ref: 00F23B16

Part of subcall function 00F23041: GetSysColorBrush.USER32(0000000F), ref: 00F23074
Part of subcall function 00F23041: RegisterClassExW.USER32(00000030), ref: 00F2309E
Part of subcall function 00F23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
Part of subcall function 00F23041: InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
Part of subcall function 00F23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
Part of subcall function 00F23041: LoadIconW.USER32(000000A9), ref: 00F230F2
Part of subcall function 00F23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

0, xrefs: 00F23AF4
#, xrefs: 00F23AFB
AutoIt v3, xrefs: 00F23B05

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2735347111a16339b9b3222d695b98d446f202d9b1f6b6e5afa18bc99e79e7d
Instruction ID: 9f34a08de38b83adb21c1e8473b502782d657991be622684a91162131b9ed454
Opcode Fuzzy Hash: e2735347111a16339b9b3222d695b98d446f202d9b1f6b6e5afa18bc99e79e7d
Instruction Fuzzy Hash: 72214DB1D0135CAFEB10DFA4EC89B9D7BB4FB09B19F000129E600AE2A1D3B55544AF95

Function 00F23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F236D2
KillTimer.USER32(?,00000001), ref: 00F236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F2372A
CreatePopupMenu.USER32 ref: 00F2373E
PostQuitMessage.USER32(00000000), ref: 00F2374D

Strings

TaskbarCreated, xrefs: 00F23725

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f8a40d6c19030b381a31fd80104f16ab83ba2fabd489a1a335230a113e0be6a7
Instruction ID: 8ca9cd4e02c476a894fce541cd3a2d38d4c9d4b501cfd8a89feec49588189943
Opcode Fuzzy Hash: f8a40d6c19030b381a31fd80104f16ab83ba2fabd489a1a335230a113e0be6a7
Instruction Fuzzy Hash: BD417AF260455DBBDF246FA4FC49F793B58EB01715F100125FA02CA2B2CA6D9E09B761

Function 00F23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00F238A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F237AE
/AutoIt3OutputDebug, xrefs: 00F23892
CMDLINE, xrefs: 00F23822
CMDLINERAW, xrefs: 00F237FB
/AutoIt3ExecuteScript, xrefs: 00F238BC
/ErrorStdOut, xrefs: 00F2387D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 586892d9ba6f2bcbcb1a41f0bf05eac19eb566cfebf69456168701e7a2e72142
Instruction ID: a008ce2e4f4df65e8824aa0100851cfc8d4f3f63b6893aa91319640c020accca
Opcode Fuzzy Hash: 586892d9ba6f2bcbcb1a41f0bf05eac19eb566cfebf69456168701e7a2e72142
Instruction Fuzzy Hash: 4BA16FB2D0062D9ADF04EBE0EC91AEEB779BF15710F440429F515B7191DF78AA08EB60

Function 016E9240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016E9311
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016E9537

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: e811d57c7c4c94d9da0ad8d00df453114f5e5d4fe024bf22f6fa36e57711ed71
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 15A10A74E02209EBDB14CFA4C898BEEBBB5BF48308F208259E505BB381D7759A45CF55

Function 00F239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F23A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F23A24
ShowWindow.USER32(00000000,?,?), ref: 00F23A38
ShowWindow.USER32(00000000,?,?), ref: 00F23A41

Strings

edit, xrefs: 00F23A1E
AutoIt v3, xrefs: 00F239FB, 00F23A00, 00F23A01

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 654942755ef675d4dbfac3aad0e1c3499163482c1eda2b478a355bbece41b7f1
Instruction ID: 10dc9837debf63646ad7827a2c02767445bc3d045bed1513612a6a52d518d34e
Opcode Fuzzy Hash: 654942755ef675d4dbfac3aad0e1c3499163482c1eda2b478a355bbece41b7f1
Instruction Fuzzy Hash: 99F03AB06012D87EEB3057A3AC88E7B3E7DD7C7F54B00002ABB00AA171C2610840EAB0

Function 016E9020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016E8F10: Sleep.KERNELBASE(000001F4), ref: 016E8F21

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016E912F

Strings

GZ3TRLEJDIFWFXO2, xrefs: 016E9192, 016E9195

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: CreateFileSleep
String ID: GZ3TRLEJDIFWFXO2
API String ID: 2694422964-3145963012
Opcode ID: 77132aca0bc992af26709ddc114db02279ca6d5814d0ae99fd1c4d9f1947acae
Instruction ID: 7b7388b64ffcf9cd6e18ddf230cdfaf4e5388982a8dab007099a5dcfcc2c3359
Opcode Fuzzy Hash: 77132aca0bc992af26709ddc114db02279ca6d5814d0ae99fd1c4d9f1947acae
Instruction Fuzzy Hash: DF519370D05249EAEF11DBA4CC48BEEBBB5AF15304F00419DE608BB2C0D7795B49CB65

Function 00F2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F5D3D7

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

_memset.LIBCMT ref: 00F240FC
_wcscpy.LIBCMT ref: 00F24150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F24160

Strings

Line: , xrefs: 00F5D400

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: e81e9cc80306d2237b6bb39758899e0ed819188778526a832e8c84c3f3844b27
Instruction ID: 60e105ad8c737f1b8fba964b9d8c3ec6085884669c59fd5dcd1a229c6380a0ae
Opcode Fuzzy Hash: e81e9cc80306d2237b6bb39758899e0ed819188778526a832e8c84c3f3844b27
Instruction Fuzzy Hash: 4931F371408354AFD721EB60EC46FDB77E8AF44714F10451EF6858A0A1EB78A648E793

Function 00F4541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F4547B
_memcpy_s.LIBCMT ref: 00F454ED
__read_nolock.LIBCMT ref: 00F4554B
__filbuf.LIBCMT ref: 00F4556E
_memset.LIBCMT ref: 00F455B2

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 36b9030249516e7753f96c6d53ded7254f40c430b08644668573469e4b8e72ba
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2151D971E00B059BDB24EEA5DC4067E7FB2AF40B35F288729FC259A2D2D7749D50AB40

Function 00F2686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F24DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E0F

_free.LIBCMT ref: 00F5E263
_free.LIBCMT ref: 00F5E2AA

Part of subcall function 00F26A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F26BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F5E039
Bad directive syntax error, xrefs: 00F5E292

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4baf16a7020d91735abd417e99c43338b6195c4b40401203a87fd2b5225c9249
Instruction ID: d8bba779fe42d544a0e02b9587850c96d2b534fd77b12b324b1b13ecc003af16
Opcode Fuzzy Hash: 4baf16a7020d91735abd417e99c43338b6195c4b40401203a87fd2b5225c9249
Instruction Fuzzy Hash: 1E917171D042299FCF08EFA4DC419EDB7B4FF19310F14442AF915AB2A1DB78AA19EB50

Function 00F235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F235A1,SwapMouseButtons,00000004,?), ref: 00F235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F235A1,SwapMouseButtons,00000004,?,?,?,?,00F22754), ref: 00F235F5
RegCloseKey.KERNELBASE(00000000,?,?,00F235A1,SwapMouseButtons,00000004,?,?,?,?,00F22754), ref: 00F23617

Strings

Control Panel\Mouse, xrefs: 00F235D2

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 70641f0e8ec752213c37f14ffcbfadf0087686f12714f85280a3ad350fb6ed86
Instruction ID: 1b7708b71c86be629124d0dfb966f7065feec0f436cadfdd488c7cf8db3115b7
Opcode Fuzzy Hash: 70641f0e8ec752213c37f14ffcbfadf0087686f12714f85280a3ad350fb6ed86
Instruction Fuzzy Hash: F9115EB1910218BFDB208FA4EC40EAFBBBCEF05750F018469F805D7210D2719F44A760

Function 016E7F10 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016E873D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E8761
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E8783

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: 17c859ccc04e3ee072dc841acef9b1f93fa266e1a9893f14b57d732722a2836d
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: A7621930A15258DAEB24CFA4CC44BEEB776EF58300F1091A9D50DEB390E7769E81CB59

Function 00F8955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F24EE5: _fseek.LIBCMT ref: 00F24EFD

Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89824
Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89837

_free.LIBCMT ref: 00F896A2
_free.LIBCMT ref: 00F896A9
_free.LIBCMT ref: 00F89714

Part of subcall function 00F42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F49A24), ref: 00F42D69
Part of subcall function 00F42D55: GetLastError.KERNEL32(00000000,?,00F49A24), ref: 00F42D7B

_free.LIBCMT ref: 00F8971C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 05ae458246f1e73cd22ef7d20675e96b93dbefc8a746c37e61cbe8170d566134
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 66515FB1D04218AFDF249F64DC81AEEBBB9EF48310F1404AEF609A7241DB755A80DF58

Function 00F4470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F447A0
__flush.LIBCMT ref: 00F447C0
__write.LIBCMT ref: 00F447F3
__flsbuf.LIBCMT ref: 00F44821

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: c135e471234d94a450564b615919a1a71b7c869286d77b695a9102c8779dfbc3
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 0741A275E007469BDB188F69C880BAE7FA5AF41374B24853DEC15E7680EB74ED42AB40

Function 00F244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F244CF

Part of subcall function 00F2407C: _memset.LIBCMT ref: 00F240FC
Part of subcall function 00F2407C: _wcscpy.LIBCMT ref: 00F24150
Part of subcall function 00F2407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F24160

KillTimer.USER32(?,00000001,?,?), ref: 00F24524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F24533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F5D4B9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 7c42ec5cf68346d803c7f3d6f1fda159183e617a29c62584966001cc617b6e23
Instruction ID: 80331a0766228090049ca612086770d2f615942af5cc46cf08dde9a25cda4362
Opcode Fuzzy Hash: 7c42ec5cf68346d803c7f3d6f1fda159183e617a29c62584966001cc617b6e23
Instruction Fuzzy Hash: 4E21D7B19057949FE732CB24DC56BE6BBEC9F06319F04009DEBDE5A141C3B42988EB51

Function 00F27285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F5EA83

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F40791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Strings

X, xrefs: 00F5EA51

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ad1577035cd697239f959acce13d216b61013a647f60c26479064e473bb9c4e7
Instruction ID: 08790c760c06beaf18bbb9c46ca8051d7483a0a873fe5c287904980b79ba9200
Opcode Fuzzy Hash: ad1577035cd697239f959acce13d216b61013a647f60c26479064e473bb9c4e7
Instruction Fuzzy Hash: FE21F331A002589BCB01DF94DC45BEE7BF9AF49311F00401AE908EB241DBB8598DAFA1

Function 00F88D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F88DAC
__fread_nolock.LIBCMT ref: 00F88DC1

Strings

EA06, xrefs: 00F88DF3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c3fb460435d9dcb54da087ebcc1f13d5900604332bb950123dc7350df5d38bdf
Instruction ID: 1fd03f48ca8247819a79851309bd0e14e7523b375a699df3e0d8d272044787b4
Opcode Fuzzy Hash: c3fb460435d9dcb54da087ebcc1f13d5900604332bb950123dc7350df5d38bdf
Instruction Fuzzy Hash: DF01F972C042187FDB18DBA8CC16EFE7BF8DB11711F00419BF552D2281E878E6049760

Function 00F898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F8990F

Strings

aut, xrefs: 00F89909

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f40821baddb8f70b9322987b279ef45d6f58609321e8e0dba30f1db063f1f066
Instruction ID: 1da4206ef980fcce9b92928d7158e3e3dce41676e3c85015a5ab9b9796bda10d
Opcode Fuzzy Hash: f40821baddb8f70b9322987b279ef45d6f58609321e8e0dba30f1db063f1f066
Instruction Fuzzy Hash: 4ED05EB958030DABDB509BE0DC0EFDA777CE704701F0002B1BA94951A1EAB09599AB91

Function 00F9CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc3cbb8c9ceaea407ced62866595cc85e93dbba587ffbbb57757b8cc0e49b1a
Instruction ID: 908a2f5276013c8cd5bc457f03d678d37383cb67656e83156f2d725beb4983fa
Opcode Fuzzy Hash: 9fc3cbb8c9ceaea407ced62866595cc85e93dbba587ffbbb57757b8cc0e49b1a
Instruction Fuzzy Hash: 2BF17B71A083009FDB14DF28C880A6ABBE5FF89314F54892EF8998B351D734E945DF82

Function 00F2F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F40162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F40193
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F4019B
Part of subcall function 00F40162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F401A6
Part of subcall function 00F40162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F401B1
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F401B9
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F401C1

Part of subcall function 00F360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F2F930), ref: 00F36154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F2F9CD
OleInitialize.OLE32(00000000), ref: 00F2FA4A
CloseHandle.KERNEL32(00000000), ref: 00F645C8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4266ea91a236228e73531dc0567a11329ad916952b191c2ced551c5fc7a9b618
Instruction ID: 534b792b82cae8f78eb389ded095ba1df609634a186f55a420c0558920f0241a
Opcode Fuzzy Hash: 4266ea91a236228e73531dc0567a11329ad916952b191c2ced551c5fc7a9b618
Instruction Fuzzy Hash: 1A81A2B0901BCDCEC784DF69ADA06597BE6FB48B0E754812A9119CF2B2E7744484BF11

Function 00F2434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F24370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F24415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F24432

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 09c706e267a8a9c7b39759a689f71bc7e1c3f485c0eb479f33146987f516aaf3
Instruction ID: 9844d76353c89e044947ff76894a231e8a56d72f42c5697bb3b197f19b6ae583
Opcode Fuzzy Hash: 09c706e267a8a9c7b39759a689f71bc7e1c3f485c0eb479f33146987f516aaf3
Instruction Fuzzy Hash: F531A7B0904711CFD721DF74E88469BBBF8FB48718F00092EFA9A86251D7B57944EB52

Function 00F4571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F45733

Part of subcall function 00F4A16B: __NMSG_WRITE.LIBCMT ref: 00F4A192
Part of subcall function 00F4A16B: __NMSG_WRITE.LIBCMT ref: 00F4A19C

__NMSG_WRITE.LIBCMT ref: 00F4573A

Part of subcall function 00F4A1C8: GetModuleFileNameW.KERNEL32(00000000,00FE33BA,00000104,?,00000001,00000000), ref: 00F4A25A
Part of subcall function 00F4A1C8: ___crtMessageBoxW.LIBCMT ref: 00F4A308

Part of subcall function 00F4309F: ___crtCorExitProcess.LIBCMT ref: 00F430A5
Part of subcall function 00F4309F: ExitProcess.KERNEL32 ref: 00F430AE

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

RtlAllocateHeap.NTDLL(01450000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a64271dc4cc41c4c3ec70ed97dac42bfe6fa6b6b11ed1113777ea121a684fa9a
Instruction ID: 655a654b0c05fbf1e73956f859bc35ae908e92c1c7072652239928ace4d1b64a
Opcode Fuzzy Hash: a64271dc4cc41c4c3ec70ed97dac42bfe6fa6b6b11ed1113777ea121a684fa9a
Instruction Fuzzy Hash: 6F019236640A0ADFE6103B78AC8AB6E7F589F82B71F100535FD559B183DE789C017A61

Function 00F898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F89548,?,?,?,?,?,00000004), ref: 00F898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F89548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F898D1
CloseHandle.KERNEL32(00000000,?,00F89548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F898D8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1639f25513139322ea92babe708f29023efa2f9f36beabe8549b1ecffd4d1547
Instruction ID: 3c31b88b1cd179190f4e795f64cf859e77ab4c48519dedafbe3c4f6bd94d6f4e
Opcode Fuzzy Hash: 1639f25513139322ea92babe708f29023efa2f9f36beabe8549b1ecffd4d1547
Instruction Fuzzy Hash: 13E08632240218BBDB312B94EC09FDA7B19AB07770F144120FB546D0E087B11515A798

Function 00F88D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F88D1B

Part of subcall function 00F42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F49A24), ref: 00F42D69
Part of subcall function 00F42D55: GetLastError.KERNEL32(00000000,?,00F49A24), ref: 00F42D7B

_free.LIBCMT ref: 00F88D2C
_free.LIBCMT ref: 00F88D3E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 4928b61a7d792f2532eef0a07ccd600483eec09604c0cd5c9e284f84c824c777
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 48E012A2E0160146DB64B578AD40AD367EC4F583E2F94092DBC0DD7186DE68F883A224

Function 00F2A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F5FC01

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 25ae6bca25eb83d761c0a470e63bb3d390e4e2a5fd8bb97809e7423cee271658
Instruction ID: 3911720595b6af67cd31563688410df1fc2ed80e2c122aca3db6a518deaaf9fd
Opcode Fuzzy Hash: 25ae6bca25eb83d761c0a470e63bb3d390e4e2a5fd8bb97809e7423cee271658
Instruction Fuzzy Hash: 66225B71908311DFC724DF14D894B2ABBE1BF84310F14896DE99A8B362DB75EC45EB82

Function 00F24C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F24CBA

Strings

EA06, xrefs: 00F5D8CC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 55c9153117ac0282489358c99aebde71b4cd3f66771090d2959a47eaa49bb6b5
Instruction ID: 57af9b8545bb9544c6d462654a2b29b78b697766759b478eecb306acd248c776
Opcode Fuzzy Hash: 55c9153117ac0282489358c99aebde71b4cd3f66771090d2959a47eaa49bb6b5
Instruction Fuzzy Hash: 69417C32E0417857DF229B64FC517BE7FA29B45310FA84464EC82DB287D6B4BD44B3A1

Function 00F27A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F27AAB
_memmove.LIBCMT ref: 00F27B16

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: b9aa283ec74f9502e3f4fe0f0890a782e53e97004b9f6f8186bb4b45ceacfe1b
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 5331C9B2604616AFC704DF68D8D1E69B3A5FF483207148629E919CB391DB34E950DB90

Function 00F247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F24834

Part of subcall function 00F4336C: __lock.LIBCMT ref: 00F43372
Part of subcall function 00F4336C: DecodePointer.KERNEL32(00000001,?,00F24849,00F77C74), ref: 00F4337E
Part of subcall function 00F4336C: EncodePointer.KERNEL32(?,?,00F24849,00F77C74), ref: 00F43389

Part of subcall function 00F248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F24915
Part of subcall function 00F248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F2492A

Part of subcall function 00F23B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F23B68
Part of subcall function 00F23B3A: IsDebuggerPresent.KERNEL32 ref: 00F23B7A
Part of subcall function 00F23B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE52F8,00FE52E0,?,?), ref: 00F23BEB
Part of subcall function 00F23B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F23C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F24874

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1fc4ba7dfc19653d0d97283410d1f2077312b12f11f9a904abf3cc9dc55d1dba
Instruction ID: 40f5c4dee90cbb87c4d8c098409e9a24cb501f2ad04f6dd4106519810c0acef3
Opcode Fuzzy Hash: 1fc4ba7dfc19653d0d97283410d1f2077312b12f11f9a904abf3cc9dc55d1dba
Instruction Fuzzy Hash: 7F11DF718093999FC700EF68EC8594ABFE8EF99B54F10451EF5408B2B1DBB49508EB82

Function 00F40DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F4571C: __FF_MSGBANNER.LIBCMT ref: 00F45733
Part of subcall function 00F4571C: __NMSG_WRITE.LIBCMT ref: 00F4573A
Part of subcall function 00F4571C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

std::exception::exception.LIBCMT ref: 00F40DEC
__CxxThrowException@8.LIBCMT ref: 00F40E01

Part of subcall function 00F4859B: RaiseException.KERNEL32(?,?,?,00FD9E78,00000000,?,?,?,?,00F40E06,?,00FD9E78,?,00000001), ref: 00F485F0

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 19f072291f05b2487f0dc00ed651cc2a32844d08b3543cddb51960984aa7e236
Instruction ID: 931d50d8ad15a28c167495ebdaa94005c3f4b95c6e260bae332b49877d9b811d
Opcode Fuzzy Hash: 19f072291f05b2487f0dc00ed651cc2a32844d08b3543cddb51960984aa7e236
Instruction Fuzzy Hash: FFF0C83190431E66CB10FAA9EC019DF7FBC9F05361F10082AFE0496292DFB49A55F6D1

Function 00F455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F4562C
__lock_file.LIBCMT ref: 00F4564D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 832750978e4e4f1c3b2583dd04314d53ce4d36b1a53249b6ddb5c5c11e909272
Instruction ID: 8a9b23c57f114af0c659d81e8fbf3be73f91600c3067ccfe56a4e17c186cd92d
Opcode Fuzzy Hash: 832750978e4e4f1c3b2583dd04314d53ce4d36b1a53249b6ddb5c5c11e909272
Instruction Fuzzy Hash: A901F771C01A08EBCF12BFA48C0649E7F71AF92B61F454115FC141B192DB398A52FF92

Function 00F453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

__lock_file.LIBCMT ref: 00F453EB

Part of subcall function 00F46C11: __lock.LIBCMT ref: 00F46C34

__fclose_nolock.LIBCMT ref: 00F453F6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ca3597e26b3233154a58c3d35f04f3137a31f66b2a8e371e1fe8b48bab06a838
Instruction ID: 97ae9fcf4d7e8ad9a1c9ca2e0074af1326a3ac7efb423b7977ca65bdaa79d78b
Opcode Fuzzy Hash: ca3597e26b3233154a58c3d35f04f3137a31f66b2a8e371e1fe8b48bab06a838
Instruction Fuzzy Hash: 3CF09631C01A049BDB11BF659C057BD7EA16F41BB5F248105AC64AB1C2CBBC8946BB52

Function 016E7F0D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016E873D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E8761
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E8783

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: e6dae1c1f70e5c26a19a9ba460333d73cb32cdf806c0ed22a0ffc021ff25cccf
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 9412EE20E24658C6EB24DF64D8507DEB272EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00F2750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F275EA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5d0d18f021392680568856eb7cd6bad9056389dd402f537116c8c5f556646942
Instruction ID: 26f632b36e6d113964277f6c8f6f464d3c1bce9dc9e9578234dc7da96b3b3f83
Opcode Fuzzy Hash: 5d0d18f021392680568856eb7cd6bad9056389dd402f537116c8c5f556646942
Instruction Fuzzy Hash: A331A775608B129FC714EF19D451A22F7B0FF09320718C569E98A8B751DB30E891EB84

Function 00F40C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F40CB7

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 31721ba04f4a8413c91dbf0e88335dd1e56b6faa20f76c1c9751526bee5e985b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2D31C071A00106DBD718DF58D4C4A69FBB6FB99310B6486A5EA0ACB351DA31EDC1EBC0

Function 00F5FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F5FCB7

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1ce5f48c605a1b6dfe84373a340d416284c82325fe6685162d042091d8425a92
Instruction ID: c076d583ac90f65ab9b44ad081f5b9e4160f5968849c991c99be48c4a65a531d
Opcode Fuzzy Hash: 1ce5f48c605a1b6dfe84373a340d416284c82325fe6685162d042091d8425a92
Instruction Fuzzy Hash: 304138749083518FDB24DF24C444B1ABBE0BF45314F0988ACE9998B362C735EC49DF52

Function 00F27B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F27BB3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ef202d80b6ee415e9c96598684154b05afc0aafba1fbc4e658cc03fc3b0b689e
Instruction ID: 44cb84651851600702e5f230a477ec11d5fb0e99067dc1a3fc40de10ea5a7a48
Opcode Fuzzy Hash: ef202d80b6ee415e9c96598684154b05afc0aafba1fbc4e658cc03fc3b0b689e
Instruction Fuzzy Hash: C8214172A04B19EBDB189F21FC417AA7BB4FB54352F20842EE986C50A0EB30C2D4F741

Function 00F406FE Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f65a85b0e33d6ec83d75462d6ee50944f4570b4a64ac6ba1b0b9d44d7317595e
Instruction ID: d94cbd5393499c822466e1d4538ac683231dd58725c0dbf8160a3c85d74f6037
Opcode Fuzzy Hash: f65a85b0e33d6ec83d75462d6ee50944f4570b4a64ac6ba1b0b9d44d7317595e
Instruction Fuzzy Hash: D5113B7E0063019FC322AB75DC42AD6BBD4FF81710B06809EFC4547812CB705D66EB91

Function 00F24DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F24BEF

Part of subcall function 00F4525B: __wfsopen.LIBCMT ref: 00F45266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E0F

Part of subcall function 00F24B6A: FreeLibrary.KERNEL32(00000000), ref: 00F24BA4

Part of subcall function 00F24C70: _memmove.LIBCMT ref: 00F24CBA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a0a4a1be3a355404276e52e0acbfc38d6797c3a8d244183aef8b89825ebe5731
Instruction ID: c19bcf08a823c9ed10121d815dd4a0a241fd8a0dc73f32bbc6469becd92148f5
Opcode Fuzzy Hash: a0a4a1be3a355404276e52e0acbfc38d6797c3a8d244183aef8b89825ebe5731
Instruction Fuzzy Hash: 40110A32600616ABDF20FF70DC16FAD77A8AF84710F108429F941AB181DBF9AA04BB51

Function 00F5FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F5FD91

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f0d57ae95e90d209b797d5b7e0f5bb0995bba4574619f2e6d5edecba60307907
Instruction ID: 20ab8bf0c669aa7c11cc567739bd38668e03415d24442e52439ad12d691f2f2a
Opcode Fuzzy Hash: f0d57ae95e90d209b797d5b7e0f5bb0995bba4574619f2e6d5edecba60307907
Instruction Fuzzy Hash: 892125B4908311DFCB14DF64D844B1ABBE1BF88314F05896CF98A5B722D735E819EB92

Function 00F44863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F448A6

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2a17bd2e95f006d0f3616854aa722eca517283bc04a2f87b9eceed7dd6e9d0c5
Instruction ID: e33532d8d3c068948f9faf5184cb1e0062640dfea8ecb22df209b6c7c8a35989
Opcode Fuzzy Hash: 2a17bd2e95f006d0f3616854aa722eca517283bc04a2f87b9eceed7dd6e9d0c5
Instruction Fuzzy Hash: D0F0AF31D01609ABDF11AFA48C067EE3EA1AF01366F158414BC24AA192CBBC9952FB52

Function 00F24E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E7E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 58b557bf9a706a3219cd5135c25dbea86904ed46dcdf8a69a553eaa7afa947b3
Instruction ID: 74aef5c00bc3348cf4eeba9147c24a858232c1365f6897c9b80afdb7b5bb8df4
Opcode Fuzzy Hash: 58b557bf9a706a3219cd5135c25dbea86904ed46dcdf8a69a553eaa7afa947b3
Instruction Fuzzy Hash: 98F03071501B21CFDB349F64E494812BBE1BF14339311893EE1D682610C7B1A844EF40

Function 00F40791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 96c06bb91f9bd58ade712dee0fd84f769648f9c3ad415205112c1fbe195743fd
Instruction ID: 7b27c3d274b2727d5dde519bd046d4e87115396847c4e5414eb387cc7cbee273
Opcode Fuzzy Hash: 96c06bb91f9bd58ade712dee0fd84f769648f9c3ad415205112c1fbe195743fd
Instruction Fuzzy Hash: 84E07D329012281BC720E2989C05FEA73DCEFC83A1F0401B5FC0CC7208D964AC8086D0

Function 00F88E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F88EC1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 40ee7a6068690eba4e95c852b192073c3011d6924d9a1df2c22ec2afcc623c49
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D6E092B0504B045BD7389A24D800BE377E1AB05314F04081DF6AA93242EB6278429759

Function 00F4525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F45266

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fca3b726430174ceb7858023a365da14cbe7ba74c518cc41b0d703133ccc82ea
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 0DB0927644020C77CE012A82EC02A493F199B42B64F408021FF0C18162A6B7A664AA89

Function 016E8F0C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016E8F21

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 501e16321a267d958605d7faa4ce87aa9aeb9048fb237e62ec2a2617b464d653
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 4AE0BF7494510DEFDB00EFA8D94D6DE7BB4EF04301F1006A1FD05D7681DB309E548A62

Function 016E8F10 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016E8F21

Memory Dump Source

Source File: 00000000.00000002.2119923407.00000000016E6000.00000040.00000020.00020000.00000000.sdmp, Offset: 016E6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e6000_RFQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 57ca3ded23b12c09c6dd420b20ac8a88275048b1512b6536c96f2303c0961d96
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B8E0BF7494510D9FDB00EFA8D94D69E7BB4EF04301F100261FD0192281D6309D508A62

Non-executed Functions

Function 00FACABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FACB95
GetWindowLongW.USER32(?,000000F0), ref: 00FACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FACC00
SendMessageW.USER32 ref: 00FACC29
_wcsncpy.LIBCMT ref: 00FACC95
GetKeyState.USER32(00000011), ref: 00FACCB6
GetKeyState.USER32(00000009), ref: 00FACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FACCD9
GetKeyState.USER32(00000010), ref: 00FACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FACD0C
SendMessageW.USER32 ref: 00FACD33
SendMessageW.USER32(?,00001030,?,00FAB348), ref: 00FACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FACE60
SetCapture.USER32(?), ref: 00FACE69
ClientToScreen.USER32(?,?), ref: 00FACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FACEF5
ReleaseCapture.USER32 ref: 00FACF00
GetCursorPos.USER32(?), ref: 00FACF3A
ScreenToClient.USER32(?,?), ref: 00FACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FACFA3
SendMessageW.USER32 ref: 00FACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FAD00E
SendMessageW.USER32 ref: 00FAD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FAD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FAD06D
GetCursorPos.USER32(?), ref: 00FAD08D
ScreenToClient.USER32(?,?), ref: 00FAD09A
GetParent.USER32(?), ref: 00FAD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FAD123
SendMessageW.USER32 ref: 00FAD154
ClientToScreen.USER32(?,?), ref: 00FAD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FAD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FAD20C
SendMessageW.USER32 ref: 00FAD22F
ClientToScreen.USER32(?,?), ref: 00FAD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FAD2B5

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

GetWindowLongW.USER32(?,000000F0), ref: 00FAD351

Strings

@GUI_DRAGID, xrefs: 00FACE9C
F, xrefs: 00FAD235

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 69a60de2381d280ce36eca0f6d1116268847807c434d5677b2611304e7d4966e
Instruction ID: 83078ff80939538f611852d639b98d916169360468ea144ceb7015ee6cb23f39
Opcode Fuzzy Hash: 69a60de2381d280ce36eca0f6d1116268847807c434d5677b2611304e7d4966e
Instruction Fuzzy Hash: 5942D0B4504384AFDB24CF64C884BAABBE5FF8A760F140519F5958B2B1C731E944FBA1

Function 00F36F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F371C3
_memset.LIBCMT ref: 00F37539
_memmove.LIBCMT ref: 00F376AC

Strings

DEFINE, xrefs: 00F72103
\b(?<=\w), xrefs: 00F73773
Q\E, xrefs: 00F37FCB
[:<:]], xrefs: 00F37479
[:>:]], xrefs: 00F37492
\b(?=\w), xrefs: 00F73769

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 65845905be90c04d79c252b141d7973722e1fc628403bc076a8481f68b6f6d96
Instruction ID: a66675e8a8122841c4c60e19d23b284d053b5c7b29fc4adb1820bbdff14f9693
Opcode Fuzzy Hash: 65845905be90c04d79c252b141d7973722e1fc628403bc076a8481f68b6f6d96
Instruction Fuzzy Hash: F493A471E04319DBDB24DF58C881BADB7B1FF48320F24816BE949AB281E7749D81EB51

Function 00F248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5D665
IsIconic.USER32(?), ref: 00F5D66E
ShowWindow.USER32(?,00000009), ref: 00F5D67B
SetForegroundWindow.USER32(?), ref: 00F5D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5D69B
GetCurrentThreadId.KERNEL32 ref: 00F5D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F5D6CF
SetForegroundWindow.USER32(?), ref: 00F5D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D6E7
keybd_event.USER32(00000012,00000000), ref: 00F5D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D6FC
keybd_event.USER32(00000012,00000000), ref: 00F5D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D70A
keybd_event.USER32(00000012,00000000), ref: 00F5D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D719
keybd_event.USER32(00000012,00000000), ref: 00F5D71E
SetForegroundWindow.USER32(?), ref: 00F5D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F5D748

Strings

Shell_TrayWnd, xrefs: 00F5D660

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a948a22bdb63b8be771604aaf951bd86ca068211ae0cb770d963c0265fd5cab2
Instruction ID: bc132b1747c165955f94700f27a809fa8fcf983327569466891bb80d2ef8a409
Opcode Fuzzy Hash: a948a22bdb63b8be771604aaf951bd86ca068211ae0cb770d963c0265fd5cab2
Instruction Fuzzy Hash: 0F3180B1A4131CBFEB306BA19C49F7F3E6CEB45B61F144025FA04EA1D1C6B05905BAA1

Function 00F78310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
Part of subcall function 00F787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
Part of subcall function 00F787E1: GetLastError.KERNEL32 ref: 00F78865

_memset.LIBCMT ref: 00F78353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F783A5
CloseHandle.KERNEL32(?), ref: 00F783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F783CD
GetProcessWindowStation.USER32 ref: 00F783E6
SetProcessWindowStation.USER32(00000000), ref: 00F783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F7840A

Part of subcall function 00F781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F78309), ref: 00F781E0
Part of subcall function 00F781CB: CloseHandle.KERNEL32(?,?,00F78309), ref: 00F781F2

Strings

, xrefs: 00F78362
winsta0, xrefs: 00F783C8
default, xrefs: 00F78405

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e901f4d01a3bf7bc5f181bbecbeb3c4038fc8dd0faae64d530fe2eddb135f343
Instruction ID: b22c9e5b73916deed2d5c683400ffc471b1c981d41f01ac5adc2319716966a9a
Opcode Fuzzy Hash: e901f4d01a3bf7bc5f181bbecbeb3c4038fc8dd0faae64d530fe2eddb135f343
Instruction Fuzzy Hash: B28191B1C4020DAFDF11DFA4CC49AEE7B79EF04364F18806AF818A6261DB358E15EB11

Function 00F8C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8C78D
FindClose.KERNEL32(00000000), ref: 00F8C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F8C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F8C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F8C844
__swprintf.LIBCMT ref: 00F8C890
__swprintf.LIBCMT ref: 00F8C8D3

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

__swprintf.LIBCMT ref: 00F8C927

Part of subcall function 00F43698: __woutput_l.LIBCMT ref: 00F436F1

__swprintf.LIBCMT ref: 00F8C975

Part of subcall function 00F43698: __flsbuf.LIBCMT ref: 00F43713
Part of subcall function 00F43698: __flsbuf.LIBCMT ref: 00F4372B

__swprintf.LIBCMT ref: 00F8C9C4
__swprintf.LIBCMT ref: 00F8CA13
__swprintf.LIBCMT ref: 00F8CA62

Strings

%02d, xrefs: 00F8C91B, 00F8C925, 00F8C973, 00F8C9C2, 00F8CA11, 00F8CA60
%4d%02d%02d%02d%02d%02d, xrefs: 00F8C88A
%4d, xrefs: 00F8C8CD

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 278821226e7dd89082e8348eb781b82d49e93edcef9d3ef7ad493369e68f0bc6
Instruction ID: 60fec12469dabfbc21b0e864ca454ca4bb1a501fdab8d47e283e31e1eb3e94a1
Opcode Fuzzy Hash: 278821226e7dd89082e8348eb781b82d49e93edcef9d3ef7ad493369e68f0bc6
Instruction Fuzzy Hash: 8DA12BB2408315ABC704EFA4DC86DAFB7ECBF95700F400929F58587191EB78DA48DB62

Function 00F8EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F8EFB6
_wcscmp.LIBCMT ref: 00F8EFCB
_wcscmp.LIBCMT ref: 00F8EFE2
GetFileAttributesW.KERNEL32(?), ref: 00F8EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00F8F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00F8F026
FindClose.KERNEL32(00000000), ref: 00F8F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8F04D
_wcscmp.LIBCMT ref: 00F8F074
_wcscmp.LIBCMT ref: 00F8F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8F09D
SetCurrentDirectoryW.KERNEL32(00FD8920), ref: 00F8F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8F0C5
FindClose.KERNEL32(00000000), ref: 00F8F0D2
FindClose.KERNEL32(00000000), ref: 00F8F0E4

Strings

*.*, xrefs: 00F8F048

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: acfa6ab76ac80dbeaa6f79845d7d29391bf2316026503adbef4068d604623c45
Instruction ID: 6ee319be5fffb52015b28890b0017ff1dfa02476a60d40864a7f5ee7d56b64f7
Opcode Fuzzy Hash: acfa6ab76ac80dbeaa6f79845d7d29391bf2316026503adbef4068d604623c45
Instruction Fuzzy Hash: 5731E27290020D6EDB14ABA4DC48BEE77EC9F49360F140276E841E21A1DB70DA88EB61

Function 00FA0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FAF910,00000000,?,00000000,?,?), ref: 00FA09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FA0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FA0A92
RegCloseKey.ADVAPI32(?), ref: 00FA0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00FA0DBF

Strings

REG_QWORD, xrefs: 00FA0D00
REG_MULTI_SZ, xrefs: 00FA0B7A
REG_SZ, xrefs: 00FA0AD0
REG_EXPAND_SZ, xrefs: 00FA0A2F
REG_BINARY, xrefs: 00FA0D4D
REG_DWORD, xrefs: 00FA0C83

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 6fc8e3e4ac2f6ccdcf25883b1648e40021d10f7682018c46143965ccda922922
Instruction ID: a74a0b6c75f24dec4adf2550e0bdfb61331f84172ab444a818abdec7b4fba347
Opcode Fuzzy Hash: 6fc8e3e4ac2f6ccdcf25883b1648e40021d10f7682018c46143965ccda922922
Instruction Fuzzy Hash: CE0280756046119FCB14EF14D841E6AB7E5FF8A320F08846CF8899B362DB78ED45EB81

Function 00F8F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F8F113
_wcscmp.LIBCMT ref: 00F8F128
_wcscmp.LIBCMT ref: 00F8F13F

Part of subcall function 00F84385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F843A0

FindNextFileW.KERNEL32(00000000,?), ref: 00F8F16E
FindClose.KERNEL32(00000000), ref: 00F8F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8F195
_wcscmp.LIBCMT ref: 00F8F1BC
_wcscmp.LIBCMT ref: 00F8F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8F1E5
SetCurrentDirectoryW.KERNEL32(00FD8920), ref: 00F8F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8F20D
FindClose.KERNEL32(00000000), ref: 00F8F21A
FindClose.KERNEL32(00000000), ref: 00F8F22C

Strings

*.*, xrefs: 00F8F190

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5d5188e52c5e97c7e4fc1e40bd9730bea98f28cc7d85a746a510e8d8e506676c
Instruction ID: 1f8946d12b70cb4c50bb079f2ae78c0864673860ca9497be603c3bf0173d450b
Opcode Fuzzy Hash: 5d5188e52c5e97c7e4fc1e40bd9730bea98f28cc7d85a746a510e8d8e506676c
Instruction Fuzzy Hash: 0631E77690021E6EDF10BBA4EC59BEE77AC9F45370F140171E800E61A0DB30DE89EB65

Function 00F8A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F8A20F
__swprintf.LIBCMT ref: 00F8A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F8A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F8A293
_memset.LIBCMT ref: 00F8A2B2
_wcsncpy.LIBCMT ref: 00F8A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F8A323
CloseHandle.KERNEL32(00000000), ref: 00F8A32E
RemoveDirectoryW.KERNEL32(?), ref: 00F8A337
CloseHandle.KERNEL32(00000000), ref: 00F8A341

Strings

\??\%s, xrefs: 00F8A22B
\, xrefs: 00F8A247
:, xrefs: 00F8A252

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a4c0ca40a08546dc1b64a7bbba0f51a4ffe1ec6ffb6847c31e034da786e9a635
Instruction ID: bd842af9427f43700e0da1b6cc3f96f4dcb62bd59935e06bfbd2e4a45340c753
Opcode Fuzzy Hash: a4c0ca40a08546dc1b64a7bbba0f51a4ffe1ec6ffb6847c31e034da786e9a635
Instruction Fuzzy Hash: 2F31C5B1900209ABEB21DFA0DC49FEB37BCEF89750F1041B6FA09D6160EB7597449B25

Function 00F77CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F78202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F7821E
Part of subcall function 00F78202: GetLastError.KERNEL32(?,00F77CE2,?,?,?), ref: 00F78228
Part of subcall function 00F78202: GetProcessHeap.KERNEL32(00000008,?,?,00F77CE2,?,?,?), ref: 00F78237
Part of subcall function 00F78202: HeapAlloc.KERNEL32(00000000,?,00F77CE2,?,?,?), ref: 00F7823E
Part of subcall function 00F78202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F78255

Part of subcall function 00F7829F: GetProcessHeap.KERNEL32(00000008,00F77CF8,00000000,00000000,?,00F77CF8,?), ref: 00F782AB
Part of subcall function 00F7829F: HeapAlloc.KERNEL32(00000000,?,00F77CF8,?), ref: 00F782B2
Part of subcall function 00F7829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F77CF8,?), ref: 00F782C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F77D13
_memset.LIBCMT ref: 00F77D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F77D47
GetLengthSid.ADVAPI32(?), ref: 00F77D58
GetAce.ADVAPI32(?,00000000,?), ref: 00F77D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F77DB1
GetLengthSid.ADVAPI32(?), ref: 00F77DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F77DDD
HeapAlloc.KERNEL32(00000000), ref: 00F77DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F77E05
CopySid.ADVAPI32(00000000), ref: 00F77E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F77E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F77E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F77E77

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 76b2520324400d1b081eff8b062129e6b306a1444ac057bb4c6e5ad2d9c91ca6
Instruction ID: c295b94ed745e517a12fb88a733fe0be1e3923d7cc06324ac0d980476269e488
Opcode Fuzzy Hash: 76b2520324400d1b081eff8b062129e6b306a1444ac057bb4c6e5ad2d9c91ca6
Instruction Fuzzy Hash: 26616D71900209AFDF10DFA0DC44AEEBB79FF05310F04C16AF819AB291DB359A15EB61

Function 00F366E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 00F7114F
LIMIT_RECURSION=, xrefs: 00F711FC
UCP), xrefs: 00F7110D
NO_AUTO_POSSESS), xrefs: 00F7112E
ANY), xrefs: 00F712DE
CRLF), xrefs: 00F712C1
LF), xrefs: 00F712A4
CR), xrefs: 00F71287
BSR_ANYCRLF), xrefs: 00F7131E
UTF), xrefs: 00F710FA
UTF16), xrefs: 00F710CF
LIMIT_MATCH=, xrefs: 00F71170
BSR_UNICODE), xrefs: 00F71338
ANYCRLF), xrefs: 00F712FB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2682425fb2d8b3e145c6fc6064691a6879c8ef2dfd8580c355902ea9dcccaef8
Instruction ID: 56b84d628fc48fa74b194127e9236b4b2347c78e4e4daec40138b0ccca2b9188
Opcode Fuzzy Hash: 2682425fb2d8b3e145c6fc6064691a6879c8ef2dfd8580c355902ea9dcccaef8
Instruction Fuzzy Hash: A7726171E00219DBDF24CF58C8807AEB7B5FF48720F24C16AE849EB291DB749945EB91

Function 00F8001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F80097
SetKeyboardState.USER32(?), ref: 00F80102
GetAsyncKeyState.USER32(000000A0), ref: 00F80122
GetKeyState.USER32(000000A0), ref: 00F80139
GetAsyncKeyState.USER32(000000A1), ref: 00F80168
GetKeyState.USER32(000000A1), ref: 00F80179
GetAsyncKeyState.USER32(00000011), ref: 00F801A5
GetKeyState.USER32(00000011), ref: 00F801B3
GetAsyncKeyState.USER32(00000012), ref: 00F801DC
GetKeyState.USER32(00000012), ref: 00F801EA
GetAsyncKeyState.USER32(0000005B), ref: 00F80213
GetKeyState.USER32(0000005B), ref: 00F80221

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b2d1fc1c04607bf6c510b10124ee169458c035b0e7137864bc33c6f1780cde0
Instruction ID: fe87d7e031d8639df942ccc3d8dddcbbdeab0faac9bfbd506e90393ba4486172
Opcode Fuzzy Hash: 4b2d1fc1c04607bf6c510b10124ee169458c035b0e7137864bc33c6f1780cde0
Instruction Fuzzy Hash: 8A51EE20E047881DFB75FBA088557EABFB49F023A0F88459DD5C15A1C3DEA49B8CE761

Function 00FA03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA04AC

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FA054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FA05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FA0822
RegCloseKey.ADVAPI32(00000000), ref: 00FA082F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 609214dd39175cacc8116ab3c6a1a629cd91f1f7da36dc4b119191f746903795
Instruction ID: 8661a4d7ff9a50ec8a18d8af56cfdcbdf585c8fca131845610eb21b0fcd71b8f
Opcode Fuzzy Hash: 609214dd39175cacc8116ab3c6a1a629cd91f1f7da36dc4b119191f746903795
Instruction Fuzzy Hash: 1BE17E71604214AFCB14DF24DC85E6ABBE4FF8A314F04856DF84ADB261DA34EC05DB92

Function 00F983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CoInitialize.OLE32 ref: 00F98403
CoUninitialize.OLE32 ref: 00F9840E
CoCreateInstance.OLE32(?,00000000,00000017,00FB2BEC,?), ref: 00F9846E
IIDFromString.OLE32(?,?), ref: 00F984E1
VariantInit.OLEAUT32(?), ref: 00F9857B
VariantClear.OLEAUT32(?), ref: 00F985DC

Strings

Failed to create object, xrefs: 00F98479, 00F9852F
NULL Pointer assignment, xrefs: 00F984B3
Invalid parameter, xrefs: 00F984FA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 908276cb0fea627d17ea557a0a3a7ff5b4d829b265a26c5db56d02412c40ac4d
Instruction ID: 95796a2143633e00e18e266b8d6edfe73f9759f2880c1bc09756a8a06aa10dca
Opcode Fuzzy Hash: 908276cb0fea627d17ea557a0a3a7ff5b4d829b265a26c5db56d02412c40ac4d
Instruction Fuzzy Hash: E26125716083129FEB10DF24C844F5EB7E4AF4A7A4F04441DF9859B291CB74ED4AEB92

Function 00F94164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F9418B
EmptyClipboard.USER32 ref: 00F94191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F941A6
CloseClipboard.USER32 ref: 00F94245

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b7d1085e2a51d433451025f06725d470eb8bedd613b95f8838dd3f6f480d15b7
Instruction ID: 57b4108e4eeba433a9747610e2efcc48f47176486f334d8103664dc2eae6867e
Opcode Fuzzy Hash: b7d1085e2a51d433451025f06725d470eb8bedd613b95f8838dd3f6f480d15b7
Instruction Fuzzy Hash: 3F21D1756006149FEB11AFA0EC09F6D7BA8FF55720F14802AF946DB2A1CB74AC42EB44

Function 00F837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

FindFirstFileW.KERNEL32(?,?), ref: 00F838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F8394B
MoveFileW.KERNEL32(?,?), ref: 00F8395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F8397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F839B9

Strings

\*.*, xrefs: 00F8384E, 00F83857, 00F8386C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ec4c3ab8fdd3dfd87654535f8912b6fe0f4a0396221fa3f2af126ae09a7aa16b
Instruction ID: ec8d5f85b45945a92fa2a71ba4676fda641483996e5b44aab6bcb7e012f0e67a
Opcode Fuzzy Hash: ec4c3ab8fdd3dfd87654535f8912b6fe0f4a0396221fa3f2af126ae09a7aa16b
Instruction Fuzzy Hash: F651903180515DAACF05FBA0ED929EDB779AF11310F600069E402B71A1EF796F0DEB61

Function 00F8F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F8F440
Sleep.KERNEL32(0000000A), ref: 00F8F470
_wcscmp.LIBCMT ref: 00F8F484
_wcscmp.LIBCMT ref: 00F8F49F
FindNextFileW.KERNEL32(?,?), ref: 00F8F53D
FindClose.KERNEL32(00000000), ref: 00F8F553

Strings

*.*, xrefs: 00F8F425

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d29239ab2b4abc430c2c7123944440f43456ebedfe1377b2a105abba20d71cf5
Instruction ID: e0793d0f67e1d8e7b582705adbd3864f0c78f10d86066d5682a3fc2edef50713
Opcode Fuzzy Hash: d29239ab2b4abc430c2c7123944440f43456ebedfe1377b2a105abba20d71cf5
Instruction Fuzzy Hash: A5417E71D0021A9FCF14EFA4DC45AEEBBB4FF05320F14446AE815A7191DB349A89EB50

Function 00F35760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F358A5
_memmove.LIBCMT ref: 00F358F5
_memmove.LIBCMT ref: 00F3595B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 97439f99cd0adbccb6b6a9730678095c21a2cc1978a92e54bcae5a4ee577267f
Instruction ID: 279a4cd9304e542fe8dbff8b234f1e1058c2b6c3072353f2021a6382d107b55e
Opcode Fuzzy Hash: 97439f99cd0adbccb6b6a9730678095c21a2cc1978a92e54bcae5a4ee577267f
Instruction Fuzzy Hash: 5812AE70E00619DFCF04DFA4D981AAEB7F5FF88310F10852AE806A7250EB39A915EB51

Function 00F83B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

FindFirstFileW.KERNEL32(?,?), ref: 00F83B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F83BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F83BEA
FindClose.KERNEL32(00000000), ref: 00F83C01
FindClose.KERNEL32(00000000), ref: 00F83C0A

Strings

\*.*, xrefs: 00F83B5B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 09afd596098fb3366349b624311542488962b84f8a110655982f21f8fb758aaa
Instruction ID: c64fe2b74daa3c34a1a299c3a6744a9bd59c630378d3efb35c7553de7b1898e2
Opcode Fuzzy Hash: 09afd596098fb3366349b624311542488962b84f8a110655982f21f8fb758aaa
Instruction Fuzzy Hash: EA317C710083959BC700FF64EC919EFB7E8AE92710F44092DF4D5961A1EB24DA0DEB62

Function 00F851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
Part of subcall function 00F787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
Part of subcall function 00F787E1: GetLastError.KERNEL32 ref: 00F78865

ExitWindowsEx.USER32(?,00000000), ref: 00F851F9

Strings

, xrefs: 00F851E7
@, xrefs: 00F851EC
SeShutdownPrivilege, xrefs: 00F851C9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7e9b284406a2cd7f42ec1df3233df70ddee3823171d22e4b575a5050ba7185d8
Instruction ID: cf4c40b1b1d9aeed8633505282044dbeccbbe1d5fbb56a9809b66cb35cab6c07
Opcode Fuzzy Hash: 7e9b284406a2cd7f42ec1df3233df70ddee3823171d22e4b575a5050ba7185d8
Instruction Fuzzy Hash: 94017B32B916156BFB2872689C8BFFB7258EB05F90F240461F803E60D2DE501C05B390

Function 00F96283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F962DC
WSAGetLastError.WSOCK32(00000000), ref: 00F962EB
bind.WSOCK32(00000000,?,00000010), ref: 00F96307
listen.WSOCK32(00000000,00000005), ref: 00F96316
WSAGetLastError.WSOCK32(00000000), ref: 00F96330
closesocket.WSOCK32(00000000,00000000), ref: 00F96344

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 83b03de094a2209663d5c5a24d48fbd6fef4d2510904f71611cefc511edb99a4
Instruction ID: 373a4ad4df688be1ff84eccf335ee0d487a632875a61a27431b6893b9f5d8669
Opcode Fuzzy Hash: 83b03de094a2209663d5c5a24d48fbd6fef4d2510904f71611cefc511edb99a4
Instruction Fuzzy Hash: 4921DB71600214AFDF10AFA4DC85E6EB7A8EF49720F188169E816EB3D1CB74AD05EB51

Function 00F35520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

_memmove.LIBCMT ref: 00F70258
_memmove.LIBCMT ref: 00F7036D
_memmove.LIBCMT ref: 00F70414

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 66c6ac0e7655596e5f6dff9508b8d4c5b2c07a6a10cf8a13fed0ee3e4c90fbbb
Instruction ID: 9b5169ad92ea7070e583757dca3a731821c8e7ba83929860d531edc8ee5ccf36
Opcode Fuzzy Hash: 66c6ac0e7655596e5f6dff9508b8d4c5b2c07a6a10cf8a13fed0ee3e4c90fbbb
Instruction Fuzzy Hash: 3E02B0B1E00209DBCF04DF64D981AAEBBB5EF84310F54C06AE80ADB255EF35D954EB91

Function 00F21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F219FA
GetSysColor.USER32(0000000F), ref: 00F21A4E
SetBkColor.GDI32(?,00000000), ref: 00F21A61

Part of subcall function 00F21290: DefDlgProcW.USER32(?,00000020,?), ref: 00F212D8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 52e2fc4fdaebfd24b7c65bc65c084427b3d3aea0fd87cb8c077ce9075f25031b
Instruction ID: b843ac8ffadef114fc8f528d2e17b49df55cea69e5cd6c3edb8709b8c8985776
Opcode Fuzzy Hash: 52e2fc4fdaebfd24b7c65bc65c084427b3d3aea0fd87cb8c077ce9075f25031b
Instruction Fuzzy Hash: B3A1AFB2502579BEE7389B286C44F7F355CFF62362B140119FA02D5192CB2E9D01FAB9

Function 00F8BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8BCE6
_wcscmp.LIBCMT ref: 00F8BD16
_wcscmp.LIBCMT ref: 00F8BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00F8BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F8BD6C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 9682f4c52f4d3941dcfcb3d67d03f2a96b0e0919b28c4d4a1b805ca5638fd15a
Instruction ID: df4b9a8eed5ba242f2f53b0be4bf47b00983e31bcec0dfc305fe6f84368b84f7
Opcode Fuzzy Hash: 9682f4c52f4d3941dcfcb3d67d03f2a96b0e0919b28c4d4a1b805ca5638fd15a
Instruction Fuzzy Hash: 3E51A076A04702AFC714EF68D890EDAB7E4EF49320F04461DE9568B3A1DB34ED05EB91

Function 00F96747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F97DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F9679E
WSAGetLastError.WSOCK32(00000000), ref: 00F967C7
bind.WSOCK32(00000000,?,00000010), ref: 00F96800
WSAGetLastError.WSOCK32(00000000), ref: 00F9680D
closesocket.WSOCK32(00000000,00000000), ref: 00F96821

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4b61939dac6fc9721685a798e3ed3960845f463d9a6d3003ce19dc49baede24e
Instruction ID: 3f1ba5061cb0eb9198e8071e7f34a831b694e11102f8c8824c9d8426a5f88ed7
Opcode Fuzzy Hash: 4b61939dac6fc9721685a798e3ed3960845f463d9a6d3003ce19dc49baede24e
Instruction Fuzzy Hash: 7841E575A00224AFEB10BF649C86F7E77A8DF05754F44845CF915AB3C2CA789D01A791

Function 00FA5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FA53C5
IsWindowEnabled.USER32 ref: 00FA53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00FA53E0
IsIconic.USER32 ref: 00FA53EE
IsZoomed.USER32 ref: 00FA53FC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e400c1719eb26ddf84d0fc137a5e120f6aec7273c4acb4e5540e215507aae324
Instruction ID: c4ca0d6a94a7026567d5e5e16731d5fbd315de283b27989d4fa6744ed2cda2fc
Opcode Fuzzy Hash: e400c1719eb26ddf84d0fc137a5e120f6aec7273c4acb4e5540e215507aae324
Instruction Fuzzy Hash: 1D1127B2B00A256FDF205F66DC44B6E7B9DFF86BA1B444038F845D7241CBB4DC01A6A0

Function 00F780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F780F6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 888de06b6de3beb5a78099284189a681d4a63a740281d7e0d33d0714531bb119
Instruction ID: 445e9324317b1d1a9f7cac6b9d0da6e0266497e467b6db3a8fc1745bd83e852f
Opcode Fuzzy Hash: 888de06b6de3beb5a78099284189a681d4a63a740281d7e0d33d0714531bb119
Instruction Fuzzy Hash: 16F06271240308AFEB100FA5EC8DE673BACEF4A7A5B404026F949CA150CBA19C46EA61

Function 00F24B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24AD0), ref: 00F24B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F24B57

Strings

kernel32.dll, xrefs: 00F24B40
GetNativeSystemInfo, xrefs: 00F24B51

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6b46dc9997c96479b77d2b7f429eb5a79c0663bd5c5497dd076d8dcfabe631a3
Instruction ID: db4497f2dc6be9650829d4a2afbe8599a34488979be3a4f1d12e60e204290f78
Opcode Fuzzy Hash: 6b46dc9997c96479b77d2b7f429eb5a79c0663bd5c5497dd076d8dcfabe631a3
Instruction Fuzzy Hash: CED02BB4E10327CFC7209FB1EC18B0272E4AF82390B10C83ED4C2CA150D7B0E484EA24

Function 00F33030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3f57fec65c8bd254178ede153fadb64a9469a5d6f4f21b20447efe7c108546ae
Instruction ID: 6abd226df5d5a0cec386ec2b2e67c9094653dc43c7910486290f3df8cb4891af
Opcode Fuzzy Hash: 3f57fec65c8bd254178ede153fadb64a9469a5d6f4f21b20447efe7c108546ae
Instruction Fuzzy Hash: AD22BE72A083109FC724DF24D881B6FB7E4BF84720F14492DF89A97291DB75E944EB92

Function 00F9EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F9EE4B

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Process32NextW.KERNEL32(00000000,?), ref: 00F9EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F9EF1A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 4a333aafc36e342039511a0c67db26c8b0b68828140a413718d26463439eb139
Instruction ID: da23091962ed2c9583ace763e9f842101a837a44dfc68524abce32a1d6767e35
Opcode Fuzzy Hash: 4a333aafc36e342039511a0c67db26c8b0b68828140a413718d26463439eb139
Instruction Fuzzy Hash: 9951AF71508315AFD710EF20DC82EABB7E8EF95710F40482DF595972A2EB74E908DB92

Function 00F7E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F7E628

Strings

|, xrefs: 00F7E658
(, xrefs: 00F7E66E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d3998763eda6d735a0b99cf1472eb42f04b3b8a40f1e87e64b50f1f8d40f6330
Instruction ID: 650161fca60246141556b53e098da69c98b1c72cf069390959cc7a9d84b00eaf
Opcode Fuzzy Hash: d3998763eda6d735a0b99cf1472eb42f04b3b8a40f1e87e64b50f1f8d40f6330
Instruction Fuzzy Hash: 20321575A007059FD728CF19C481A6AB7F1FF48320B15C4AFE99ADB3A1EB70A941DB41

Function 00F922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F9180A,00000000), ref: 00F923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F92418

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: cb4ba1db892d481a793fa1aba1eefbd56e2c24e9e4b8ece9f92d98147ce1e02d
Instruction ID: 3391c8f0adbb050ad8de4b8f9b8aa74aa710a79caa0e65d183e738fcb15178ff
Opcode Fuzzy Hash: cb4ba1db892d481a793fa1aba1eefbd56e2c24e9e4b8ece9f92d98147ce1e02d
Instruction Fuzzy Hash: 3D41D372904209FFFF60DE99DC81FBBB7BCEB40724F10402AFA45A6141DA759E41BA60

Function 00F8B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F8B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F8B4B2

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3432b51d1bb88b7ab2661c898fa5f57cbc991c458c949c93f1d09da666b843c3
Instruction ID: a49555a3b03f1eb840da8cd46a826b59dedc55b822de1c16e11e4ade56da0c9b
Opcode Fuzzy Hash: 3432b51d1bb88b7ab2661c898fa5f57cbc991c458c949c93f1d09da666b843c3
Instruction Fuzzy Hash: 1A21A175A00118EFCB00EFA5EC81AEDBBB8FF49310F1480AAE905EB361CB359915DB50

Function 00F787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
GetLastError.KERNEL32 ref: 00F78865

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5eeb51f0b8377aeab4d37f3c41aea37c3f66da53de13516957b3baea18795136
Instruction ID: 3af6b87ccd1fd56771b706c06c3e5ad667c5210ce7ba3ab78fa3d60b0a3480db
Opcode Fuzzy Hash: 5eeb51f0b8377aeab4d37f3c41aea37c3f66da53de13516957b3baea18795136
Instruction Fuzzy Hash: AA119DB2814204AFE718DFA4DC89D2BBBB8EB05350B20C52EE45987201EE30AC059B61

Function 00F7874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F78774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F7878B
FreeSid.ADVAPI32(?), ref: 00F7879B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b0cb2cb67e6e5c9a0898ecf271971554faac007f9689f3c1c4b94440115367ac
Instruction ID: db791f2f7af8fc3e59bceeaa7c45b01b88344d23c37a81e26c73eb43ee982429
Opcode Fuzzy Hash: b0cb2cb67e6e5c9a0898ecf271971554faac007f9689f3c1c4b94440115367ac
Instruction Fuzzy Hash: 43F04F7595130CBFDF04DFF4DC89AAEB7BCEF08311F108469A501E6181E6715A089B50

Function 00F84C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F84CB3

Strings

DOWN, xrefs: 00F84C98

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: eab23cf47b921a8af90ed7a4f807b9d2d23e4b8e1bd847d7008308dc1555026c
Instruction ID: 90d913ca6ca3704e70b4a37eaad0c108d67ea32ff201e76aa084ba190a3ba5ae
Opcode Fuzzy Hash: eab23cf47b921a8af90ed7a4f807b9d2d23e4b8e1bd847d7008308dc1555026c
Instruction Fuzzy Hash: 73E046665997223DA9482918BC07EF72A8C8B13331B550216FC10E55C1EE94BC8236B9

Function 00F8C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8C6FB
FindClose.KERNEL32(00000000), ref: 00F8C72B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef771f65ef5c88eb0028425af1d3f9c03a900715f09c3f539469e7e7d7174ed1
Instruction ID: 4889df333f1d185553aa24f3effc3dc8f784dd68b207ae420b93f6346f08db87
Opcode Fuzzy Hash: ef771f65ef5c88eb0028425af1d3f9c03a900715f09c3f539469e7e7d7174ed1
Instruction Fuzzy Hash: 8F118E726046049FDB10EF29DC45A6AF7E8EF85324F04851EF8AACB290DB74AC05DB91

Function 00F8A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F99468,?,00FAFB84,?), ref: 00F8A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F99468,?,00FAFB84,?), ref: 00F8A0A9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a332bf6a7591f80724618dc42b4c8e39d64d4f0889cabd8ca268c492ba4b036a
Instruction ID: 5c58dfe13c99532ca052c401b5cd07ac30b3a5bc31d8ba5b805a9e5799855ef6
Opcode Fuzzy Hash: a332bf6a7591f80724618dc42b4c8e39d64d4f0889cabd8ca268c492ba4b036a
Instruction Fuzzy Hash: 1AF0E23610422DABDB20AFA4CC49FEA736CFF09362F004166F908D6180D630A904DBA1

Function 00F781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F78309), ref: 00F781E0
CloseHandle.KERNEL32(?,?,00F78309), ref: 00F781F2

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ec7beeaf85e402ad1018e2e3b01ae8ea7e966bee9a85e26fa17d1d1959eea4fc
Instruction ID: c18903d4ce0201495effc92cb3ff67f633b760b4276d58e546201233fc7d7578
Opcode Fuzzy Hash: ec7beeaf85e402ad1018e2e3b01ae8ea7e966bee9a85e26fa17d1d1959eea4fc
Instruction Fuzzy Hash: 57E0EC76010611AFEB252B61EC09D777BEEEF04361714C92DF9A684470DB76ACA1EB10

Function 00F4A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F48D57,?,?,?,00000001), ref: 00F4A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F4A163

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fa74ac5cc1ea0c61e317eb2ce11f9446103b56a4e3c3914b004e2acb3b72b1a0
Instruction ID: 643fa0f9b326218c407c3d6f0842ff21c94da5a8835f60af4fe11f689f181ce6
Opcode Fuzzy Hash: fa74ac5cc1ea0c61e317eb2ce11f9446103b56a4e3c3914b004e2acb3b72b1a0
Instruction Fuzzy Hash: 76B0927505430CABCF002BD1EC59B883F68EB46AA2F404020F60D88060CBA25454AA91

Function 00F4F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37151cef7fd2fe39ad7e5f140dcb289fe048f547f964478f90990aff33c87b01
Instruction ID: 16c30021069663d222251002db04c3b5f6c0e68f9d3b210a9fe3783a681dc566
Opcode Fuzzy Hash: 37151cef7fd2fe39ad7e5f140dcb289fe048f547f964478f90990aff33c87b01
Instruction Fuzzy Hash: 3032F322D29F054DDB239634DCA2335A648AFF73D4F15D737EC1AB59AAEB28C4836500

Function 00F5242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262a18bc9e9986582f89867f3a29354ec16422deceed94033acc75674612620a
Instruction ID: ff2832aa45e30c7cd395f38759e1a920b39f5bb25c31a00d7e74249c580a6b79
Opcode Fuzzy Hash: 262a18bc9e9986582f89867f3a29354ec16422deceed94033acc75674612620a
Instruction Fuzzy Hash: 21B10230E2AF444DD32396398871336BA9CAFBB2D5F55D71BFC2670D22EB2285836541

Function 00F88889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F8889B

Part of subcall function 00F4520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F88F6E,00000000,?,?,?,?,00F8911F,00000000,?), ref: 00F45213
Part of subcall function 00F4520A: __aulldiv.LIBCMT ref: 00F45233

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c6cbb490d38ff04b652fbf91749a9561b05f3900b97a4a8e3adc370a8ac7bc0d
Instruction ID: 52f55ed3aee2054a2d73d2702fc1f12dc5f69f797dd43b53e5b9b785ac0b441c
Opcode Fuzzy Hash: c6cbb490d38ff04b652fbf91749a9561b05f3900b97a4a8e3adc370a8ac7bc0d
Instruction Fuzzy Hash: F421B432A356148BC729CF25D881A92B3E1EFA5321B688E6CD1F5CF2D0CB74B905DB54

Function 00F787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F78389), ref: 00F787D1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 86e095a651ff71abbf44ca03665f6390f638aa3467b8ef7a661bbb79112fe874
Instruction ID: 4f91b27d977764da0f1c24cc08dacaa73b1002abf02f7cd186ba5dd5785196b8
Opcode Fuzzy Hash: 86e095a651ff71abbf44ca03665f6390f638aa3467b8ef7a661bbb79112fe874
Instruction Fuzzy Hash: 41D05E322A050EABEF018EA4DC01EAE3B69EB04B01F40C111FE15C50A1C775D835AB60

Function 00F4A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F4A12A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7cb2c4d247dfffaa79dde1946eeeb76003b2bfa205871bc937836e0ff40ee971
Instruction ID: 55719b4cf4560e1f0d296f8555da48c5ef775f3a9481120a3c7a938d082283f0
Opcode Fuzzy Hash: 7cb2c4d247dfffaa79dde1946eeeb76003b2bfa205871bc937836e0ff40ee971
Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFACEA022A0B008020F80C880228B32A820AA80

Function 00F38808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8575dff8759557118a6eca048f912c28048ace92fe2acb9120953f6f77449a4
Instruction ID: 08780a3171d5816ba8d0f80d46de1668c9ae270c6dfec58212795ae1fc325e5c
Opcode Fuzzy Hash: e8575dff8759557118a6eca048f912c28048ace92fe2acb9120953f6f77449a4
Instruction Fuzzy Hash: 32224831D0434ADBCF288A24C49477C77A1BB01BB4F24806BF54ACB592DBBC9D92F652

Function 00F421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 65de15032a1a9519c43cf0bddade5d2834f8d49b91f699cbbd0ffc5eb0844cb8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 35C19672A050930ADF6D8639843413EFEB16EA27B135A077DECB3CB1D5EE10C965E620

Function 00F425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: c9aa65240430b80156cb60e0b542f35ce6da220c03519136d979de4fcdaab076
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 3EC19473A0519309DF6D463A843413EBEA16EA27F135A077DECB2DB1D4EE20C964F620

Function 00F41978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 457cfbbacbb604626c25d754bd6ad713e3f773ad209cc29662764ae619798618
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3CC17272A4519309DF2D4639C47417EBFA16EA27B131A076DDCB2CB2D4FE20C9A5E620

Function 00F97806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F9785B
DeleteObject.GDI32(00000000), ref: 00F9786D
DestroyWindow.USER32 ref: 00F9787B
GetDesktopWindow.USER32 ref: 00F97895
GetWindowRect.USER32(00000000), ref: 00F9789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97A35
GetClientRect.USER32(00000000,?), ref: 00F97A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F97A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97ABB
GlobalLock.KERNEL32(00000000), ref: 00F97AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F97ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AE3
GlobalFree.KERNEL32(00000000), ref: 00F97AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FB2CAC,00000000), ref: 00F97B16
GlobalFree.KERNEL32(00000000), ref: 00F97B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F97B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F97B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97D7A

Strings

static, xrefs: 00F97A75, 00F97BCC
DISPLAY, xrefs: 00F97BDD
, xrefs: 00F97D00
AutoIt v3, xrefs: 00F97A2D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1921982947d263551c8cd1f6c851e9e3dcc19e5073519ce6a65366672779f8f8
Instruction ID: 84a2c6d214e2af3c5a65001ed0567f06228a14c717bf16a33c5b89a23d2998ba
Opcode Fuzzy Hash: 1921982947d263551c8cd1f6c851e9e3dcc19e5073519ce6a65366672779f8f8
Instruction Fuzzy Hash: 27027BB1910219EFDF14DFA4DC89EAE7BB9EF49310F148158F905AB2A1C774AD01EB60

Function 00FA356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00FAF910), ref: 00FA3627
IsWindowVisible.USER32(?), ref: 00FA364B

Strings

FINDSTRING, xrefs: 00FA3776
ISVISIBLE, xrefs: 00FA3637
TABLEFT, xrefs: 00FA3687
GETLINE, xrefs: 00FA399B
ISCHECKED, xrefs: 00FA3839
GETLINECOUNT, xrefs: 00FA38C6
EDITPASTE, xrefs: 00FA395F
CURRENTTAB, xrefs: 00FA36BD
GETSELECTED, xrefs: 00FA38A3
UNCHECK, xrefs: 00FA3883
CHECK, xrefs: 00FA386D
GETCURRENTCOL, xrefs: 00FA3928
SELECTSTRING, xrefs: 00FA3806
ISENABLED, xrefs: 00FA366B
SENDCOMMANDID, xrefs: 00FA39DA
DELSTRING, xrefs: 00FA3749
GETCURRENTLINE, xrefs: 00FA38ED
ADDSTRING, xrefs: 00FA3716
SHOWDROPDOWN, xrefs: 00FA36E0
SETCURRENTSELECTION, xrefs: 00FA37B6
HIDEDROPDOWN, xrefs: 00FA3700
TABRIGHT, xrefs: 00FA369D
GETCURRENTSELECTION, xrefs: 00FA37E3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 25e7e7ce5d809bac47964652419a6cefe899da99458c5b467accc759a073cdeb
Instruction ID: ea9ec73f8d311fa8f38daf53102ec9bbe8acff2d5938dd8134a075671aa89ae7
Opcode Fuzzy Hash: 25e7e7ce5d809bac47964652419a6cefe899da99458c5b467accc759a073cdeb
Instruction Fuzzy Hash: 1CD1B6712083119BCB04EF10C855A6E7BA2AF96354F184459F8865B3A3CF79DE0AFB81

Function 00FAA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FAA630
GetSysColorBrush.USER32(0000000F), ref: 00FAA661
GetSysColor.USER32(0000000F), ref: 00FAA66D
SetBkColor.GDI32(?,000000FF), ref: 00FAA687
SelectObject.GDI32(?,00000000), ref: 00FAA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA6C1
GetSysColor.USER32(00000010), ref: 00FAA6C9
CreateSolidBrush.GDI32(00000000), ref: 00FAA6D0
FrameRect.USER32(?,?,00000000), ref: 00FAA6DF
DeleteObject.GDI32(00000000), ref: 00FAA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00FAA731
FillRect.USER32(?,?,00000000), ref: 00FAA763
GetWindowLongW.USER32(?,000000F0), ref: 00FAA78E

Part of subcall function 00FAA8CA: GetSysColor.USER32(00000012), ref: 00FAA903
Part of subcall function 00FAA8CA: SetTextColor.GDI32(?,?), ref: 00FAA907
Part of subcall function 00FAA8CA: GetSysColorBrush.USER32(0000000F), ref: 00FAA91D
Part of subcall function 00FAA8CA: GetSysColor.USER32(0000000F), ref: 00FAA928
Part of subcall function 00FAA8CA: GetSysColor.USER32(00000011), ref: 00FAA945
Part of subcall function 00FAA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FAA953
Part of subcall function 00FAA8CA: SelectObject.GDI32(?,00000000), ref: 00FAA964
Part of subcall function 00FAA8CA: SetBkColor.GDI32(?,00000000), ref: 00FAA96D
Part of subcall function 00FAA8CA: SelectObject.GDI32(?,?), ref: 00FAA97A
Part of subcall function 00FAA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA999
Part of subcall function 00FAA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FAA9B0
Part of subcall function 00FAA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00FAA9C5
Part of subcall function 00FAA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FAA9ED

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 4a8c71d342106af5bc4090fb5dae0d379762027ce3c7ea7560da371eee6ae84e
Instruction ID: c60bd833bebb39ae19b997f863758997283a8b71423779d4b7988e3509c25423
Opcode Fuzzy Hash: 4a8c71d342106af5bc4090fb5dae0d379762027ce3c7ea7560da371eee6ae84e
Instruction Fuzzy Hash: 279181B2408305EFC7109FA4DC08A5B7BA9FF4A331F144B29F962DA1A0D735D948EB52

Function 00F22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F22CA2
DeleteObject.GDI32(00000000), ref: 00F22CE8
DeleteObject.GDI32(00000000), ref: 00F22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F5C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F5C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F5C89D

Part of subcall function 00F21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F22036,?,00000000,?,?,?,?,00F216CB,00000000,?), ref: 00F21B9A

SendMessageW.USER32(?,00001053), ref: 00F5C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F5C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F5C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F5C912

Strings

0, xrefs: 00F5C731

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 7df8996cdf8de4195f3ff3ee5683587db4c71de74ecdd83426ba58c975a2b85d
Instruction ID: 81836462ab0a29ca11cbe3df6672acc61a0b3a751910964ccd616447a4424acc
Opcode Fuzzy Hash: 7df8996cdf8de4195f3ff3ee5683587db4c71de74ecdd83426ba58c975a2b85d
Instruction Fuzzy Hash: 5C129130904311EFDB14CF24D884B69B7E1FF09322F584569FA96DB662C731E84AEB91

Function 00F974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F9759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F97633
GetClientRect.USER32(00000000,?), ref: 00F9763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F97683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F97692
GetStockObject.GDI32(00000011), ref: 00F976A2
SelectObject.GDI32(00000000,00000000), ref: 00F976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F976BF
DeleteDC.GDI32(00000000), ref: 00F976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F9770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F97746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F9775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F9776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F9779B
GetStockObject.GDI32(00000011), ref: 00F977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F977BB

Strings

static, xrefs: 00F9767D, 00F97795
DISPLAY, xrefs: 00F97688
msctls_progress32, xrefs: 00F9773C
AutoIt v3, xrefs: 00F9762B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 560ebf8fbde9b42c1ea098e836bb8705e727144cd325543f5bb93b92a306650f
Instruction ID: 0c8fec539a6ea76939c96a86b1b2d04a9fc3ac05f7e7acc383c86dc22b73dba7
Opcode Fuzzy Hash: 560ebf8fbde9b42c1ea098e836bb8705e727144cd325543f5bb93b92a306650f
Instruction Fuzzy Hash: 20A190B1A00619BFEB14DBA4DC4AFAE7BB9EF09714F044114FA15AB2E0C774AD04DB64

Function 00F8AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8AD1E
GetDriveTypeW.KERNEL32(?,00FAFAC0,?,\\.\,00FAF910), ref: 00F8ADFB
SetErrorMode.KERNEL32(00000000,00FAFAC0,?,\\.\,00FAF910), ref: 00F8AF59

Strings

SSD, xrefs: 00F8AE86
SSA, xrefs: 00F8AEE2
1394, xrefs: 00F8AEDB
Removable, xrefs: 00F8AE4D
SAS, xrefs: 00F8AF05
RAID, xrefs: 00F8AEF7
ATA, xrefs: 00F8AED4
ATAPI, xrefs: 00F8AECD
Virtual, xrefs: 00F8AF21
Fixed, xrefs: 00F8AE43
PhysicalDrive, xrefs: 00F8ADA7
FileBackedVirtual, xrefs: 00F8AF28
Fibre, xrefs: 00F8AEE9
CDROM, xrefs: 00F8AE2F
\\.\, xrefs: 00F8AD70
SATA, xrefs: 00F8AF0C
Network, xrefs: 00F8AE39
MMC, xrefs: 00F8AF1A
iSCSI, xrefs: 00F8AEFE
USB, xrefs: 00F8AEF0
Unknown, xrefs: 00F8AE1B, 00F8AEBF
RAMDisk, xrefs: 00F8AE25
SCSI, xrefs: 00F8AEC6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 024c55109d2250d4d1e972ecadc897afd342ade09e193735012944970c53961a
Instruction ID: be9e884fe95d271a98655cd5573ec9b94175d85900309331fffe7f44b5edcc40
Opcode Fuzzy Hash: 024c55109d2250d4d1e972ecadc897afd342ade09e193735012944970c53961a
Instruction Fuzzy Hash: E451C2B1A48209AB9B00FB10CD82DFD73A2EB48750B284457E507AB394DAB4DD02FB43

Function 00F268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F26931
__wcsnicmp.LIBCMT ref: 00F26949
__wcsnicmp.LIBCMT ref: 00F26961
__wcsnicmp.LIBCMT ref: 00F26979
__wcsnicmp.LIBCMT ref: 00F26991
__wcsnicmp.LIBCMT ref: 00F269A9
__wcsnicmp.LIBCMT ref: 00F269C1
__wcsnicmp.LIBCMT ref: 00F269D5
__wcsnicmp.LIBCMT ref: 00F26A16
__wcsnicmp.LIBCMT ref: 00F26A2A
__wcsnicmp.LIBCMT ref: 00F26A3E
__wcsnicmp.LIBCMT ref: 00F26A52

Strings

Cannot parse #include, xrefs: 00F5E3F0
#requireadmin, xrefs: 00F2695B
#ce, xrefs: 00F26A4C
#notrayicon, xrefs: 00F26943
#cs, xrefs: 00F269CF, 00F26A24
#OnAutoItStartRegister, xrefs: 00F26973
#pragma compile, xrefs: 00F2692B
#comments-start, xrefs: 00F269BB, 00F26A10
#comments-end, xrefs: 00F26A38
Unterminated group of comments, xrefs: 00F5E403
#include, xrefs: 00F269A3
#include-once, xrefs: 00F2698B
Bad directive syntax error, xrefs: 00F5E31A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 292e2405b7d16bdf2079c2254a607805d4344ac4aec91771af9f74f95a3d8ee2
Instruction ID: f80beb729e74e6cdc3d8b507b29c352316f2e9ebce336ee9b15d726cbd364c05
Opcode Fuzzy Hash: 292e2405b7d16bdf2079c2254a607805d4344ac4aec91771af9f74f95a3d8ee2
Instruction Fuzzy Hash: B9813BB1A002156ACB15AF60FC83FAF3B68AF05710F044025FD45EB192EB79DE49F661

Function 00FA9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00FA9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FA9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00FA9BA7

Strings

0, xrefs: 00FA9BE4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 50f27171c8532b8ebb0314ccd53d96b75778c12c1c5dcfbf128f734cf46293df
Instruction ID: 73c99848287ee4d0a6d985341a2ef4fc169c3b66d03e054d3511e5cd3df01c25
Opcode Fuzzy Hash: 50f27171c8532b8ebb0314ccd53d96b75778c12c1c5dcfbf128f734cf46293df
Instruction Fuzzy Hash: 4002E2B1508301AFDB25CF14CC88BAABBE5FF86324F04852DF995DA2A1C7B4D944EB51

Function 00FAA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FAA903
SetTextColor.GDI32(?,?), ref: 00FAA907
GetSysColorBrush.USER32(0000000F), ref: 00FAA91D
GetSysColor.USER32(0000000F), ref: 00FAA928
CreateSolidBrush.GDI32(?), ref: 00FAA92D
GetSysColor.USER32(00000011), ref: 00FAA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FAA953
SelectObject.GDI32(?,00000000), ref: 00FAA964
SetBkColor.GDI32(?,00000000), ref: 00FAA96D
SelectObject.GDI32(?,?), ref: 00FAA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FAA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FAA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FAA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FAAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00FAAA32
DrawFocusRect.USER32(?,?), ref: 00FAAA3D
GetSysColor.USER32(00000011), ref: 00FAAA4B
SetTextColor.GDI32(?,00000000), ref: 00FAAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FAAA67
SelectObject.GDI32(?,00FAA5FA), ref: 00FAAA7E
DeleteObject.GDI32(?), ref: 00FAAA89
SelectObject.GDI32(?,?), ref: 00FAAA8F
DeleteObject.GDI32(?), ref: 00FAAA94
SetTextColor.GDI32(?,?), ref: 00FAAA9A
SetBkColor.GDI32(?,?), ref: 00FAAAA4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 358f589efce3e345f2979abdf1c7cfabe1bbe32b9a67213f625b4dbb36e23998
Instruction ID: 5b836c60ab90bed90ab0dd22c45adf9c4660dbd66c77e16cabc86dbc53eb14b2
Opcode Fuzzy Hash: 358f589efce3e345f2979abdf1c7cfabe1bbe32b9a67213f625b4dbb36e23998
Instruction Fuzzy Hash: A1513DB1D00208FFDB119FA4DC48EAE7BB9EF0A320F154625F911AB2A1D7759944EF90

Function 00FA89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FA8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA8AD2
CharNextW.USER32(0000014E), ref: 00FA8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FA8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FA8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FA8B86
SetWindowTextW.USER32(?,0000014E), ref: 00FA8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FA8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA8C1F
_memset.LIBCMT ref: 00FA8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FA8C8D
_memset.LIBCMT ref: 00FA8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FA8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FA8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00FA8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00FA8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA8EB4
DrawMenuBar.USER32(?), ref: 00FA8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00FA8EEB

Strings

0, xrefs: 00FA8E55

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 24efd96c69525f7a7ecf1a188e07b6e3cb90ce6ab3c4c46ee696fbe79eded42a
Instruction ID: 09098b20235f20c0e9c7358f0e00a9c7286ddb28aa39974320ffe38468da4a2c
Opcode Fuzzy Hash: 24efd96c69525f7a7ecf1a188e07b6e3cb90ce6ab3c4c46ee696fbe79eded42a
Instruction Fuzzy Hash: D0E183B1900209AFDF20DF50CC84EEE7B79EF06760F148156F915AB290DBB49A85EF60

Function 00FA488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FA49CA
GetDesktopWindow.USER32 ref: 00FA49DF
GetWindowRect.USER32(00000000), ref: 00FA49E6
GetWindowLongW.USER32(?,000000F0), ref: 00FA4A48
DestroyWindow.USER32(?), ref: 00FA4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FA4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00FA4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FA4B09
IsWindowVisible.USER32(?), ref: 00FA4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FA4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FA4B58
GetWindowRect.USER32(?,?), ref: 00FA4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00FA4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00FA4BB0
CopyRect.USER32(?,?), ref: 00FA4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00FA4C32

Strings

tooltips_class32, xrefs: 00FA4A96
(, xrefs: 00FA4BA3
0, xrefs: 00FA4975

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0d094906ddc8408b4b0d0e8ac24adc51d2287392611e0af17c5ce748c3461bb8
Instruction ID: 9298115bcfd8a8d465860a99c17ba82731f77fd1cf08b7d8c30752aada8b9096
Opcode Fuzzy Hash: 0d094906ddc8408b4b0d0e8ac24adc51d2287392611e0af17c5ce748c3461bb8
Instruction Fuzzy Hash: 76B18BB1608350AFDB04DF64D844B6BBBE4BF8A314F00891CF5999B2A1D7B4EC05EB95

Function 00F8449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F844D2
_wcscpy.LIBCMT ref: 00F84500
_wcscmp.LIBCMT ref: 00F8450B
_wcscat.LIBCMT ref: 00F84521
_wcsstr.LIBCMT ref: 00F8452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F84548
_wcscat.LIBCMT ref: 00F84591
_wcscat.LIBCMT ref: 00F84598
_wcsncpy.LIBCMT ref: 00F845C3

Strings

%u.%u.%u.%u, xrefs: 00F84626
DefaultLangCodepage, xrefs: 00F845AB
\VarFileInfo\Translation, xrefs: 00F84540
04090000, xrefs: 00F8457E
StringFileInfo\, xrefs: 00F8451B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: ae852877b5d5d5852b6776791d332788d5c1146c826f90307beb3aebefada8b0
Instruction ID: cd61e46c692194ceb95fa8c35843f0c75edf6fb3fd2d39ba6c9835c08edbab34
Opcode Fuzzy Hash: ae852877b5d5d5852b6776791d332788d5c1146c826f90307beb3aebefada8b0
Instruction Fuzzy Hash: 3241B872A002057BD710BAB48C47EFF7B7CDF42720F04046AFD05E6182EA38EA11B6A5

Function 00F227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F228BC
GetSystemMetrics.USER32(00000007), ref: 00F228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F228EF
GetSystemMetrics.USER32(00000008), ref: 00F228F7
GetSystemMetrics.USER32(00000004), ref: 00F2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F22990
GetClientRect.USER32(00000000,000000FF), ref: 00F229AE
GetStockObject.GDI32(00000011), ref: 00F229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F229D5

Part of subcall function 00F22344: GetCursorPos.USER32(?), ref: 00F22357
Part of subcall function 00F22344: ScreenToClient.USER32(00FE57B0,?), ref: 00F22374
Part of subcall function 00F22344: GetAsyncKeyState.USER32(00000001), ref: 00F22399
Part of subcall function 00F22344: GetAsyncKeyState.USER32(00000002), ref: 00F223A7

SetTimer.USER32(00000000,00000000,00000028,00F21256), ref: 00F229FC

Strings

AutoIt v3 GUI, xrefs: 00F22974

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4dc08b69649aa19a53f2d5c1f80e776dae1b95381544feb2e582c045c0e26472
Instruction ID: 5e4273cf77f9aff3a76aa96eadc884be397d59d8d7d1ceb1f442375c585fb5d7
Opcode Fuzzy Hash: 4dc08b69649aa19a53f2d5c1f80e776dae1b95381544feb2e582c045c0e26472
Instruction Fuzzy Hash: 26B19071A0021AEFDB14DFA8DC85BAD7BB4FB08715F104229FA16EB290DB74D854EB50

Function 00F7A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F7A47A
__swprintf.LIBCMT ref: 00F7A51B
_wcscmp.LIBCMT ref: 00F7A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F7A583
_wcscmp.LIBCMT ref: 00F7A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00F7A5F6
GetDlgCtrlID.USER32(?), ref: 00F7A648
GetWindowRect.USER32(?,?), ref: 00F7A67E
GetParent.USER32(?), ref: 00F7A69C
ScreenToClient.USER32(00000000), ref: 00F7A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00F7A71D
_wcscmp.LIBCMT ref: 00F7A731
GetWindowTextW.USER32(?,?,00000400), ref: 00F7A757
_wcscmp.LIBCMT ref: 00F7A76B

Part of subcall function 00F4362C: _iswctype.LIBCMT ref: 00F43634

Strings

%s%u, xrefs: 00F7A515

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: cf81fe767297b27c9eef1d70a6bf20f49a3ed1638e01fbe7e0b41025006b28cb
Instruction ID: b6d6881223808541a1f6767dcb5e01105774954676b6a2a3166a780f12d5d426
Opcode Fuzzy Hash: cf81fe767297b27c9eef1d70a6bf20f49a3ed1638e01fbe7e0b41025006b28cb
Instruction Fuzzy Hash: 30A1D371604206ABC718DF64C884FAEB7E8FF84320F05862AF99DC6150D734E956EB93

Function 00F7AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F7AF18
_wcscmp.LIBCMT ref: 00F7AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F7AF51
CharUpperBuffW.USER32(?,00000000), ref: 00F7AF6E
_wcscmp.LIBCMT ref: 00F7AF8C
_wcsstr.LIBCMT ref: 00F7AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F7AFD5
_wcscmp.LIBCMT ref: 00F7AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F7B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F7B055
_wcscmp.LIBCMT ref: 00F7B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00F7B08D
GetWindowRect.USER32(00000004,?), ref: 00F7B0F6

Strings

ThumbnailClass, xrefs: 00F7AFE0, 00F7B060
@, xrefs: 00F7AEF9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 0ed70b3e95fd36fb2fb1fca1485e91f02f972eff31739c3385d30c0c0e65d50b
Instruction ID: 6ed7cf83e1ddad1ff50ef7a97db34d547671de90b1417f347b948679d2f3c9d6
Opcode Fuzzy Hash: 0ed70b3e95fd36fb2fb1fca1485e91f02f972eff31739c3385d30c0c0e65d50b
Instruction Fuzzy Hash: B681B1715083099BDB04DF10C885FAA7BE8EF85724F04C46AFD898A096DB34DD49EB62

Function 00F7ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F7AC33

Strings

[HANDLE:, xrefs: 00F7AC3F
[CLASS:, xrefs: 00F7AC83
CLASSNAME=, xrefs: 00F7AC70
[REGEXPTITLE:, xrefs: 00F7AC5B
[ACTIVE, xrefs: 00F7AC20
ACTIVE, xrefs: 00F7AC0E
ALL, xrefs: 00F7ACC7
[ALL, xrefs: 00F7ACD9
REGEXP=, xrefs: 00F7AC48
LAST, xrefs: 00F7ABF8
HANDLE=, xrefs: 00F7AC2C
[LAST, xrefs: 00F7ACE0

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: bdba824e0814a3d9f2870a3fb4a638a32a1a80f7f056aa7cf5790b147616f44c
Instruction ID: 4c8fb23ce46ba3696631fa769917dbf49af87a40bd667800e3c4c26d073a7e24
Opcode Fuzzy Hash: bdba824e0814a3d9f2870a3fb4a638a32a1a80f7f056aa7cf5790b147616f44c
Instruction Fuzzy Hash: 5C31D031948319BADB11FA60ED03EAE7765AB10720F64402AF805791E5FA69EF04B653

Function 00F94FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F95013
LoadCursorW.USER32(00000000,00007F00), ref: 00F9501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F95029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F95034
LoadCursorW.USER32(00000000,00007F01), ref: 00F9503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F9504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F95055
LoadCursorW.USER32(00000000,00007F80), ref: 00F95060
LoadCursorW.USER32(00000000,00007F86), ref: 00F9506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F95076
LoadCursorW.USER32(00000000,00007F85), ref: 00F95081
LoadCursorW.USER32(00000000,00007F82), ref: 00F9508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F95097
LoadCursorW.USER32(00000000,00007F04), ref: 00F950A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F950AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F950B8
GetCursorInfo.USER32(?), ref: 00F950C8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 770d74529191e0d3f0b7cc591d97d8cb248d9899f3078056eabdd47173413097
Instruction ID: ddf025af31afebcce869ed98940e7b1b215da9ea47a2e90ed5586621efe7b69a
Opcode Fuzzy Hash: 770d74529191e0d3f0b7cc591d97d8cb248d9899f3078056eabdd47173413097
Instruction Fuzzy Hash: 7E3115B1D0831E6ADF119FB68C8999FBFE8FF04750F50452AE50CE7280DA78A5049F91

Function 00FAA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FAA259
DestroyWindow.USER32(?,?), ref: 00FAA2D3

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FAA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FAA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FAA382
DestroyWindow.USER32(00000000), ref: 00FAA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F20000,00000000), ref: 00FAA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FAA3F4
GetDesktopWindow.USER32 ref: 00FAA40D
GetWindowRect.USER32(00000000), ref: 00FAA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FAA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FAA444

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

Strings

0, xrefs: 00FAA26F
tooltips_class32, xrefs: 00FAA346, 00FAA3D4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 224dce6202061203cd9b44d7c3de864bfe23119d4534ab6b72f7c8eb139b1e4b
Instruction ID: 625f57886465376db6b4968e9d29bea74edbe3561d1b0dfb6205e01f6546b709
Opcode Fuzzy Hash: 224dce6202061203cd9b44d7c3de864bfe23119d4534ab6b72f7c8eb139b1e4b
Instruction Fuzzy Hash: EB71BEB1540344AFD720DF28CC48F6A77E6FB8A714F04451DF9858B2A0C775E90AEB52

Function 00FAC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DragQueryPoint.SHELL32(?,?), ref: 00FAC627

Part of subcall function 00FAAB37: ClientToScreen.USER32(?,?), ref: 00FAAB60
Part of subcall function 00FAAB37: GetWindowRect.USER32(?,?), ref: 00FAABD6
Part of subcall function 00FAAB37: PtInRect.USER32(?,?,00FAC014), ref: 00FAABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00FAC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FAC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FAC6BE
_wcscat.LIBCMT ref: 00FAC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FAC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00FAC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FAC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00FAC757
DragFinish.SHELL32(?), ref: 00FAC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FAC851

Strings

@GUI_DRAGID, xrefs: 00FAC7C9
@GUI_DRAGFILE, xrefs: 00FAC800
@GUI_DROPID, xrefs: 00FAC77E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: acaa07479b31e7af8845c7cbc0b7c5177ca98ebf060379da8fce62a1af47a4c5
Instruction ID: 414b1509445d62960dffbf34e1dca431ffa011e478f07ae50b6a68ba8425644f
Opcode Fuzzy Hash: acaa07479b31e7af8845c7cbc0b7c5177ca98ebf060379da8fce62a1af47a4c5
Instruction Fuzzy Hash: 5961A071108304AFC701EF64DC85D9FBBE8EF89750F04092EF595962A1DB70A949EB92

Function 00FA4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA446F

Strings

EXISTS, xrefs: 00FA44D8
COLLAPSE, xrefs: 00FA44B5
ISCHECKED, xrefs: 00FA45F2
GETTOTALCOUNT, xrefs: 00FA4456
SELECT, xrefs: 00FA4620
GETITEMCOUNT, xrefs: 00FA4551
GETTEXT, xrefs: 00FA45C2
GETSELECTED, xrefs: 00FA457F
UNCHECK, xrefs: 00FA464B
CHECK, xrefs: 00FA448F
EXPAND, xrefs: 00FA4521

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: b2fbf53f49a9523b2fff4cfb8a77b03351c426b4f0639a3f911fcb3a2ba00de6
Instruction ID: 0d6c0dd3962f2b2597d8b09c1b44c8a14a0cd75796f90ea2e508eab7e553cbca
Opcode Fuzzy Hash: b2fbf53f49a9523b2fff4cfb8a77b03351c426b4f0639a3f911fcb3a2ba00de6
Instruction Fuzzy Hash: 699182716047119FCB04EF10C851A6EB7A1AF96350F48846DFC965B3A2CBB8FD09EB91

Function 00FAB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FAB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FA91C2), ref: 00FAB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FAB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FAB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FAB9C3
FreeLibrary.KERNEL32(?), ref: 00FAB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FAB9DF
DestroyIcon.USER32(?,?,?,?,?,00FA91C2), ref: 00FAB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FABA17

Part of subcall function 00F42EFD: __wcsicmp_l.LIBCMT ref: 00F42F86

Strings

.dll, xrefs: 00FAB86D
.icl, xrefs: 00FAB82A
.exe, xrefs: 00FAB84A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 61f21eb9bf84252cbb118b094fb86039ec530163c1858cdd8d9684ac15bdd422
Instruction ID: 0c76b94b5ba203fa1df19ee58292e2abfce62d102fb68049732e06997cf687d1
Opcode Fuzzy Hash: 61f21eb9bf84252cbb118b094fb86039ec530163c1858cdd8d9684ac15bdd422
Instruction Fuzzy Hash: 6C61F1B1900219BAEB14DF64CC41FBE7BACEF0A721F104116FD15DA1D2DB789A90E7A0

Function 00F8DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F8DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F8DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F8DCF8
__wsplitpath.LIBCMT ref: 00F8DD56
_wcscat.LIBCMT ref: 00F8DD6E
_wcscat.LIBCMT ref: 00F8DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F8DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DDFC
_wcscpy.LIBCMT ref: 00F8DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F8DE47

Strings

*.*, xrefs: 00F8DE02

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 38d16b5f96e37479ee8bda89239fc11ec5f7675d00750ac91386388ee1f96947
Instruction ID: 627edf0a0abc9eb0e842e8feed2d263e586ec84a83e2896d5d785a981609923d
Opcode Fuzzy Hash: 38d16b5f96e37479ee8bda89239fc11ec5f7675d00750ac91386388ee1f96947
Instruction Fuzzy Hash: 72618C725082059FCB10EF60D844AEEB3E8FF89320F04492DF989C7291DB79E945DB92

Function 00F89C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00F89C7F

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F89CA0
__swprintf.LIBCMT ref: 00F89CF9
__swprintf.LIBCMT ref: 00F89D12
_wprintf.LIBCMT ref: 00F89DB9
_wprintf.LIBCMT ref: 00F89DD7

Strings

Error: , xrefs: 00F89D81
Line %d (File "%s"):, xrefs: 00F89CF3, 00F89D0C
"%s" (%d) : ==> %s:%s%s, xrefs: 00F89DB4
"%s" (%d) : ==> %s:, xrefs: 00F89DD2
^ ERROR , xrefs: 00F89D4E
Incorrect parameters to object property !, xrefs: 00F89D5B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 8836f8d94766e7fcc28ae3e8978d539965adf5efff0668f5cd98aa5bb2a8b539
Instruction ID: 695d604a32ccfd4003a7efc1fe4f763ce0e111956a8b1318da57b50167e07344
Opcode Fuzzy Hash: 8836f8d94766e7fcc28ae3e8978d539965adf5efff0668f5cd98aa5bb2a8b539
Instruction Fuzzy Hash: F951D43290061AAACF14FBE0ED46EEEB778AF04300F540065F50576161EB396F49FB61

Function 00F8A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CharLowerBuffW.USER32(?,?), ref: 00F8A3CB
GetDriveTypeW.KERNEL32 ref: 00F8A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A4C5

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Strings

close, xrefs: 00F8A3D1
open , xrefs: 00F8A427
type cdaudio alias cd wait, xrefs: 00F8A443
close cd wait, xrefs: 00F8A4B0
open, xrefs: 00F8A3F2
set cd door , xrefs: 00F8A466
wait, xrefs: 00F8A482
closed, xrefs: 00F8A3DF, 00F8A3E8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: d8f138040bdd515ababe6e43f625a2086947bc12e516270ddf1c4974ebab5937
Instruction ID: 53805285490749cc4a71eb3c17c64b8a1ea2b9bf355174b60558b7bd11762aea
Opcode Fuzzy Hash: d8f138040bdd515ababe6e43f625a2086947bc12e516270ddf1c4974ebab5937
Instruction Fuzzy Hash: C9519E711083159FC700EF20DC919AAB3E4EF84758F04882EF88A57261DB35ED0AEB82

Function 00F7F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F7F8DF
LoadStringW.USER32(00000000,?,00F5E029,00000001), ref: 00F7F8E8

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

GetModuleHandleW.KERNEL32(00000000,00FE5310,?,00000FFF,?,?,00F5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F7F90A
LoadStringW.USER32(00000000,?,00F5E029,00000001), ref: 00F7F90D
__swprintf.LIBCMT ref: 00F7F95D
__swprintf.LIBCMT ref: 00F7F96E
_wprintf.LIBCMT ref: 00F7FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7FA2E

Strings

Line %d:, xrefs: 00F7F968
^ ERROR, xrefs: 00F7F9C3
%s (%d) : ==> %s: %s %s, xrefs: 00F7FA12
Line %d (File "%s"):, xrefs: 00F7F957
Error: , xrefs: 00F7F9E5

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0dc5b04cb2d71078059f383ab8275335b4884de1494815a25dd49c332ae96917
Instruction ID: 0c3193ee6db92b575963e444d76fc0788128e82a14bf8fb53fe74a7e803641b7
Opcode Fuzzy Hash: 0dc5b04cb2d71078059f383ab8275335b4884de1494815a25dd49c332ae96917
Instruction Fuzzy Hash: 8C41307280421DAACF04FFE0ED86DEE7778AF54340F500065B509B6192EA396F4DEB61

Function 00FABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FA9207,?,?), ref: 00FABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA85
GlobalLock.KERNEL32(00000000), ref: 00FABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA9D
GlobalUnlock.KERNEL32(00000000), ref: 00FABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FB2CAC,?), ref: 00FABAD7
GlobalFree.KERNEL32(00000000), ref: 00FABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00FABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00FABB36
DeleteObject.GDI32(00000000), ref: 00FABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FABB74

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 578604257eab56d5de5fcb99cfd86647e2c3c8fb6756d469aaaf230704cd124e
Instruction ID: e4f1079d76331e442e54f43258df606a80bfdd04cd12b96d22623cc5e63e5f73
Opcode Fuzzy Hash: 578604257eab56d5de5fcb99cfd86647e2c3c8fb6756d469aaaf230704cd124e
Instruction Fuzzy Hash: 49413DB5600208EFDB119FA5DC48EAB7BB8FF8A721F104068F906DB261D7349D05EB60

Function 00F8D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F8DA10
_wcscat.LIBCMT ref: 00F8DA28
_wcscat.LIBCMT ref: 00F8DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F8DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DA63
GetFileAttributesW.KERNEL32(?), ref: 00F8DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F8DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DAA7

Strings

*.*, xrefs: 00F8DAE6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3b6322d8c22d1b621faf7b1ef07811179a21d89a74fb53ff401601f7f352504c
Instruction ID: 3ecf7fb7fa48c5802e67bfdd6ce18ca99bc438b156de47dc4c5eeb574d650e85
Opcode Fuzzy Hash: 3b6322d8c22d1b621faf7b1ef07811179a21d89a74fb53ff401601f7f352504c
Instruction Fuzzy Hash: A28184729042459FCB24EF64C845AEAB7E4BF85324F18482EF889C7291E734DD45EB52

Function 00FAC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FAC1FC
GetFocus.USER32 ref: 00FAC20C
GetDlgCtrlID.USER32(00000000), ref: 00FAC217
_memset.LIBCMT ref: 00FAC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FAC36D
GetMenuItemCount.USER32(?), ref: 00FAC38D
GetMenuItemID.USER32(?,00000000), ref: 00FAC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FAC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FAC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FAC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FAC489

Strings

0, xrefs: 00FAC33A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: b7812d316589713c80da19d40d37efdbcbdbf8aa490c96beaee31bb6f880d99d
Instruction ID: 14d2a7f99dbf6fed66d3f729d377d5d0449035ee87e92f9015d48a4fde0d22e0
Opcode Fuzzy Hash: b7812d316589713c80da19d40d37efdbcbdbf8aa490c96beaee31bb6f880d99d
Instruction Fuzzy Hash: 1881B1B1A083059FDB10CF54C894A7BBBE8FF8A724F00492DF99597291C730D905EBA2

Function 00F9731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F9738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F9739B
CreateCompatibleDC.GDI32(?), ref: 00F973A7
SelectObject.GDI32(00000000,?), ref: 00F973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F97408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F97444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F97468
SelectObject.GDI32(00000006,?), ref: 00F97470
DeleteObject.GDI32(?), ref: 00F97479
DeleteDC.GDI32(00000006), ref: 00F97480
ReleaseDC.USER32(00000000,?), ref: 00F9748B

Strings

(, xrefs: 00F97410

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e70c68882b4482d0da072b948b2a99cbf9dd44b770fcf6a791c2768f9c4fbd71
Instruction ID: ed8b6267649a6441d262c3f642db6dd621893a4cf68e00d7eeff4e1e1c4b264c
Opcode Fuzzy Hash: e70c68882b4482d0da072b948b2a99cbf9dd44b770fcf6a791c2768f9c4fbd71
Instruction Fuzzy Hash: 50515CB5904309EFDB14DFA9CC84EAEBBB9EF49310F14842DF95A97211C731A944DB50

Function 00F26A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F40957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F26B0C,?,00008000), ref: 00F40973

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F26BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F26CFA

Part of subcall function 00F2586D: _wcscpy.LIBCMT ref: 00F258A5

Part of subcall function 00F4363D: _iswctype.LIBCMT ref: 00F43645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F5E496
AU3!, xrefs: 00F26B61
Bad directive syntax error, xrefs: 00F5E79D
EA06, xrefs: 00F5E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F5E421
Error opening the file, xrefs: 00F5E43D, 00F5E4B8
Unterminated string, xrefs: 00F5E7E4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: c8e0cbb72b2928584f180bedc7dae6fd30d867f1526c9d0e24398b4978013215
Instruction ID: f7aa308ca019ae3264b16e41a9ec06037f89a28cda5196290cf4ce4473c933e5
Opcode Fuzzy Hash: c8e0cbb72b2928584f180bedc7dae6fd30d867f1526c9d0e24398b4978013215
Instruction Fuzzy Hash: 1B02ED315083419FC714EF20DC81AAFBBE5EF99354F14482DF989972A1DB38DA49EB42

Function 00F82D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F82DDD
GetMenuItemCount.USER32(00FE5890), ref: 00F82E66
DeleteMenu.USER32(00FE5890,00000005,00000000,000000F5,?,?), ref: 00F82EF6
DeleteMenu.USER32(00FE5890,00000004,00000000), ref: 00F82EFE
DeleteMenu.USER32(00FE5890,00000006,00000000), ref: 00F82F06
DeleteMenu.USER32(00FE5890,00000003,00000000), ref: 00F82F0E
GetMenuItemCount.USER32(00FE5890), ref: 00F82F16
SetMenuItemInfoW.USER32(00FE5890,00000004,00000000,00000030), ref: 00F82F4C
GetCursorPos.USER32(?), ref: 00F82F56
SetForegroundWindow.USER32(00000000), ref: 00F82F5F
TrackPopupMenuEx.USER32(00FE5890,00000000,?,00000000,00000000,00000000), ref: 00F82F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F82F7E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 0dbef6b81b930748dd03a1e1fd3b30fadfd4b47e278b5852d2b18f3b69628ae6
Instruction ID: edf1227bf9d6409af4ddf1268c7ec38deceec1ce82cf18657558e24773f481d1
Opcode Fuzzy Hash: 0dbef6b81b930748dd03a1e1fd3b30fadfd4b47e278b5852d2b18f3b69628ae6
Instruction Fuzzy Hash: 9771D271A00209BEEB61AF54DC89FEABF64FF05724F140216F625AA1E1C7B17810FB94

Function 00F777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

_memset.LIBCMT ref: 00F7786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F77902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F7792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F77935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F7793A

Strings

SOFTWARE\Classes\, xrefs: 00F7780C
\IPC$, xrefs: 00F77882
\CLSID, xrefs: 00F77822

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 86e5fb359d9775b4aaa628dd8ad7eb405e150344f4f281f85df83564731c6030
Instruction ID: 3928328abe9da5821228182095fccfbbd6894ae7f6a6b4407c48bba5b494d1cd
Opcode Fuzzy Hash: 86e5fb359d9775b4aaa628dd8ad7eb405e150344f4f281f85df83564731c6030
Instruction Fuzzy Hash: 74410872C1422DABCF11FFA4EC85DEEB778BF04710F44442AE905A7261EA349D08EB91

Function 00FA0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

Strings

HKEY_CURRENT_USER, xrefs: 00FA0F10
HKLM, xrefs: 00FA0EAF
HKEY_LOCAL_MACHINE, xrefs: 00FA0E9A
HKCC, xrefs: 00FA0EFF
HKU, xrefs: 00FA0F43
HKEY_CURRENT_CONFIG, xrefs: 00FA0EEE
HKEY_CLASSES_ROOT, xrefs: 00FA0EC4
HKEY_USERS, xrefs: 00FA0F32
HKCU, xrefs: 00FA0F21
HKCR, xrefs: 00FA0ED9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: c73b06763563606eb2aaf137b3db5f8bedd3da9c6cce855de4ca04424eb1d628
Instruction ID: 1d19fbaf6f7f04da10e9617f98dee2cd007002b2808b430ea6d420ce5d7937fb
Opcode Fuzzy Hash: c73b06763563606eb2aaf137b3db5f8bedd3da9c6cce855de4ca04424eb1d628
Instruction Fuzzy Hash: 97416A7254424A8FCF10EF50ECA1AEE3765EF12350F184415FC552B292DF78A91AFBA0

Function 00F7F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F5E2A0,00000010,?,Bad directive syntax error,00FAF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F7F7C2
LoadStringW.USER32(00000000,?,00F5E2A0,00000010), ref: 00F7F7C9

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

_wprintf.LIBCMT ref: 00F7F7FC
__swprintf.LIBCMT ref: 00F7F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F7F88D

Strings

Line %d:, xrefs: 00F7F818
%s (%d) : ==> %s.: %s %s, xrefs: 00F7F7F7
Line %d (File "%s"):, xrefs: 00F7F833
., xrefs: 00F7F873
Error: , xrefs: 00F7F85B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: f95d5df408de0806af6466dbc95871a7f97edae2cc1e8a4b042485c22291d770
Instruction ID: a648f9d78355a1e8712225f1b21bc53c57dd36d621f5569c6d77ba6dbbea7645
Opcode Fuzzy Hash: f95d5df408de0806af6466dbc95871a7f97edae2cc1e8a4b042485c22291d770
Instruction Fuzzy Hash: 0D21803294021EEBCF11EFA0DC4AEEE7739BF18300F044466F509661A1EA75A61CFB52

Function 00F852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Part of subcall function 00F27924: _memmove.LIBCMT ref: 00F279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F85330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F85346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F85357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F85369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F8537A

Strings

open , xrefs: 00F852DF
alias PlayMe, xrefs: 00F85309
play PlayMe wait, xrefs: 00F85364
close PlayMe, xrefs: 00F85341, 00F8536E
status PlayMe mode, xrefs: 00F8532B
play PlayMe, xrefs: 00F85375

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 147ed119f808204509e159e814a05c5aacaaad517fe5c99ab01b953f3da2d375
Instruction ID: 088939a52b70d15f158be8d986f8d46fbe3ac2b81c16d3a01226090cb227caf0
Opcode Fuzzy Hash: 147ed119f808204509e159e814a05c5aacaaad517fe5c99ab01b953f3da2d375
Instruction Fuzzy Hash: 2B119431E5022D7AD720B775DC4ADFF7B7DEB92F90F04042AB401A21D1DEA08D45E6A1

Function 00F846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F846D2
gethostname.WSOCK32(?,00000100), ref: 00F846EC
gethostbyname.WSOCK32(?), ref: 00F846F9
_wcscpy.LIBCMT ref: 00F84721
_memmove.LIBCMT ref: 00F84734
inet_ntoa.WSOCK32(?), ref: 00F8473F
_strcat.LIBCMT ref: 00F8474D
_wcscpy.LIBCMT ref: 00F84764
WSACleanup.WSOCK32 ref: 00F84772
_wcscpy.LIBCMT ref: 00F84780

Strings

0.0.0.0, xrefs: 00F8471B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: efff43e7c104766a82db75ac984d91b0860e2a28aa4988457172d501dee9c842
Instruction ID: fcf8ce577f857dd1d718e1961e7ebfd966e5606c1068b5561aadc3efbbbebb53
Opcode Fuzzy Hash: efff43e7c104766a82db75ac984d91b0860e2a28aa4988457172d501dee9c842
Instruction Fuzzy Hash: EB11D571D001196BCB20BB709C4AEEE7BBCEF02721F0401B6F94596091EF789985AB55

Function 00F84F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F84F7A

Part of subcall function 00F4049F: timeGetTime.WINMM(?,75A8B400,00F30E7B), ref: 00F404A3

Sleep.KERNEL32(0000000A), ref: 00F84FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F84FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F84FEC
SetActiveWindow.USER32 ref: 00F8500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F85019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F85038
Sleep.KERNEL32(000000FA), ref: 00F85043
IsWindow.USER32 ref: 00F8504F
EndDialog.USER32(00000000), ref: 00F85060

Strings

BUTTON, xrefs: 00F84FDE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 058c9b6f548a7fa431260393041882b539ae13a9d5581d7e38353d8570b06c39
Instruction ID: 5e2d09e6b0b4d2140a057ceb96d097de92ece91e3779588a9c63eaea95daa285
Opcode Fuzzy Hash: 058c9b6f548a7fa431260393041882b539ae13a9d5581d7e38353d8570b06c39
Instruction Fuzzy Hash: E521A7B0A0074EAFE7106F60ECC9B763BA9EB15B95F0C1029F102CA2B5DB719D04B761

Function 00F8D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CoInitialize.OLE32(00000000), ref: 00F8D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F8D67D
SHGetDesktopFolder.SHELL32(?), ref: 00F8D691
CoCreateInstance.OLE32(00FB2D7C,00000000,00000001,00FD8C1C,?), ref: 00F8D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F8D74C
CoTaskMemFree.OLE32(?,?), ref: 00F8D7A4
_memset.LIBCMT ref: 00F8D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00F8D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F8D840
CoTaskMemFree.OLE32(00000000), ref: 00F8D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F8D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00F8D880

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 7f524925c6a66a4aea1efcc4ad37744d9989c9a4b7eb3dfdbc0ae1e8cb81fa20
Instruction ID: b96148f142b1755b682e0ed628ad04aec3041f22b816922ab2c59bffcec8504e
Opcode Fuzzy Hash: 7f524925c6a66a4aea1efcc4ad37744d9989c9a4b7eb3dfdbc0ae1e8cb81fa20
Instruction Fuzzy Hash: EEB10975A00119AFDB04EFA4CC88DAEBBB9FF49314F148069E909EB261DB34ED45DB50

Function 00F7C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F7C283
GetWindowRect.USER32(00000000,?), ref: 00F7C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F7C2F3
GetDlgItem.USER32(?,00000002), ref: 00F7C2FE
GetWindowRect.USER32(00000000,?), ref: 00F7C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F7C364
GetDlgItem.USER32(?,000003E9), ref: 00F7C372
GetWindowRect.USER32(00000000,?), ref: 00F7C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F7C3C6
GetDlgItem.USER32(?,000003EA), ref: 00F7C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F7C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00F7C3FE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d62a840b8a52bbb55c249faef55824f19376e8cc29a2b3b4a63904f9a3c860f4
Instruction ID: f413bc29111624c4bf2133dddaf3c6ad9a817b088a4a884a2338bc749675843c
Opcode Fuzzy Hash: d62a840b8a52bbb55c249faef55824f19376e8cc29a2b3b4a63904f9a3c860f4
Instruction Fuzzy Hash: 715153B1F00209AFDB18CFA9DD85A6DBBB6EF88310F14812DF519D7290D7709D049B50

Function 00F2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F22036,?,00000000,?,?,?,?,00F216CB,00000000,?), ref: 00F21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F220D3
KillTimer.USER32(-00000001,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F5BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BD0A
DeleteObject.GDI32(00000000), ref: 00F5BD1C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 841e5687b2e3c22cc4e63d87dcb46208d51ccd2cac4bdfaeaa35ae568ded00dd
Instruction ID: de94315261def64256cc3a1a822a4d541e186da57dd4dcda11b5b0d82e5e2f87
Opcode Fuzzy Hash: 841e5687b2e3c22cc4e63d87dcb46208d51ccd2cac4bdfaeaa35ae568ded00dd
Instruction Fuzzy Hash: 5561AF32900A64EFCB35DF14E988B25B7F1FF41726F108529EA424E570C774A994FB80

Function 00F221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

GetSysColor.USER32(0000000F), ref: 00F221D3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c6615dea411bb451a3f0a963417dc3f99b3ae248814750bd70fb64743cd9a5e
Instruction ID: dd85d5ae566cd4f7e9d808ea9b3d8385cf1962981b01b827f6ce7e012f36036b
Opcode Fuzzy Hash: 5c6615dea411bb451a3f0a963417dc3f99b3ae248814750bd70fb64743cd9a5e
Instruction Fuzzy Hash: 97419F31400554EBEB655F68EC88BB93B65EB06331F184365FE659E1E2C7328C46FB21

Function 00F8A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00FAF910), ref: 00F8A90B
GetDriveTypeW.KERNEL32(00000061,00FD89A0,00000061), ref: 00F8A9D5
_wcscpy.LIBCMT ref: 00F8A9FF

Strings

removable, xrefs: 00F8A93D
network, xrefs: 00F8A969
fixed, xrefs: 00F8A953
all, xrefs: 00F8A911
unknown, xrefs: 00F8A996
ramdisk, xrefs: 00F8A97F
cdrom, xrefs: 00F8A927

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 6968413e31efd21beef5b0e6f52187fb5d526b4b633375c8fb013f7ac604d7b1
Instruction ID: 8fcca76723c78381b29312620de27b29112956506c05d9379fd9e3cc4dd2f3d1
Opcode Fuzzy Hash: 6968413e31efd21beef5b0e6f52187fb5d526b4b633375c8fb013f7ac604d7b1
Instruction Fuzzy Hash: 3451CC315083019BD304FF14DC92AAFB7A5EF84750F48482EF999572A2DB74D909EB93

Function 00F29837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F29862
__swprintf.LIBCMT ref: 00F298AC
__i64tow.LIBCMT ref: 00F5F5E6

Strings

True, xrefs: 00F5F5A7
%.15g, xrefs: 00F298A6
0x%p, xrefs: 00F5F5C8
False, xrefs: 00F5F5AE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2ce99cbe5f6a8a9b94f63f27540916c27404b90ae24a9edcef7f9f5829e7144c
Instruction ID: 548e6c4c23c7aa24c1649cda6d0ed0a4bd2836173f4919b58840e4f5337ad0f2
Opcode Fuzzy Hash: 2ce99cbe5f6a8a9b94f63f27540916c27404b90ae24a9edcef7f9f5829e7144c
Instruction Fuzzy Hash: 4241F532904205AFDB24DF34DC42EBA77E8EF05310F6844BEEA49D7291EA759949BB10

Function 00FA7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA716A
CreateMenu.USER32 ref: 00FA7185
SetMenu.USER32(?,00000000), ref: 00FA7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA7221
IsMenu.USER32(?), ref: 00FA7237
CreatePopupMenu.USER32 ref: 00FA7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA726E
DrawMenuBar.USER32 ref: 00FA7276

Strings

0, xrefs: 00FA7160
F, xrefs: 00FA7262

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 12c03ccc3771083b57676c02b48d518ef97370a657320e9f38f2597bdfbed4e4
Instruction ID: bf3a504c2853fac65d8c95c761e181bd44f3dcf962f42ca0dc29f3825726a009
Opcode Fuzzy Hash: 12c03ccc3771083b57676c02b48d518ef97370a657320e9f38f2597bdfbed4e4
Instruction Fuzzy Hash: E84114B5A01209AFDB20EFA4DD84F9ABBF5FB4A310F144029F9459B361D731A914EF90

Function 00FA74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FA755E
CreateCompatibleDC.GDI32(00000000), ref: 00FA7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FA7578
SelectObject.GDI32(00000000,00000000), ref: 00FA7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FA758B
DeleteDC.GDI32(00000000), ref: 00FA7594
GetWindowLongW.USER32(?,000000EC), ref: 00FA759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FA75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FA75BE

Strings

static, xrefs: 00FA74F6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: de3bc62de002b97bd98d0678fa8c20d6c6fd3703b6601169bac303cb6d1486dc
Instruction ID: bcdc8068c9fe1231eb5327285629bb3844bb1a46f1289ae0270a680d3488cbb6
Opcode Fuzzy Hash: de3bc62de002b97bd98d0678fa8c20d6c6fd3703b6601169bac303cb6d1486dc
Instruction Fuzzy Hash: E9318FB2904218BFDF11AFA4DC08FDB3B69FF0A320F154224FA559A1A0C735D815EBA4

Function 00F46E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F46E3E

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

__gmtime64_s.LIBCMT ref: 00F46ED7
__gmtime64_s.LIBCMT ref: 00F46F0D
__gmtime64_s.LIBCMT ref: 00F46F2A
__allrem.LIBCMT ref: 00F46F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F46F9C
__allrem.LIBCMT ref: 00F46FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F46FD1
__allrem.LIBCMT ref: 00F46FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F47006
__invoke_watson.LIBCMT ref: 00F47077

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 44f71f522405d168b39e5bae17931ce48c1ca162568e2640d5c397b04a30d1cb
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 16712476E00716ABE714AE6CCC41BAABBF8AF01374F144229FD14D6281F778ED44A791

Function 00F82527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82542
GetMenuItemInfoW.USER32(00FE5890,000000FF,00000000,00000030), ref: 00F825A3
SetMenuItemInfoW.USER32(00FE5890,00000004,00000000,00000030), ref: 00F825D9
Sleep.KERNEL32(000001F4), ref: 00F825EB
GetMenuItemCount.USER32(?), ref: 00F8262F
GetMenuItemID.USER32(?,00000000), ref: 00F8264B
GetMenuItemID.USER32(?,-00000001), ref: 00F82675
GetMenuItemID.USER32(?,?), ref: 00F826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F82700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F82714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F82735

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7da5319d62de36cc08043c6864e94bdef228fdd0e8af8f92d9eda55577cd22ab
Instruction ID: 3177cf605d2e65eada4683c86216f3194bea464b0ac4ec1d9f92c9b5b7323d35
Opcode Fuzzy Hash: 7da5319d62de36cc08043c6864e94bdef228fdd0e8af8f92d9eda55577cd22ab
Instruction Fuzzy Hash: 656190B1900249AFDF51EFA4DC88EFE7BB8EB01314F140059E842AB251E735BD05EB21

Function 00FA6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FA6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FA6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00FA6FCC
_memset.LIBCMT ref: 00FA6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FA7067

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 20370b9d614205ccbce4728059010c1d4e8dc0fe76339b31b7d9b218136ecb90
Instruction ID: 6928710658254dae7371647a7b05c6ceaeddf5250ebf8b1c88e3ee685ea13cb2
Opcode Fuzzy Hash: 20370b9d614205ccbce4728059010c1d4e8dc0fe76339b31b7d9b218136ecb90
Instruction Fuzzy Hash: AA61ACB5900248AFDB11DFA4CC81EEE77F8EB09710F144169FA04EB2A1C775AE45EB90

Function 00F76B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F76BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00F76C18
VariantInit.OLEAUT32(?), ref: 00F76C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F76C4A
VariantCopy.OLEAUT32(?,?), ref: 00F76C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F76CB1
VariantClear.OLEAUT32(?), ref: 00F76CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F76CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F76CDC
VariantClear.OLEAUT32(?), ref: 00F76CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F76CF9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6ad2468c17ab87079141689dd5603c3f9a3f4e97a96e735abe933efc7c841eb9
Instruction ID: 74ebd6ae8963fb196b20d35d61e4d068a0a056a5357e4286f6478ee7c30b0a93
Opcode Fuzzy Hash: 6ad2468c17ab87079141689dd5603c3f9a3f4e97a96e735abe933efc7c841eb9
Instruction Fuzzy Hash: 5B416071A0021D9FCF00DFA8DC449EEBBB9EF48350F00C069E955EB261DB35A949EB91

Function 00F95732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F95793
inet_addr.WSOCK32(?,?,?), ref: 00F957D8
gethostbyname.WSOCK32(?), ref: 00F957E4
IcmpCreateFile.IPHLPAPI ref: 00F957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F95862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F95878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F958ED
WSACleanup.WSOCK32 ref: 00F958F3

Strings

Ping, xrefs: 00F95816

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 03d53c393cc34095ea507dc26b2e6f6417c2634e64ee9183fcb8d2e9d188d07a
Instruction ID: 3e8d267b1928df0795ddc9af623a83eb20a16c1c413e861cd1c7a887e805aa39
Opcode Fuzzy Hash: 03d53c393cc34095ea507dc26b2e6f6417c2634e64ee9183fcb8d2e9d188d07a
Instruction Fuzzy Hash: 1A51A171A04700DFEB11EF64DC45B2A77E4EF45B20F044929F956DB2A1DB74E904EB42

Function 00F8B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F8B546
GetLastError.KERNEL32 ref: 00F8B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00F8B5BD

Strings

READY, xrefs: 00F8B596
INVALID, xrefs: 00F8B58F
UNKNOWN, xrefs: 00F8B575
READONLY, xrefs: 00F8B588
NOTREADY, xrefs: 00F8B57C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6edb9ed45998b69fabed8012fc87f72bdddd07363bf6b4621da3dae190c9407d
Instruction ID: df033936e670d3cf1c847d1404cfe4f05a8f67318c3c5ec819f02f630ea38b73
Opcode Fuzzy Hash: 6edb9ed45998b69fabed8012fc87f72bdddd07363bf6b4621da3dae190c9407d
Instruction Fuzzy Hash: E631AF75A002099FCB10FBA8DC85EEE7BB4FF49310F184026E505DB295DB749A46EB81

Function 00F78F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F79014
GetDlgCtrlID.USER32 ref: 00F7901F
GetParent.USER32 ref: 00F7903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F7903E
GetDlgCtrlID.USER32(?), ref: 00F79047
GetParent.USER32(?), ref: 00F79063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F79066

Strings

ListBox, xrefs: 00F78FD1
ComboBox, xrefs: 00F78F9C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 89986cc3e0c8dcb2e09c2ca4fda3ae0321da3d8a2f8052c4469320ff48b64004
Instruction ID: d0e6b2131598c77ecc6039100b6ce8d56514d3c09b7b5114540915b94f216e0a
Opcode Fuzzy Hash: 89986cc3e0c8dcb2e09c2ca4fda3ae0321da3d8a2f8052c4469320ff48b64004
Instruction Fuzzy Hash: E321F870A00208BBDF04ABB0CC85EFEBB75EF4A310F104116F925972A1DB799819FB61

Function 00F7907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F790FD
GetDlgCtrlID.USER32 ref: 00F79108
GetParent.USER32 ref: 00F79124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F79127
GetDlgCtrlID.USER32(?), ref: 00F79130
GetParent.USER32(?), ref: 00F7914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F7914F

Strings

ListBox, xrefs: 00F790BC
ComboBox, xrefs: 00F79087

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 65b50fcfd911281aad5b5242cfd22f28149ebc84e2449417e104882074e354ba
Instruction ID: e194e45f2c2b1a9beb053413928a6ae02467a4957e9a682cd227b9d9f21f547c
Opcode Fuzzy Hash: 65b50fcfd911281aad5b5242cfd22f28149ebc84e2449417e104882074e354ba
Instruction Fuzzy Hash: 0B21F874A00208BBDF10ABA0CC85EFEBB78EF45300F504016B515972A1DB799419FB21

Function 00F79163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F7916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00F79184
_wcscmp.LIBCMT ref: 00F79196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F79211

Strings

details, xrefs: 00F791BF
list, xrefs: 00F791F3
smallicons, xrefs: 00F791D9
largeicons, xrefs: 00F791A5
SHELLDLL_DefView, xrefs: 00F79190

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 3f08e47314108752691932db077db3bb9e3b6bef8dfc95b28139cedd4536c998
Instruction ID: e026296899f76a85fdb8ce64634c70db29d1b002e745723921909ec4b0deee51
Opcode Fuzzy Hash: 3f08e47314108752691932db077db3bb9e3b6bef8dfc95b28139cedd4536c998
Instruction Fuzzy Hash: AE110A7768C307BAFA113624EC16EA73B9D9B15730B204027FD04E81D2FEE1A951B597

Function 00F988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F988D7
CoInitialize.OLE32(00000000), ref: 00F98904
CoUninitialize.OLE32 ref: 00F9890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F98A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F98B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00FB2C0C), ref: 00F98B6F
CoGetObject.OLE32(?,00000000,00FB2C0C,?), ref: 00F98B92
SetErrorMode.KERNEL32(00000000), ref: 00F98BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F98C25
VariantClear.OLEAUT32(?), ref: 00F98C35

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 022867290e95f89ca28c3afb234ad606bd3af93d2f46acc360e33abaf019e56d
Instruction ID: b781549c47cc2671d3adae329e793b222ebc0172bce9aa8838659008e240c8ae
Opcode Fuzzy Hash: 022867290e95f89ca28c3afb234ad606bd3af93d2f46acc360e33abaf019e56d
Instruction Fuzzy Hash: 43C158B1608305AFDB00DF64C88492BB7E9FF8A388F04491DF8899B251DB75ED06DB52

Function 00F87990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F87A6C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 2641ddce5357a92a5ae23ae768e4e828b98ee1ebc796a34f4db49eb5df236d0f
Instruction ID: dbcc628473bed3e1300a381218cad54dcf9f39dbf1d352cc3cead61e71b3d668
Opcode Fuzzy Hash: 2641ddce5357a92a5ae23ae768e4e828b98ee1ebc796a34f4db49eb5df236d0f
Instruction Fuzzy Hash: 98B15E719082199FDB00FFA4C885BFEBBB5EF49321F244429E901EB251D778E945EB90

Function 00F811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F81204
GetWindowThreadProcessId.USER32(00000000), ref: 00F8120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F8121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F8122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F81245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F81257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F8129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F812BC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3dff9cf6a9def4f38974db2c6e8403e2882bbc4ec45f5fe16f021001ac6ac986
Instruction ID: d8aa97e4606f4cb659e2956c6f8dd839553e97a1789000379bcdc718abdf3bff
Opcode Fuzzy Hash: 3dff9cf6a9def4f38974db2c6e8403e2882bbc4ec45f5fe16f021001ac6ac986
Instruction Fuzzy Hash: 223193B5A0024CFBDB60AF54EC88FA977AEFB65361F104215F904CA2A0E7B49D45AB50

Function 00F2FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F2FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F2FB45
UnregisterHotKey.USER32(?), ref: 00F2FC9C
DestroyWindow.USER32(?), ref: 00F645D6
FreeLibrary.KERNEL32(?), ref: 00F6463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F64668

Strings

close all, xrefs: 00F2FAA1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1e594ebdf28672b8d09dceef625ede98224e962e264713fd006aae45c7ffd7f2
Instruction ID: 46fdb008e793673ebf53be824ce6d40fb6af464a3c20aed801a9dbf063279d64
Opcode Fuzzy Hash: 1e594ebdf28672b8d09dceef625ede98224e962e264713fd006aae45c7ffd7f2
Instruction Fuzzy Hash: 53A18C31B01226CFCB19EF14D994A69F764BF05720F5442BDE80AAB261CB35ED1AEF50

Function 00F7A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F7A439), ref: 00F7A377

Strings

NAME, xrefs: 00F7A1A9
TEXT, xrefs: 00F7A2AE
CLASS, xrefs: 00F7A0F6
CLASSNN, xrefs: 00F7A119
INSTANCE, xrefs: 00F7A285
REGEXPCLASS, xrefs: 00F7A13C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 220626e58e249e2d25636c602ee3d6506d1a8a602a2a816dda0018ade0ad59c8
Instruction ID: 8629ea948f18bf92e837be205124aff02856f2e662afb9ffa8a496bf4b95041c
Opcode Fuzzy Hash: 220626e58e249e2d25636c602ee3d6506d1a8a602a2a816dda0018ade0ad59c8
Instruction Fuzzy Hash: 94910331A00606AACB08EFA0C841BEDFB75BF44310F55C11BE84DA7252DF356999FB92

Function 00F22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F22EAE

Part of subcall function 00F21DB3: GetClientRect.USER32(?,?), ref: 00F21DDC
Part of subcall function 00F21DB3: GetWindowRect.USER32(?,?), ref: 00F21E1D
Part of subcall function 00F21DB3: ScreenToClient.USER32(?,?), ref: 00F21E45

GetDC.USER32 ref: 00F5CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F5CD45
SelectObject.GDI32(00000000,00000000), ref: 00F5CD53
SelectObject.GDI32(00000000,00000000), ref: 00F5CD68
ReleaseDC.USER32(?,00000000), ref: 00F5CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F5CDFB

Strings

U, xrefs: 00F5CCD0

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 89665e7084b83d94795ffadf77c8cbce871e920950a760f6e8eb4f869cae7399
Instruction ID: b6f12209a1a8586c23cfbcf11360ca27b78c1c9f0e3a5b3b1cfb7fe26d0dd349
Opcode Fuzzy Hash: 89665e7084b83d94795ffadf77c8cbce871e920950a760f6e8eb4f869cae7399
Instruction Fuzzy Hash: A871C531900309EFCF218F64DC84AAA7BB5FF49365F14427AEE569A266C7309C45FB90

Function 00F91A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F91A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F91A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F91ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F91AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F91AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F91B10
InternetCloseHandle.WININET(00000000), ref: 00F91B57

Part of subcall function 00F92483: GetLastError.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F92498
Part of subcall function 00F92483: SetEvent.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F924AD

Strings

, xrefs: 00F91B01

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 1b27c24d0acf8d4fe85336f5bcf6ae5016206d6bbffd8cd19c39326102cd383d
Instruction ID: 27dad6667123578f4b44a11d2658cf92ce7ebc2f353fd70d090ca474ccc4f076
Opcode Fuzzy Hash: 1b27c24d0acf8d4fe85336f5bcf6ae5016206d6bbffd8cd19c39326102cd383d
Instruction Fuzzy Hash: CC4171B190121ABFFF118F50CC85FBA7BADFF49354F004126F9059A141E7749E44ABA0

Function 00F98C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00FAF910), ref: 00F98D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00FAF910), ref: 00F98D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F98ED6
SysFreeString.OLEAUT32(?), ref: 00F98F00

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 44089a24daccf94ffcdd0c85ac64ca2384a4c7c12105d0029c1cfea949efcc8e
Instruction ID: d1a37f47126862dadba919a7a75ef99ccd9a22de39635eeb59e996eafde56d57
Opcode Fuzzy Hash: 44089a24daccf94ffcdd0c85ac64ca2384a4c7c12105d0029c1cfea949efcc8e
Instruction Fuzzy Hash: C0F16B71A00209EFEF04DFA4C884EAEB7B9FF49354F108458F915AB251DB71AE46EB50

Function 00F9F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F9FA7C
CloseHandle.KERNEL32(?), ref: 00F9FAAB
CloseHandle.KERNEL32(?), ref: 00F9FB22

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 91b3034a0efea8b795bed614b5d1a61fd6f037a089c6cd31105c389d9a575435
Instruction ID: 270ca4347268c6db236d608f04492f953325d76827f3c575d7fb38e713b4b1fd
Opcode Fuzzy Hash: 91b3034a0efea8b795bed614b5d1a61fd6f037a089c6cd31105c389d9a575435
Instruction Fuzzy Hash: 34E1D4316043019FDB14EF24CC81B6ABBE1EF85364F18856DF8998B2A1CB35DC49EB52

Function 00F84CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F83697,?), ref: 00F8468B

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F83697,?), ref: 00F846A4

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

lstrcmpiW.KERNEL32(?,?), ref: 00F84D40
_wcscmp.LIBCMT ref: 00F84D5A
MoveFileW.KERNEL32(?,?), ref: 00F84D75

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7688d130454d61fcd28ad746cd2371dfd27149a2170343e6a202a298fec88c51
Instruction ID: 07250c56c298435a5b51d24df7a225f133edad95a11cfc7a3d4c2ea12a947a99
Opcode Fuzzy Hash: 7688d130454d61fcd28ad746cd2371dfd27149a2170343e6a202a298fec88c51
Instruction Fuzzy Hash: A25161B25083459BC724EBA0DC819DFB7ECAF85310F40092EB689D3151EF38B688D766

Function 00FA8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FA86FF

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ca6572bf540eecfaf335f27d5a843979ab8adc6ab6dd6d3b15add1f0b9d734ba
Instruction ID: d8fc057db104afab9bf9c0d54609cf71e8dec280460db3b7ef1c204796d5610d
Opcode Fuzzy Hash: ca6572bf540eecfaf335f27d5a843979ab8adc6ab6dd6d3b15add1f0b9d734ba
Instruction Fuzzy Hash: 6251D4B0900254BEEB249B64DC85FAD3B65EB077A0F600121F951D62E1CFF5AD81FB50

Function 00F22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F5C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F5C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F5C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F5C370
DestroyIcon.USER32(00000000), ref: 00F5C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F5C39C
DestroyIcon.USER32(?), ref: 00F5C3AB

Part of subcall function 00FAA4AF: DeleteObject.GDI32(00000000), ref: 00FAA4E8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0c3c9a171f6d48653321d675e12b2587eacc470556a3ab36de2186d2902f8ca0
Instruction ID: 33356eb90a37a3a9f32f096276e58bfc80c1bba9745062cb103bf5dfa892e02e
Opcode Fuzzy Hash: 0c3c9a171f6d48653321d675e12b2587eacc470556a3ab36de2186d2902f8ca0
Instruction Fuzzy Hash: 4D516B71A00309EFDB20DF64DC45FAA3BB5EB48721F104529FA029B2A0DB74AD54FB90

Function 00F7966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7A84C
Part of subcall function 00F7A82C: GetCurrentThreadId.KERNEL32 ref: 00F7A853
Part of subcall function 00F7A82C: AttachThreadInput.USER32(00000000,?,00F79683,?,00000001), ref: 00F7A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F7968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F796FB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 37b9e7ace8c085076e69cd81a1cce88e697b8e5a85de1f4993ef893a536ce5c4
Instruction ID: 40b705720ee58a7156d4f7a0e69960e7e5895665bfafab15779f82fe97b79495
Opcode Fuzzy Hash: 37b9e7ace8c085076e69cd81a1cce88e697b8e5a85de1f4993ef893a536ce5c4
Instruction Fuzzy Hash: 5A11E1B1910618BEF6106FA0DC89F6A3B2DEB4D750F110426F248AF1E1C9F26C11EAA5

Function 00F78921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F7853C,00000B00,?,?), ref: 00F7892A
HeapAlloc.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F78931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F7853C,00000B00,?,?), ref: 00F78946
GetCurrentProcess.KERNEL32(?,00000000,?,00F7853C,00000B00,?,?), ref: 00F7894E
DuplicateHandle.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F78951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F7853C,00000B00,?,?), ref: 00F78961
GetCurrentProcess.KERNEL32(00F7853C,00000000,?,00F7853C,00000B00,?,?), ref: 00F78969
DuplicateHandle.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F7896C
CreateThread.KERNEL32(00000000,00000000,00F78992,00000000,00000000,00000000), ref: 00F78986

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e8c05f92bb1d343edae0a53a9b21491c575f9e1f53724c1420e1930bd98e13fb
Instruction ID: 9dbb4030237b6015060ccfaebf0bf7a0ddaaf00304def1ff6cb01537af440c54
Opcode Fuzzy Hash: e8c05f92bb1d343edae0a53a9b21491c575f9e1f53724c1420e1930bd98e13fb
Instruction Fuzzy Hash: 0101BBB5240348FFE760ABA5DC4DF6B3BACEB89711F418421FA05DF1A1DA709804DB21

Function 00F99B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F99B7B
NULL Pointer assignment, xrefs: 00F99BA4, 00F99EC8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e54a46afa3f2575541de18ab4e1dd6ccdf5642acf8442654be182f996cf0ec4a
Instruction ID: 86554ff11450dbd72ee28fa829d79ef819045c8c3642cbbd42ff09fcfccd5cb5
Opcode Fuzzy Hash: e54a46afa3f2575541de18ab4e1dd6ccdf5642acf8442654be182f996cf0ec4a
Instruction Fuzzy Hash: 19C19171E0420A9BEF14DF98D884BAEB7F5BB48314F15846DE905AB280E7B09D45DBA0

Function 00F99113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F99167
VariantInit.OLEAUT32(?), ref: 00F99238
VariantInit.OLEAUT32(?), ref: 00F99339
VariantClear.OLEAUT32(?), ref: 00F99343
VariantClear.OLEAUT32(?), ref: 00F993A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F991C8, 00F992F6, 00F993AE
Incorrect Object type in FOR..IN loop, xrefs: 00F9931C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d0ef15edc5bee421d1ff470d2539d54d0db830f34f8dd095ce019804aaf8b98d
Instruction ID: f6b058691fba7214d2483406ec3c3bd49d00e140a980538cadd98243119a2d96
Opcode Fuzzy Hash: d0ef15edc5bee421d1ff470d2539d54d0db830f34f8dd095ce019804aaf8b98d
Instruction Fuzzy Hash: C4918F71E04215ABEF24DFA9CC48FAEB7B8EF45720F11811DF505AB280D7B09945DBA0

Function 00F9975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F7710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?,?,00F77455), ref: 00F77127
Part of subcall function 00F7710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77142
Part of subcall function 00F7710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77150
Part of subcall function 00F7710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?), ref: 00F77160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F99806
_memset.LIBCMT ref: 00F99813
_memset.LIBCMT ref: 00F99956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F99982
CoTaskMemFree.OLE32(?), ref: 00F9998D

Strings

NULL Pointer assignment, xrefs: 00F999DB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7b3dc9b4329f408c95b0c69083161a2dd867592b73bd7f4761665e0a6d3d31b1
Instruction ID: 1c630de61d6ad6cfb4709c6669c30464efeb48b50964b85919d8fb73bb6ff477
Opcode Fuzzy Hash: 7b3dc9b4329f408c95b0c69083161a2dd867592b73bd7f4761665e0a6d3d31b1
Instruction Fuzzy Hash: 70912671D00229ABDF10DFA5DC40EDEBBB9EF09710F20416AF419A7291EB759A44DFA0

Function 00FA6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FA6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00FA6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FA6E52
_wcscat.LIBCMT ref: 00FA6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FA6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FA6EF2

Strings

SysListView32, xrefs: 00FA6DF6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b3c27c3a6f96ea7ec63f1fd4332799648034460b1f53e0c325296a8a3fd9b0e1
Instruction ID: c607b7a025651466a9f6702a2d18efe715c88d291087200e21174c621bc8174b
Opcode Fuzzy Hash: b3c27c3a6f96ea7ec63f1fd4332799648034460b1f53e0c325296a8a3fd9b0e1
Instruction Fuzzy Hash: BE41A1B1A00348AFDB219FA4CC85BEA77A9EF09360F14042AF544E7291D6759D84AB64

Function 00F9E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F83C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F83C7A
Part of subcall function 00F83C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F83C88
Part of subcall function 00F83C55: CloseHandle.KERNEL32(00000000), ref: 00F83D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9E9A4
GetLastError.KERNEL32 ref: 00F9E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F9EA63
GetLastError.KERNEL32(00000000), ref: 00F9EA6E
CloseHandle.KERNEL32(00000000), ref: 00F9EAA3

Strings

SeDebugPrivilege, xrefs: 00F9E9C2

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 591c985d3095fda71aa765d773dcbcbe6fc059958ae8ee0ed6985915bf2d5a72
Instruction ID: d22854cdaf5c13d28d7e6161899ab67c072db2afb7fdc87454e183ddeacbfa18
Opcode Fuzzy Hash: 591c985d3095fda71aa765d773dcbcbe6fc059958ae8ee0ed6985915bf2d5a72
Instruction Fuzzy Hash: 1041CE717042009FDB14EF54CC95FADB7A5AF41314F188419F9469F2D2CBB8E809EB92

Function 00F82F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F83033

Strings

stop, xrefs: 00F83004
question, xrefs: 00F82FEC
warning, xrefs: 00F8301C
info, xrefs: 00F82FD4
blank, xrefs: 00F82FB5

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 731605b45219729645dba40291700889abed6029c5188a3c61114ce78246899a
Instruction ID: 28a2df2b8596e486425497e3d8813301b315c7127adffe5c47689679453a006b
Opcode Fuzzy Hash: 731605b45219729645dba40291700889abed6029c5188a3c61114ce78246899a
Instruction Fuzzy Hash: 3A112B32748346BED714AB54DC42EEB7B9C9F15774B14002AFD00A6281EB74AF4077A5

Function 00F842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F84312
LoadStringW.USER32(00000000), ref: 00F84319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F8432F
LoadStringW.USER32(00000000), ref: 00F84336
_wprintf.LIBCMT ref: 00F8435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F8437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F84357

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e99f92a77456692203f4bf59c288b6d3cac9a2763e94369ae6c3ba52839b4b8e
Instruction ID: cbc4fa957607fbe3caac1030ae1bb5787281271862a72e3bb0f957cd1a9eefcb
Opcode Fuzzy Hash: e99f92a77456692203f4bf59c288b6d3cac9a2763e94369ae6c3ba52839b4b8e
Instruction Fuzzy Hash: B301A2F290020CBFE710A7E0DD89EE7776CDB09300F4000A1BB05E6111EA349E896B70

Function 00FAD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetSystemMetrics.USER32(0000000F), ref: 00FAD47C
GetSystemMetrics.USER32(0000000F), ref: 00FAD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FAD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FAD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FAD716
ShowWindow.USER32(00000003,00000000), ref: 00FAD735
InvalidateRect.USER32(?,00000000,00000001), ref: 00FAD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FAD77D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 488b6874f930efb04ec0b05ea6a4d1edb085c37d0a41221ca62344f7ad93b008
Instruction ID: b264c0da52c015b0987a5e831c572fdd34f505a482e246427fe5ec643ac449de
Opcode Fuzzy Hash: 488b6874f930efb04ec0b05ea6a4d1edb085c37d0a41221ca62344f7ad93b008
Instruction Fuzzy Hash: 92B1BCB5A00219EFDF18CF68C9C47AD3BB1BF09710F088069EC4A9F695D734A950EB90

Function 00F22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F5C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F5C286

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0b3dabf67819817472ec09bbb8d681f112a7d2b8d723f4a665297642879d38c8
Instruction ID: f7ffcaad954b1ca74ea836d4f0d007dc912c9447dbcd99068ba4eef07e1b0269
Opcode Fuzzy Hash: 0b3dabf67819817472ec09bbb8d681f112a7d2b8d723f4a665297642879d38c8
Instruction Fuzzy Hash: 76414231A047D0BEC7B55F78EC8C76B7BD1AF86320F14842DE54786960C6799889FB50

Function 00F870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F870DD

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F87114
EnterCriticalSection.KERNEL32(?), ref: 00F87130
_memmove.LIBCMT ref: 00F8717E
_memmove.LIBCMT ref: 00F8719B
LeaveCriticalSection.KERNEL32(?), ref: 00F871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F871DE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: bee5fe171f374cec735615e32515952a4cc44e9c4535e3b411932f6bb9b5f4d8
Instruction ID: b35a9afb4d806bd76238268fc86e4a0fc02cc720668d6b9f472720048e3818b1
Opcode Fuzzy Hash: bee5fe171f374cec735615e32515952a4cc44e9c4535e3b411932f6bb9b5f4d8
Instruction Fuzzy Hash: A4317071900205EBCB10EFA4DC89AAEBBB8EF45710F2441B5ED04AB256DB34DE14EB60

Function 00FA61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FA61EB
GetDC.USER32(00000000), ref: 00FA61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA61FE
ReleaseDC.USER32(00000000,00000000), ref: 00FA620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FA6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FA6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FA902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00FA6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FA62B1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b0ef8349b02b87df3959cae4cd09ac6f98ff2e19235ef8c3119c17c23cfc5044
Instruction ID: 9adadd11c32d1d0c42bca0dd5522a4f4e2ebea7bb0581eedf56c0d713f254ad0
Opcode Fuzzy Hash: b0ef8349b02b87df3959cae4cd09ac6f98ff2e19235ef8c3119c17c23cfc5044
Instruction Fuzzy Hash: F5316DB2101214BFEF118F50CC8AFEA3BA9EF4A765F084065FE08DE291C6759841DB64

Function 00F7BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F7BBC4
_memcmp.LIBCMT ref: 00F7BBE6
_memcmp.LIBCMT ref: 00F7BBFE
_memcmp.LIBCMT ref: 00F7BC11
_memcmp.LIBCMT ref: 00F7BC2B
_memcmp.LIBCMT ref: 00F7BC3E
_memcmp.LIBCMT ref: 00F7BC56
_memcmp.LIBCMT ref: 00F7BC71

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 10c4d81fe22442429d07a9b1719e1173ccd109cde86f7268b1680a6486c34ec0
Instruction ID: bd89f6cbe566b1d3673fab7185446805b9c4c9dfaa96d03966492032ab8eae8f
Opcode Fuzzy Hash: 10c4d81fe22442429d07a9b1719e1173ccd109cde86f7268b1680a6486c34ec0
Instruction Fuzzy Hash: B721FC616012057BE205B615DD42FFB7B5DAE53368F04C022FD0C56647EB18DE11B5A3

Function 00F8EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

_wcstok.LIBCMT ref: 00F8EC94
_wcscpy.LIBCMT ref: 00F8ED23
_memset.LIBCMT ref: 00F8ED56

Strings

X, xrefs: 00F8ED93

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 34455eb820161053145743299aadbca52853f66c8db2e8371ee8335b2f55aef3
Instruction ID: fbd00f83a4f1bd626c02210f7e5892ef7bdc92c845e2c957e6ded2ad5584d99e
Opcode Fuzzy Hash: 34455eb820161053145743299aadbca52853f66c8db2e8371ee8335b2f55aef3
Instruction Fuzzy Hash: D7C191719087119FC754FF24D881A9AB7E0FF85310F04492DF8999B2A2DB74ED49EB42

Function 00F96B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F96C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F96C21
WSAGetLastError.WSOCK32(00000000), ref: 00F96C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00F96CEA
inet_ntoa.WSOCK32(?), ref: 00F96CA7

Part of subcall function 00F7A7E9: _strlen.LIBCMT ref: 00F7A7F3
Part of subcall function 00F7A7E9: _memmove.LIBCMT ref: 00F7A815

_strlen.LIBCMT ref: 00F96D44
_memmove.LIBCMT ref: 00F96DAD

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: db7f2a1df58f0e05f10944ad60ae6e1842a7c71e87626236096da37e19a8135b
Instruction ID: 278ad0019d5db78446096cec9c69e84de740ee585c066c8079d1454af09c5a47
Opcode Fuzzy Hash: db7f2a1df58f0e05f10944ad60ae6e1842a7c71e87626236096da37e19a8135b
Instruction Fuzzy Hash: 5F811272608300ABDB10EF24DC82F6AB7A8AFC4724F40491DF555DB2D2DA78DD05EB52

Function 00F21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2a22066df4185512bbdb4915d635a09ef0b41f5328b3881b54b787b48b9249
Instruction ID: 4be7b7481fce7844eb6bc3e8519d75e2e7c6e78e4771f3dad6b9cf600dca84bc
Opcode Fuzzy Hash: 8e2a22066df4185512bbdb4915d635a09ef0b41f5328b3881b54b787b48b9249
Instruction Fuzzy Hash: 9571BE31900119EFCB04DF98DC49ABEBB79FF86320F248149F915AA251C734AA11EF64

Function 00FAB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01466898), ref: 00FAB3EB
IsWindowEnabled.USER32(01466898), ref: 00FAB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FAB4DB
SendMessageW.USER32(01466898,000000B0,?,?), ref: 00FAB512
IsDlgButtonChecked.USER32(?,?), ref: 00FAB54F
GetWindowLongW.USER32(01466898,000000EC), ref: 00FAB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FAB589

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7fb12d491009976a5eba96b2dbd5067b47178e6974d3b75df068a88de229653
Instruction ID: 71010201b95fe68bc15e854f372733bf885ee26f969a7b9714396189b365a196
Opcode Fuzzy Hash: a7fb12d491009976a5eba96b2dbd5067b47178e6974d3b75df068a88de229653
Instruction Fuzzy Hash: E0717CB4A04348EFDB20DF95C894FBA7BA9EF0B320F144059E955972A3C736A950FB50

Function 00F9F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9F448
_memset.LIBCMT ref: 00F9F511
ShellExecuteExW.SHELL32(?), ref: 00F9F556

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

GetProcessId.KERNEL32(00000000), ref: 00F9F5CD
CloseHandle.KERNEL32(00000000), ref: 00F9F5FC

Strings

@, xrefs: 00F9F525

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 22eb102671502908104f306aa6f855c8dd637180ab085349d591e4647332bc82
Instruction ID: dfe830e33b71de8865db25434110752f10f3d8beb592611ba128ed741e77eab2
Opcode Fuzzy Hash: 22eb102671502908104f306aa6f855c8dd637180ab085349d591e4647332bc82
Instruction Fuzzy Hash: D8619F75A006299FCF04DFA4C8819AEBBF5FF49320F188069E855AB351CB34AD45EF90

Function 00F80F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F80F8C
GetKeyboardState.USER32(?), ref: 00F80FA1
SetKeyboardState.USER32(?), ref: 00F81002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F81030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F8104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F81095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F810B8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fbd363c0ddbd205bacf62204c2a5a3f2799ab869f489d9ab6e8ce899c2f0cf82
Instruction ID: 1f8e4e05332027ee66140b94f2728bb469eb586cf3eaf5e0c5eb38aa7411bfc7
Opcode Fuzzy Hash: fbd363c0ddbd205bacf62204c2a5a3f2799ab869f489d9ab6e8ce899c2f0cf82
Instruction Fuzzy Hash: 7551D4A09047D53DFB3662348C09BF6BEAD6B06314F088689E2D9858D3C699DCCAF751

Function 00F80D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F80DA5
GetKeyboardState.USER32(?), ref: 00F80DBA
SetKeyboardState.USER32(?), ref: 00F80E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F80E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F80E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F80EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F80EC9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fc9165702bb4b5ac380ec80ca1a71c93b3a2a8e2f8bd49d1047306da1b191baa
Instruction ID: 0498ad4e0698cc70201247d8c130ffad156d13ce7972cdd2fc800d22b47624ae
Opcode Fuzzy Hash: fc9165702bb4b5ac380ec80ca1a71c93b3a2a8e2f8bd49d1047306da1b191baa
Instruction Fuzzy Hash: 1C5107A19047D53DFB7263748C45BFB7EA96B06310F488989F1D48A4C2CB95AC8DF750

Function 00F855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F8560A
_wcsncpy.LIBCMT ref: 00F8563F
_wcsncpy.LIBCMT ref: 00F85671
_wcsncpy.LIBCMT ref: 00F856A4
_wcsncpy.LIBCMT ref: 00F856E6
_wcsncpy.LIBCMT ref: 00F85720
_wcsncpy.LIBCMT ref: 00F8574F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 93ba6e5663b7868d9153d267785e8fb6f0e75a15817e0d07e5593d686821ef5d
Instruction ID: 8921f04987789884dc62ba60c74a8b5d59f3ecc311c077bac2cefdebac2c5c15
Opcode Fuzzy Hash: 93ba6e5663b7868d9153d267785e8fb6f0e75a15817e0d07e5593d686821ef5d
Instruction Fuzzy Hash: 8141B565C1061876CB11FBF48C46ACFBBB89F04710F508966F909E3221FB38A755E7A6

Function 00F83671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F83697,?), ref: 00F8468B

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F83697,?), ref: 00F846A4

lstrcmpiW.KERNEL32(?,?), ref: 00F836B7
_wcscmp.LIBCMT ref: 00F836D3
MoveFileW.KERNEL32(?,?), ref: 00F836EB
_wcscat.LIBCMT ref: 00F83733
SHFileOperationW.SHELL32(?), ref: 00F8379F

Strings

\*.*, xrefs: 00F8372D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f17a71f71f2e9f80b998d3548d422b90f9e3e7ab2e00b811dc42288962f0e29c
Instruction ID: 3cbcd1fee0d4098a3eda2e6cc5daa2b89c5d0997b61c04a8aef7d1643e70e962
Opcode Fuzzy Hash: f17a71f71f2e9f80b998d3548d422b90f9e3e7ab2e00b811dc42288962f0e29c
Instruction Fuzzy Hash: A741B1B1508345AEC751FF64C841ADFB7E8AF89790F40082EF48AC7261EA38D689D752

Function 00FA7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA7351
IsMenu.USER32(?), ref: 00FA7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA73B1
DrawMenuBar.USER32 ref: 00FA73C4

Strings

0, xrefs: 00FA729E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: afbea60df9bae5c9d8a67fa6ae7ebe75cfd494d6d72046265bb4ee8a8b1466ea
Instruction ID: b336a39deb79e4a05dda6e83d885fdaa4535edc1b0efe2dd066df3e9fe99484d
Opcode Fuzzy Hash: afbea60df9bae5c9d8a67fa6ae7ebe75cfd494d6d72046265bb4ee8a8b1466ea
Instruction Fuzzy Hash: B74116B5A04308AFDF20EF50D884E9ABBB8FF06324F158429FD059B250D730AD54EB50

Function 00FA0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00FA0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA0FFE
FreeLibrary.KERNEL32(00000000), ref: 00FA10B5

Part of subcall function 00FA0FA5: RegCloseKey.ADVAPI32(?), ref: 00FA101B
Part of subcall function 00FA0FA5: FreeLibrary.KERNEL32(?), ref: 00FA106D
Part of subcall function 00FA0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FA1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FA1058

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d50034092995dff085f5f176ade50fb805c451bf2ed07411529a66837449f46a
Instruction ID: 9449bc869c2c6fa290e17dccbec853d983b203e5035ae385751102fd607635be
Opcode Fuzzy Hash: d50034092995dff085f5f176ade50fb805c451bf2ed07411529a66837449f46a
Instruction Fuzzy Hash: 0E312DB1D00109BFDB159F90DC89EFFB7BCEF09310F004169E502E6141EA749E89AAA0

Function 00FA62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA62EC
GetWindowLongW.USER32(01466898,000000F0), ref: 00FA631F
GetWindowLongW.USER32(01466898,000000F0), ref: 00FA6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FA6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FA63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FA63DB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f14131f8caec1f3cec1d81d7c5664f2df057776350cfa06aa95e2a2118e69c2c
Instruction ID: 827ec24ea4137a311993dc067825d8d83baae6de19547190c6dd0b901238c7bc
Opcode Fuzzy Hash: f14131f8caec1f3cec1d81d7c5664f2df057776350cfa06aa95e2a2118e69c2c
Instruction Fuzzy Hash: F8310FB5A40284EFEB208F58DC84F5537E1FB4A724F1901A4F551CF3B2CB61A845AB50

Function 00F7DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DB54
SysAllocString.OLEAUT32(00000000), ref: 00F7DB57
SysAllocString.OLEAUT32(?), ref: 00F7DB75
SysFreeString.OLEAUT32(?), ref: 00F7DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00F7DBA3
SysAllocString.OLEAUT32(?), ref: 00F7DBB1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a99ef1485ca21f8c835489f02fff1e036bad768cde21de950ab5bb91781688d0
Instruction ID: 90590df3bb4a4234dec67e9d3dcfe09e811ae569db0b78f88d6957e0bc1bcca1
Opcode Fuzzy Hash: a99ef1485ca21f8c835489f02fff1e036bad768cde21de950ab5bb91781688d0
Instruction Fuzzy Hash: E0218076A01219AFDB10DFB8DC84CAB77BCEF49360B418126FD18DB250D6749C45A761

Function 00F96173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F97DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F961C6
WSAGetLastError.WSOCK32(00000000), ref: 00F961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F9620E
connect.WSOCK32(00000000,?,00000010), ref: 00F96217
WSAGetLastError.WSOCK32 ref: 00F96221
closesocket.WSOCK32(00000000), ref: 00F9624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F96263

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d965e584a6cce12402a6293df401661b19510238d5a4955e42db85365e56db82
Instruction ID: 3be999133fd8607638e387e430b551a960a9eedf210872ae639b5818624a8aa7
Opcode Fuzzy Hash: d965e584a6cce12402a6293df401661b19510238d5a4955e42db85365e56db82
Instruction Fuzzy Hash: 0031B371600218AFEF10AF64DC85BBE77ACEF45760F044029FD05EB291DB78AD44ABA1

Function 00F7F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F7F671
__wcsnicmp.LIBCMT ref: 00F7F692
__wcsnicmp.LIBCMT ref: 00F7F6AC

Strings

#requireadmin, xrefs: 00F7F68C
#notrayicon, xrefs: 00F7F669
#OnAutoItStartRegister, xrefs: 00F7F6A6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 54e48b9a9d2916453fffbadfd069110407ea9d9c7eed64428d09a2abce510abc
Instruction ID: a84b3079f2698e370520bcb8942828fa50f25bd47e5c93bde2893695a93d1cec
Opcode Fuzzy Hash: 54e48b9a9d2916453fffbadfd069110407ea9d9c7eed64428d09a2abce510abc
Instruction Fuzzy Hash: 6021467261421166D324AA34AC02FA773D8EF55360F10C03BF98AC7091EB689E5AF297

Function 00F7DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DC2F
SysAllocString.OLEAUT32(00000000), ref: 00F7DC32
SysAllocString.OLEAUT32 ref: 00F7DC53
SysFreeString.OLEAUT32 ref: 00F7DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00F7DC76
SysAllocString.OLEAUT32(?), ref: 00F7DC84

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 80ab45a803ba33486dbaecf65c90caea302605b7aed77a99e70f99c4a088297d
Instruction ID: 05dbaaea0194ef3439280866fd9acdd669832f0dddc5cc21ae87bf6961c1f07f
Opcode Fuzzy Hash: 80ab45a803ba33486dbaecf65c90caea302605b7aed77a99e70f99c4a088297d
Instruction Fuzzy Hash: 88213E76604208AF9B11DBE8DC88DAA77BCEF09360B50C126F918CB261DAB49C45E765

Function 00FA75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FA7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FA763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FA764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FA7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FA7665

Strings

Msctls_Progress32, xrefs: 00FA7603

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d1ddcec7a3b2927b4448003df835ea23eb56a5b4a4ed8eb94ffad163f3597f88
Instruction ID: f26cb34b8c35d7bdad3be44ee84aecf453056f54e8ead8dddd451703f24cd66f
Opcode Fuzzy Hash: d1ddcec7a3b2927b4448003df835ea23eb56a5b4a4ed8eb94ffad163f3597f88
Instruction Fuzzy Hash: EC11B6B251021DBFEF119F64CC85EE77F6DEF09798F014115B604A6150CA729C21EBA4

Function 00F49AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F49AE6

Part of subcall function 00F43187: EncodePointer.KERNEL32(00000000), ref: 00F4318A
Part of subcall function 00F43187: __initp_misc_winsig.LIBCMT ref: 00F431A5
Part of subcall function 00F43187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F49EA0
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F49EB4
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F49EC7
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F49EDA
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F49EED
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F49F00
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F49F13
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F49F26
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F49F39
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F49F4C
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F49F5F
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F49F72
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F49F85
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F49F98
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F49FAB
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F49FBE

__mtinitlocks.LIBCMT ref: 00F49AEB
__mtterm.LIBCMT ref: 00F49AF4

Part of subcall function 00F49B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F49AF9,00F47CD0,00FDA0B8,00000014), ref: 00F49C56
Part of subcall function 00F49B5C: _free.LIBCMT ref: 00F49C5D
Part of subcall function 00F49B5C: DeleteCriticalSection.KERNEL32(00FDEC00,?,?,00F49AF9,00F47CD0,00FDA0B8,00000014), ref: 00F49C7F

__calloc_crt.LIBCMT ref: 00F49B19
__initptd.LIBCMT ref: 00F49B3B
GetCurrentThreadId.KERNEL32 ref: 00F49B42

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b4be91ff31c80a6107a1fedd1afa11b960448fc25ca8bda01909ad9a2a9467f2
Instruction ID: 9df20b88d54cde454340737d3bd8add35a1455cb445c5d6938002d902710dba2
Opcode Fuzzy Hash: b4be91ff31c80a6107a1fedd1afa11b960448fc25ca8bda01909ad9a2a9467f2
Instruction Fuzzy Hash: 57F06D32B1E7115AE634B674BC03A4B3EA1DF42734B200A1AFC60891D2FEA8954171A1

Function 00F4406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F43F85), ref: 00F44085
GetProcAddress.KERNEL32(00000000), ref: 00F4408C
EncodePointer.KERNEL32(00000000), ref: 00F44097
DecodePointer.KERNEL32(00F43F85), ref: 00F440B2

Strings

combase.dll, xrefs: 00F44080
RoUninitialize, xrefs: 00F44074

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2cde8e73eb0426a679a79b2b41b1c0f811fb2f6d35afa1d39ebbd479f878f14f
Instruction ID: 27731b8c3dafd9f8ebbe3870ddb81603066acf37e0fb1877c54b6a73a52d80ba
Opcode Fuzzy Hash: 2cde8e73eb0426a679a79b2b41b1c0f811fb2f6d35afa1d39ebbd479f878f14f
Instruction Fuzzy Hash: 88E0BFB0941348EFEB50AFA2EC4DB453AA4B715742F10442DF501EA0A0CB7A9604FE15

Function 00F864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F8660B
_memmove.LIBCMT ref: 00F86546

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

_memmove.LIBCMT ref: 00F865B9
_memmove.LIBCMT ref: 00F866A0
_memmove.LIBCMT ref: 00F866B9
_memmove.LIBCMT ref: 00F866D5

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
Instruction ID: dada10fc8514ab830dc301d144322ace7fc88ebd20f469c94b2db0a84890f153
Opcode Fuzzy Hash: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
Instruction Fuzzy Hash: A0619C3190429A9BCF01FF60CC82EFE3BA5AF05308F484519FD599B292EB7C9955EB50

Function 00FA01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FA0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FA0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FA038C
RegCloseKey.ADVAPI32(00000000), ref: 00FA0399

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a3dfc560d017a0841da4c24ac865f40ecbfb0a1e81b56edef2b568a640a42494
Instruction ID: 5525664a2090cf627777050033ae345767c81747f6a7bf205ac331fe6127d299
Opcode Fuzzy Hash: a3dfc560d017a0841da4c24ac865f40ecbfb0a1e81b56edef2b568a640a42494
Instruction Fuzzy Hash: A4513871508304AFCB14EF64DC85E6ABBE8FF86314F04491DF5458B2A2DB35E909EB52

Function 00FA5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FA57FB
GetMenuItemCount.USER32(00000000), ref: 00FA5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FA585A
GetMenuItemID.USER32(?,?), ref: 00FA58C9
GetSubMenu.USER32(?,?), ref: 00FA58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00FA5928

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: eb9ae31bfc88120d833393303fb4c59ced01e4174067e5812a0c95e729d9c5fa
Instruction ID: b3c42847888c74c9e0f1a6e05cc35a46b6931ec0130285b3ffb557a1ee579f65
Opcode Fuzzy Hash: eb9ae31bfc88120d833393303fb4c59ced01e4174067e5812a0c95e729d9c5fa
Instruction Fuzzy Hash: FC515D75E00615AFCF11EFA4C845AAEBBB4EF49720F144069EC41BB351CB78AE41AB90

Function 00F7EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F7EF06
VariantClear.OLEAUT32(00000013), ref: 00F7EF78
VariantClear.OLEAUT32(00000000), ref: 00F7EFD3
_memmove.LIBCMT ref: 00F7EFFD
VariantClear.OLEAUT32(?), ref: 00F7F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F7F078

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ca5fa5abb0d0ed9a4d2b6388daa65ee43a1e2d7f638161765ba951d0727b5c7e
Instruction ID: 95732b8bb10c6d3cc0582967998e2c04c87e3267f859424b16e3ff50834a8b92
Opcode Fuzzy Hash: ca5fa5abb0d0ed9a4d2b6388daa65ee43a1e2d7f638161765ba951d0727b5c7e
Instruction Fuzzy Hash: 6D5168B5A00209EFCB14CF58C884AAAB7B8FF4D314B15856AED59DB305E334E915CFA1

Function 00F8220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F822A3
IsMenu.USER32(00000000), ref: 00F822C3
CreatePopupMenu.USER32 ref: 00F822F7
GetMenuItemCount.USER32(000000FF), ref: 00F82355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F82386

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b7d3a44687aeffb1c101d95c234cb5e20dac210b7040fe0ecd6910ff4ef2eb6c
Instruction ID: 84a4fbf7a0f06b81539d37d53476e1901f84ec479b54c9dff9dedf52f84be8ea
Opcode Fuzzy Hash: b7d3a44687aeffb1c101d95c234cb5e20dac210b7040fe0ecd6910ff4ef2eb6c
Instruction Fuzzy Hash: 2651D270A00209DFDF61EF68D898BEDBBF5FF06324F144129E8559B290D778A904EB51

Function 00F21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F2179A
GetWindowRect.USER32(?,?), ref: 00F217FE
ScreenToClient.USER32(?,?), ref: 00F2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F2182C
EndPaint.USER32(?,?), ref: 00F21876

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 9b6292f9134be949bb004e1b8100f972d719d023045225329351ca9da7dc8a5f
Instruction ID: fe8b2efd612c9a90d0293922c4dae98cbb92a3b9332ec60de9c2b07037b630f6
Opcode Fuzzy Hash: 9b6292f9134be949bb004e1b8100f972d719d023045225329351ca9da7dc8a5f
Instruction Fuzzy Hash: DE41CC71504754AFC710DF24DCC4FBA7BE8FB5A724F140228FAA48B2A1C7309949EB62

Function 00FAB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FE57B0,00000000,01466898,?,?,00FE57B0,?,00FAB5A8,?,?), ref: 00FAB712
EnableWindow.USER32(00000000,00000000), ref: 00FAB736
ShowWindow.USER32(00FE57B0,00000000,01466898,?,?,00FE57B0,?,00FAB5A8,?,?), ref: 00FAB796
ShowWindow.USER32(00000000,00000004,?,00FAB5A8,?,?), ref: 00FAB7A8
EnableWindow.USER32(00000000,00000001), ref: 00FAB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FAB7EF

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 769722182a8e160464e1b358ac2f685b7119b5c79c3a0ebe76915a025927d38e
Instruction ID: b2d45ef2d2b6b6a109ed07908af941686131a1667fafa6238fa625b3f2e39e5a
Opcode Fuzzy Hash: 769722182a8e160464e1b358ac2f685b7119b5c79c3a0ebe76915a025927d38e
Instruction Fuzzy Hash: A74173B4A00244AFDB26CF24C499B947BE1FF46320F1841B9F9488F6A3C771AC56EB51

Function 00F9709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F94E41,?,?,00000000,00000001), ref: 00F970AC

Part of subcall function 00F939A0: GetWindowRect.USER32(?,?), ref: 00F939B3

GetDesktopWindow.USER32 ref: 00F970D6
GetWindowRect.USER32(00000000), ref: 00F970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F9710F

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

GetCursorPos.USER32(?), ref: 00F9713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F97199

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: bf7ce2b1ebac70eb50d428ee5856202f928a91846ca2bcef0ce2973092be2d5a
Instruction ID: bdefaf14b6a7f09fce18e319e17db71cd0308aed84c225a2f2cb412cf3fc51ad
Opcode Fuzzy Hash: bf7ce2b1ebac70eb50d428ee5856202f928a91846ca2bcef0ce2973092be2d5a
Instruction Fuzzy Hash: 0D31D272509309AFDB20EF54CC49B9BB7EAFF89314F000919F58597191CB34EA49DB92

Function 00F78879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F780C0
Part of subcall function 00F780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F780CA
Part of subcall function 00F780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F780D9
Part of subcall function 00F780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F780E0
Part of subcall function 00F780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F780F6

GetLengthSid.ADVAPI32(?,00000000,00F7842F), ref: 00F788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F788D6
HeapAlloc.KERNEL32(00000000), ref: 00F788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F788F6
GetProcessHeap.KERNEL32(00000000,00000000,00F7842F), ref: 00F7890A
HeapFree.KERNEL32(00000000), ref: 00F78911

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 50935f48329f06c7de89a5991535f6d6195a00516d47f64389dfbab4b9b92cba
Instruction ID: a74886ece0df29703acd094755f86836d8453ec994708f8a37998132e1c0a48a
Opcode Fuzzy Hash: 50935f48329f06c7de89a5991535f6d6195a00516d47f64389dfbab4b9b92cba
Instruction Fuzzy Hash: 6311B471A41209FFDB109F94DC09BBE7B78EB45361F10C02AE94997111CB329D05EB62

Function 00F785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F785E2
OpenProcessToken.ADVAPI32(00000000), ref: 00F785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F785F8
CloseHandle.KERNEL32(00000004), ref: 00F78603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F78632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F78646

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5e92ef9a7aa6f2538549d200ed50054c6cf530aa03adc82d1b174d0df934c670
Instruction ID: 77667cf9748b9cdb3d5c8e8e8482e5f87f93417d59a6e1a601af95a86cc8398e
Opcode Fuzzy Hash: 5e92ef9a7aa6f2538549d200ed50054c6cf530aa03adc82d1b174d0df934c670
Instruction Fuzzy Hash: 25115CB254020DABDF018FA4DD49BDE7BA9EF09354F048065FE05A6160C7718D65EB61

Function 00F7B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F7B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F7B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F7B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00F7B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F7B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00F7B7FE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a2755be9436a8676fe8f3ee00f6c2e62733e27732b0e8eb669c433f57c92538
Instruction ID: ed53a8ef14e24f60f53b8a9eaf69b79192e1e005c9f5cdaa1bb6d5b80a0118a9
Opcode Fuzzy Hash: 2a2755be9436a8676fe8f3ee00f6c2e62733e27732b0e8eb669c433f57c92538
Instruction Fuzzy Hash: 500175B5E00209BBEB105BE69C45A5ABFA8EB49321F008066FA08AB291D6709C00DF91

Function 00F40162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F40193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F4019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F401C1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 996521e29cd677699d667c631696cb72d7e3cac99f57e89b717177d821fc993f
Instruction ID: 28ef2a0a41ba0148394e45b6955c62ba314cf17218137ec9a8af94a574f62da4
Opcode Fuzzy Hash: 996521e29cd677699d667c631696cb72d7e3cac99f57e89b717177d821fc993f
Instruction Fuzzy Hash: 97016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4BA41C7F5A868CBE5

Function 00F853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8540F
GetWindowThreadProcessId.USER32(?,?), ref: 00F8541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F85437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8543E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 94e9b7f4633f5b8b6ef529872522a2308157e2e84d49d09f29cef41ca0d7d7ba
Instruction ID: ad7388bfa1f9f3bad8e771235f29ee45f3b12c96c73fcc30e6460a880d3c5350
Opcode Fuzzy Hash: 94e9b7f4633f5b8b6ef529872522a2308157e2e84d49d09f29cef41ca0d7d7ba
Instruction Fuzzy Hash: 07F06D7224115CBBE7205BE2DC0DEEB7A7CEBC7B11F000169FA04D515096A01A05A6B5

Function 00F87230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F87243
EnterCriticalSection.KERNEL32(?,?,00F30EE4,?,?), ref: 00F87254
TerminateThread.KERNEL32(00000000,000001F6,?,00F30EE4,?,?), ref: 00F87261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F30EE4,?,?), ref: 00F8726E

Part of subcall function 00F86C35: CloseHandle.KERNEL32(00000000,?,00F8727B,?,00F30EE4,?,?), ref: 00F86C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F87281
LeaveCriticalSection.KERNEL32(?,?,00F30EE4,?,?), ref: 00F87288

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: da01b751f37bb04e5c15574ab9556e29442dd65b8003d8a72aefe519212ef921
Instruction ID: a6da4ed81f03e44a995370f04553bd310f13c7e58f1458406704e63dd23ef96e
Opcode Fuzzy Hash: da01b751f37bb04e5c15574ab9556e29442dd65b8003d8a72aefe519212ef921
Instruction Fuzzy Hash: EDF0BEB6540216EBD7622BA4ED4CBEA7779EF07312B100131F103980A0CB765805EB50

Function 00F78992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F7899D
UnloadUserProfile.USERENV(?,?), ref: 00F789A9
CloseHandle.KERNEL32(?), ref: 00F789B2
CloseHandle.KERNEL32(?), ref: 00F789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00F789C3
HeapFree.KERNEL32(00000000), ref: 00F789CA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 659e19df5a668a31bacc5a39fe346846e8a1ab5c2b68204ea6682954ca900e88
Instruction ID: 3a459874c8f4af6e345412489f6ba03243f9bbbd058d3ef11f056233ef82a429
Opcode Fuzzy Hash: 659e19df5a668a31bacc5a39fe346846e8a1ab5c2b68204ea6682954ca900e88
Instruction Fuzzy Hash: CFE052B6104509FFDB011FE5EC0C95ABB79FB8A762B508631F21989470CB329469EB50

Function 00F985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F98613
CharUpperBuffW.USER32(?,?), ref: 00F98722
VariantClear.OLEAUT32(?), ref: 00F9889A

Part of subcall function 00F87562: VariantInit.OLEAUT32(00000000), ref: 00F875A2
Part of subcall function 00F87562: VariantCopy.OLEAUT32(00000000,?), ref: 00F875AB
Part of subcall function 00F87562: VariantClear.OLEAUT32(00000000), ref: 00F875B7

Strings

AUTOIT.ERROR, xrefs: 00F98728
Incorrect Parameter format, xrefs: 00F9864B, 00F9880D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: bff55633828637b407bd35290887e6ac2271b0046ca0d7c5fe86fd90b3905e13
Instruction ID: 916dc9ece5af6c1c571f99d67e6cd587df027f45c778992d3e2e802cdf903794
Opcode Fuzzy Hash: bff55633828637b407bd35290887e6ac2271b0046ca0d7c5fe86fd90b3905e13
Instruction Fuzzy Hash: 88918071A083019FCB10DF24C88495ABBF4EF8A754F14892EF88A8B351DB35ED46DB52

Function 00F82A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

_memset.LIBCMT ref: 00F82B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F82BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F82C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F82C97

Strings

0, xrefs: 00F82B73

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 60819808f4d023f462c7fdc213cd0a8b9f794ce7737721b5af3bebcfede78ac7
Instruction ID: c376a6e61907506ea77979805be6756a88be0de6ba44f4ffc21f3d0291574c19
Opcode Fuzzy Hash: 60819808f4d023f462c7fdc213cd0a8b9f794ce7737721b5af3bebcfede78ac7
Instruction Fuzzy Hash: DC51BF71A093019ED7A4AE28D845ABFBBE4EF86330F040A2DF895D61D1DB74ED04B752

Function 00F7D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F7D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F7D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F7D69D

Strings

DllGetClassObject, xrefs: 00F7D610

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 163aa1e1923ddb7a686dd8514d8a350d5ca4389879b6b7338e263f4f8c992b97
Instruction ID: a0d70eef84894e198f47cd759fb76ea48e871e112d0d4c65208ad68a2e36b836
Opcode Fuzzy Hash: 163aa1e1923ddb7a686dd8514d8a350d5ca4389879b6b7338e263f4f8c992b97
Instruction Fuzzy Hash: 0A418EB1600204EFDB15DF64CC84A9ABBB9EF84314F55C1AEAC0D9F206D7B1D944EBA1

Function 00F82753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00F82822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FE5890,00000000), ref: 00F8286B

Strings

0, xrefs: 00F827B5

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 279647daec9e0b894273fb2f269a29551fa43ff09bc448a69d1205944ec1e3e6
Instruction ID: b7b29eddf239820713f7afd9edc300e31d29ba258f6a05d42da736e21646c196
Opcode Fuzzy Hash: 279647daec9e0b894273fb2f269a29551fa43ff09bc448a69d1205944ec1e3e6
Instruction Fuzzy Hash: 7141BF71604301AFDB60EF24CC44B9ABBE8EF85324F04492EF8A597291D734F805DB52

Function 00F9D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F9D7C5

Part of subcall function 00F2784B: _memmove.LIBCMT ref: 00F27899

Strings

stdcall, xrefs: 00F9D847
none, xrefs: 00F9D8A0
winapi, xrefs: 00F9D836
cdecl, xrefs: 00F9D81C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9e76ea3f31d2bdfe52bb2cbcffa011d87c0cf95fd44b2d50d3d0d9060d993fc1
Instruction ID: 3cf81c1802189a271efea33afa522c50d81661f71f3f9c6dba4b2768ee510282
Opcode Fuzzy Hash: 9e76ea3f31d2bdfe52bb2cbcffa011d87c0cf95fd44b2d50d3d0d9060d993fc1
Instruction Fuzzy Hash: DB31B071904619ABDF00EF94CC519FEB7B5FF05320B10862AE829977D2DB75A905EB80

Function 00F78E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F78F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F78F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F78F57

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Strings

ListBox, xrefs: 00F78ED3
ComboBox, xrefs: 00F78E9E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d3d1f51839b862f86dfd6315ead868e75ba308abadd7470e28611974a6c866ed
Instruction ID: 2ad806faba1ac157db30ef7508bc8d1c4e9e56b8119d5ba8bb6606386d57cdfc
Opcode Fuzzy Hash: d3d1f51839b862f86dfd6315ead868e75ba308abadd7470e28611974a6c866ed
Instruction Fuzzy Hash: B8210471A40208BEDB14ABB0DC49DFFB769DF46360F14812AF829972E0DF39580AB651

Function 00F9182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F91872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F918A2
InternetCloseHandle.WININET(00000000), ref: 00F918E9

Part of subcall function 00F92483: GetLastError.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F92498
Part of subcall function 00F92483: SetEvent.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F924AD

Strings

, xrefs: 00F91893

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 906bc69c9984733b512c6e55ac9d971b9d7beef01115ca7ead6d7c3facacbca7
Instruction ID: c42e406c1ad7c570b122b3dcba3f0f98a1d515b2aef405bb3a16f1716b636d02
Opcode Fuzzy Hash: 906bc69c9984733b512c6e55ac9d971b9d7beef01115ca7ead6d7c3facacbca7
Instruction Fuzzy Hash: 81217FB550020DBFFB129B649C85EBF76ADFB49754F10413AF80596140DA249D0977A1

Function 00FA63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FA6461
LoadLibraryW.KERNEL32(?), ref: 00FA6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FA647D
DestroyWindow.USER32(?), ref: 00FA6485

Strings

SysAnimate32, xrefs: 00FA643C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 203de6a918ef41663fe3c06786b4e917cab3583174eb05f38fe7a2d238205f30
Instruction ID: a9e31e0b4c3ca9bd1bef0f4854aca6620d7ea493994b0b809cdcbe0f00f3fd9a
Opcode Fuzzy Hash: 203de6a918ef41663fe3c06786b4e917cab3583174eb05f38fe7a2d238205f30
Instruction Fuzzy Hash: E3218BB2600209ABEF108FA4DC80EBA77A9EB5A738F184629FA10D6190D775DC51B760

Function 00F86D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F86DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F86DEF
GetStdHandle.KERNEL32(0000000C), ref: 00F86E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F86E3B

Strings

nul, xrefs: 00F86E36

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ed69facce0338e19a995edc0b24331821b7550935b59f5aa2b7238d87f409cf0
Instruction ID: 24edddc178c909686b569266306188a5b737e51b729252ffbba890aee8f31bd8
Opcode Fuzzy Hash: ed69facce0338e19a995edc0b24331821b7550935b59f5aa2b7238d87f409cf0
Instruction Fuzzy Hash: 1221A476A00209ABDB20AF69DC04BDA77F4EF45730F204619FCA1D72D0D7709955EB54

Function 00F86E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F86E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F86EBB
GetStdHandle.KERNEL32(000000F6), ref: 00F86ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F86F06

Strings

nul, xrefs: 00F86F01

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2e9e761554ef588c7566bb962f47c6597e962537083d2541540e20add128ec53
Instruction ID: 40f7621ecc6e7405b721166d9a6abdd3e2cb2451f11a44c4beddd7d4a949501c
Opcode Fuzzy Hash: 2e9e761554ef588c7566bb962f47c6597e962537083d2541540e20add128ec53
Instruction Fuzzy Hash: 1C2186759003059BDB20AF69DC04BDA77E8EF45730F200A19FDA1D72D0DB709855E755

Function 00F8AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F8ACA8
__swprintf.LIBCMT ref: 00F8ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FAF910), ref: 00F8ACFF

Strings

%lu, xrefs: 00F8ACBB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fe69a0d887fe7361d7dcab72e458719e76acefc46513e0ac911feea3f072133a
Instruction ID: 7e6d9d442df1f1351f7131321c95681d4d450b25b1ba6899b726f1ff19d18c1f
Opcode Fuzzy Hash: fe69a0d887fe7361d7dcab72e458719e76acefc46513e0ac911feea3f072133a
Instruction Fuzzy Hash: 3E21B370A00109AFCB10EFA4DD45EEE7BB8FF49714B044069F909DB251DB75EA45EB21

Function 00F81AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F81B19

Strings

EXISTS, xrefs: 00F81B41
REMOVE, xrefs: 00F81B1F
APPEND, xrefs: 00F81B52
KEYS, xrefs: 00F81B30

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 0c1d12f28f63120b5ac3cf47632555074f47a0b531a43c4916252c07ec42c3b1
Instruction ID: 5701efc651b5f5dfeda2a0f6bf192e94cf2c558ba319c2bddf242e8323050bc0
Opcode Fuzzy Hash: 0c1d12f28f63120b5ac3cf47632555074f47a0b531a43c4916252c07ec42c3b1
Instruction Fuzzy Hash: 27117C709402089BCF00FF94E8519EEB7B4BF66314F1845A5D814A7292EB365906EB50

Function 00F9EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F9EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F9EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F9ED6A
CloseHandle.KERNEL32(?), ref: 00F9EDEB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f5a0e1ef781173378734dfd0a8c461158e97394e8b84040c5a979481a4868d2e
Instruction ID: fab3182f6e1f6f60fc93ffc1d5c4aecb511df2932eac4615fea95b6e35a06fd6
Opcode Fuzzy Hash: f5a0e1ef781173378734dfd0a8c461158e97394e8b84040c5a979481a4868d2e
Instruction Fuzzy Hash: EA8191716043109FEB20EF28DC46F6AB7E5AF88720F44881DF999DB2D2D6B4AC45DB41

Function 00FA0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FA0183
RegCloseKey.ADVAPI32(?,?), ref: 00FA01AF
RegCloseKey.ADVAPI32(00000000), ref: 00FA01BC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a3faae06603fbe315bb4943452ea8013f4ef85146c587eaab32199e674ed3ddf
Instruction ID: 1ed4382f5942010ac9f27ccddd8fb041c22a25d38ec2daeccd07bbdbf4ff0713
Opcode Fuzzy Hash: a3faae06603fbe315bb4943452ea8013f4ef85146c587eaab32199e674ed3ddf
Instruction Fuzzy Hash: C9518BB1608204AFC704EF54DC81EAAB7E8FF85314F44882DF5858B2A2DB35E904EB52

Function 00F9D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F9D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F9D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F9D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F9DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F9DA21

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 43fd892341d1ef3cb6069407d580c0e3c89d7ccf001e7a22eb5fbfd512c0b28c
Instruction ID: b1365bec6f55410e2099e6463412bd59f67c6f23f49a8d1bb9629e01b8e03315
Opcode Fuzzy Hash: 43fd892341d1ef3cb6069407d580c0e3c89d7ccf001e7a22eb5fbfd512c0b28c
Instruction Fuzzy Hash: 95514775A04219DFDB00EFA8D8849ADB7F4FF09320B148069E819AB312D738ED45EF90

Function 00F8E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F8E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F8E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F8E687

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F8E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F8E6B4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 4c7266cf24df6ea6246e0e5cee406b2d8c0fa9772edf3b8a39c2406ab012607b
Instruction ID: 36d453b8fdd715595c1366201928980099d81058b6c2ecec2aff31df61b633c1
Opcode Fuzzy Hash: 4c7266cf24df6ea6246e0e5cee406b2d8c0fa9772edf3b8a39c2406ab012607b
Instruction Fuzzy Hash: AB514D35A00115DFCB01EF64D981AADBBF5EF09314F1880A9E809AB361DB35ED11EF50

Function 00FAA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8013edf51351e6a96066b2cbef027b6e4625b78435a904a8c70d310eaab44dc
Instruction ID: c154fe19c996038c97c0501cb639403c39c9baf2c239483c9c5ecd49836ffa3f
Opcode Fuzzy Hash: b8013edf51351e6a96066b2cbef027b6e4625b78435a904a8c70d310eaab44dc
Instruction Fuzzy Hash: 5A41A4B5D04108BFD720DF64CC88FA9BBA4EB0B320F144165F815AB2E1C730AD59FA51

Function 00F22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F22357
ScreenToClient.USER32(00FE57B0,?), ref: 00F22374
GetAsyncKeyState.USER32(00000001), ref: 00F22399
GetAsyncKeyState.USER32(00000002), ref: 00F223A7

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 03eeb608a7a975ea889da3b0e983fbb509229fd206598f510b3381d0e9bc39bb
Instruction ID: 55da3c1d8a89361624433da7b53e62c58f306395f62b227250ff3d3168ad0df8
Opcode Fuzzy Hash: 03eeb608a7a975ea889da3b0e983fbb509229fd206598f510b3381d0e9bc39bb
Instruction Fuzzy Hash: FB416F75A04219FFCB159FA8CC44AE9BBB4BB05361F204319E92996290CB349D54EB91

Function 00F763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00F76433
TranslateMessage.USER32(?), ref: 00F7645C
DispatchMessageW.USER32(?), ref: 00F76466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F76475

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 281225008972e8d6be106f3e92098f291b2ce5a09dc7e0f174af00b48644097d
Instruction ID: 48a19d36c35966f313cb6c1dc3376b61ff928d92765455f406802fac8b80d435
Opcode Fuzzy Hash: 281225008972e8d6be106f3e92098f291b2ce5a09dc7e0f174af00b48644097d
Instruction Fuzzy Hash: 6D31FD71D00A4AAFDB64CFB0CC84BB67BECAB01714F148177E519CA1A0D7359449F752

Function 00F78A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F78A30
PostMessageW.USER32(?,00000201,00000001), ref: 00F78ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F78AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00F78AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F78AF8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3163225f899aaa3a7829e8befefa82c1f0bc60b35e5b68233ba2d9a05e963b2a
Instruction ID: 9ab63de986b8e7b20181fe23bdd1ecb9f0cbb91bfdffbe1ad63e61e56a86ed77
Opcode Fuzzy Hash: 3163225f899aaa3a7829e8befefa82c1f0bc60b35e5b68233ba2d9a05e963b2a
Instruction Fuzzy Hash: 07310471900219FBDF10CFA8DD4CA9E3BB5EB05325F10822AF829DB2D0C7749915EB91

Function 00F7B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F7B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F7B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F7B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F7B27F
_wcsstr.LIBCMT ref: 00F7B289

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 1d2568ce51a8fb2c4554edfbd46c9c317b2f1f601d2f50d1048992cc840d8b9f
Instruction ID: 5fe047d40d668d183b14150571c0a2c56ee0510b7f472fe0d5fc02605933e4c2
Opcode Fuzzy Hash: 1d2568ce51a8fb2c4554edfbd46c9c317b2f1f601d2f50d1048992cc840d8b9f
Instruction Fuzzy Hash: B521F5726052057AEB165B759C09F7F7BA8DF4A720F00813AFC08DA162EF659C40F2A1

Function 00FAB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetWindowLongW.USER32(?,000000F0), ref: 00FAB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FAB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FAB1CF
GetSystemMetrics.USER32(00000004), ref: 00FAB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F90E90,00000000), ref: 00FAB216

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 248cdddf89360a20ff4871075af275fd926346d247ba80e67412ca00b4415d59
Instruction ID: 97ad49956b959c311143c45644796477e05ffa57fc15fbe642d06abac2e5983f
Opcode Fuzzy Hash: 248cdddf89360a20ff4871075af275fd926346d247ba80e67412ca00b4415d59
Instruction Fuzzy Hash: 222180B1910265AFCB109F78DC54B6A3BA4EB06731F144729B922D71E1E7309960EB90

Function 00F79307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F79320

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F79352
__itow.LIBCMT ref: 00F7936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F79392
__itow.LIBCMT ref: 00F793A3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a3d046e68251f8c2e2fa4805aadf4e6c7f0b94f32f8516c0a23d4682c19bf41d
Instruction ID: 53e0931bc758a572ac4782eed998044a38ebadf8565bd6b5644318a03c950af4
Opcode Fuzzy Hash: a3d046e68251f8c2e2fa4805aadf4e6c7f0b94f32f8516c0a23d4682c19bf41d
Instruction Fuzzy Hash: 08210A31B052086BDB10AEA09C85EEE3BADEB49720F048026FD08DB2D0D6F0DD45B793

Function 00F95A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F95A6E
GetForegroundWindow.USER32 ref: 00F95A85
GetDC.USER32(00000000), ref: 00F95AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F95ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F95B08

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c987a485663d52187dfcf9c882c10b3bf4577ce896446aba618248c8ff354960
Instruction ID: 55c4722fe00bcfb79802eb0edba3fbd99ee899206d6957c954aaf4970e43e36b
Opcode Fuzzy Hash: c987a485663d52187dfcf9c882c10b3bf4577ce896446aba618248c8ff354960
Instruction Fuzzy Hash: 9B21C375A00108AFDB14EFA4DC84A9ABBF5EF49350F148079F809DB362CA74AD05EB90

Function 00F212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F2134D
SelectObject.GDI32(?,00000000), ref: 00F2135C
BeginPath.GDI32(?), ref: 00F21373
SelectObject.GDI32(?,00000000), ref: 00F2139C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5abcdf99c9f21b267ff8754a7a5017209d7490d33a2eb864d89c85fafaa13628
Instruction ID: 16d374ffbec65feb4c794c6394cbc89a8376bc2b52b7cfe7c230323606f36474
Opcode Fuzzy Hash: 5abcdf99c9f21b267ff8754a7a5017209d7490d33a2eb864d89c85fafaa13628
Instruction Fuzzy Hash: 0721897080065CEBDB10CF65EC847693BA9FB10B2AF148226E8109E1B0D3B19E95FF94

Function 00F7BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F7BCB3
_memcmp.LIBCMT ref: 00F7BCD1
_memcmp.LIBCMT ref: 00F7BCE4
_memcmp.LIBCMT ref: 00F7BCFC
_memcmp.LIBCMT ref: 00F7BD14

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 01a96dabc3f425b64a9a41cfec89174b2f19b8a84e377d8bb0d6c3313e7ec21c
Instruction ID: 28ce25741840932b9a721c866818cf50f812ffaa90e5aa346648c9a897a9cd68
Opcode Fuzzy Hash: 01a96dabc3f425b64a9a41cfec89174b2f19b8a84e377d8bb0d6c3313e7ec21c
Instruction Fuzzy Hash: 0001B5B26001097BD215AB129D42FFBBB5CEE533A8B04C022FD0996243EB54DE10B6A3

Function 00F84A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F84ABA
__beginthreadex.LIBCMT ref: 00F84AD8
MessageBoxW.USER32(?,?,?,?), ref: 00F84AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F84B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F84B0A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ea47997dad2824e7c26774a38c21874df90b2bb060f5cd8b0eb3e434b1feea98
Instruction ID: 16bf2ae4209b4b12694b9c3bdc48d879d2fd498864e9a6a81e2bcab26bc37e04
Opcode Fuzzy Hash: ea47997dad2824e7c26774a38c21874df90b2bb060f5cd8b0eb3e434b1feea98
Instruction Fuzzy Hash: D21144B690424DBBCB00AFA8EC48ADB7FACEB85324F144269F914D7250D675D904ABA0

Function 00F78202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F7821E
GetLastError.KERNEL32(?,00F77CE2,?,?,?), ref: 00F78228
GetProcessHeap.KERNEL32(00000008,?,?,00F77CE2,?,?,?), ref: 00F78237
HeapAlloc.KERNEL32(00000000,?,00F77CE2,?,?,?), ref: 00F7823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F78255

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8b4e3990f89a73a339dc6c737763b58cbe673c4b6eb6e67f3aa8b60a09dda2e9
Instruction ID: 3eb07270f92aeac188a9335d8667f6e6ac98ca6894b8d45efc0289c339f81902
Opcode Fuzzy Hash: 8b4e3990f89a73a339dc6c737763b58cbe673c4b6eb6e67f3aa8b60a09dda2e9
Instruction Fuzzy Hash: 3B0162B1740208BFDB204FA5DC4CD677B6DEF867A57504469F809C6220DA318C05EA61

Function 00F7710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?,?,00F77455), ref: 00F77127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?), ref: 00F77160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F7716C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 520a1965b1df729776388e2a7dee7350d80f229835d3edbd76a1e6193645c0ae
Instruction ID: 44d43f4a74e08fffef21a67188329a330dfe22945be68e9d77b9ff2f3f2cd24b
Opcode Fuzzy Hash: 520a1965b1df729776388e2a7dee7350d80f229835d3edbd76a1e6193645c0ae
Instruction Fuzzy Hash: 3A01D4B6610308BBCB105F64DC44BAA7BADEF49761F144175FD08D6220D7B1DD00A7A0

Function 00F85244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F85260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F8526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F85276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F85280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 63d3f1c478bb6233b4f2c2d2e2834a91e4f6e61cda9b7994a4824017cb7c75c4
Instruction ID: b2c6adfaad52a32fcc81814806793463236b4cdf9ab1c08e39d449dfa0418857
Opcode Fuzzy Hash: 63d3f1c478bb6233b4f2c2d2e2834a91e4f6e61cda9b7994a4824017cb7c75c4
Instruction Fuzzy Hash: 2E011B71D01A1DDBCF00EFE4DC49AEDBB78BB09B11F400555E981B6141CF305554ABA1

Function 00F7810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F78121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F7812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78157

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 51b754d05d1aca093e0de4318965bd144396a8c2d5b5ddcbd408bfc2a6265ffe
Instruction ID: 09b83753a14c66ac3f151073b7821472737d595c28cfc189a5f4300f33429ba6
Opcode Fuzzy Hash: 51b754d05d1aca093e0de4318965bd144396a8c2d5b5ddcbd408bfc2a6265ffe
Instruction Fuzzy Hash: 9AF068B1740308AFDB110FA5DC8CE673BADFF467A5B404036F549C6150CFA19D46EA61

Function 00F7C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F7C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F7C20E
MessageBeep.USER32(00000000), ref: 00F7C226
KillTimer.USER32(?,0000040A), ref: 00F7C242
EndDialog.USER32(?,00000001), ref: 00F7C25C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7b3659c309ad96a6a4553dbe9dd0c0f5a87301f733e766e65083ed65721b3c4a
Instruction ID: ad0402eb5eb82c43f9385398ef36d75864a4619f9e06ebcf08960229853affab
Opcode Fuzzy Hash: 7b3659c309ad96a6a4553dbe9dd0c0f5a87301f733e766e65083ed65721b3c4a
Instruction Fuzzy Hash: 7401A770804308ABEB205B90ED4EB967778BF01706F00426EE586A55E1DBE46948EB91

Function 00F213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F213BF
StrokeAndFillPath.GDI32(?,?,00F5B888,00000000,?), ref: 00F213DB
SelectObject.GDI32(?,00000000), ref: 00F213EE
DeleteObject.GDI32 ref: 00F21401
StrokePath.GDI32(?), ref: 00F2141C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 42c5ffe31d1d4b086453242cadd75a429bdb6b344d9a375404f68e2b66df1948
Instruction ID: cd78694be74e5dd89f82599ab9094217e66c48e1c465e1310a35e91027aa2ddb
Opcode Fuzzy Hash: 42c5ffe31d1d4b086453242cadd75a429bdb6b344d9a375404f68e2b66df1948
Instruction Fuzzy Hash: 2BF0C970004A4CEBDB159F66EC8C7593BA5BB1272AF08C224E4698D0F1C7714A99FF54

Function 00F8C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F8C432
CoCreateInstance.OLE32(00FB2D6C,00000000,00000001,00FB2BDC,?), ref: 00F8C44A

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

CoUninitialize.OLE32 ref: 00F8C6B7

Strings

.lnk, xrefs: 00F8C3C6, 00F8C3EE, 00F8C3F8

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 610ea01cc1d456c3b4445c8d6147eff97f28d53dabad3c67db97616f9e643c9f
Instruction ID: d05db844ccce76df07cf2697484a3f29164cd7cb28886d36d6b719c213926335
Opcode Fuzzy Hash: 610ea01cc1d456c3b4445c8d6147eff97f28d53dabad3c67db97616f9e643c9f
Instruction Fuzzy Hash: 95A15CB1108205AFD300EF54DC81EABB7E8FF85354F40492CF5558B1A2EBB5EA49DB62

Function 00F32CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F27A51: _memmove.LIBCMT ref: 00F27AAB

__swprintf.LIBCMT ref: 00F32ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F32D66

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 72469017c12c9030373e2e67bb15c534a36743675be42f1efd848aa291a1e67d
Instruction ID: fbc0542f10b1c0cc89138c26c4fbf18b59fad599227f0f8722d3546506e147ea
Opcode Fuzzy Hash: 72469017c12c9030373e2e67bb15c534a36743675be42f1efd848aa291a1e67d
Instruction Fuzzy Hash: E4915C715083119FC714EF24DC86D6EB7B8EF85720F00491DF9569B2A2DA38ED44EB52

Function 00F8B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

CoInitialize.OLE32(00000000), ref: 00F8B9BB
CoCreateInstance.OLE32(00FB2D6C,00000000,00000001,00FB2BDC,?), ref: 00F8B9D4
CoUninitialize.OLE32 ref: 00F8B9F1

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Strings

.lnk, xrefs: 00F8B99D, 00F8B9AB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: e01735b5b0f4dcb7691320628869b4ecd8cf6f4643760484f7eb1a0386b0b9ba
Instruction ID: b4359e0f6554cdfeeaca58235e13aa24d157137c1b768155788c43da636baa41
Opcode Fuzzy Hash: e01735b5b0f4dcb7691320628869b4ecd8cf6f4643760484f7eb1a0386b0b9ba
Instruction Fuzzy Hash: 2EA178756043159FCB04EF14C884DAABBE5FF89324F048998F8999B3A2CB35EC45DB91

Function 00F4501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F450AD

Part of subcall function 00F500F0: __87except.LIBCMT ref: 00F5012B

Strings

pow, xrefs: 00F45085, 00F450A2

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bc9fb46aca21e634668567b9ad82e03636cbcb2b52a5874886d869203f4715b5
Instruction ID: ca113419b4c6e3209e71b2c1ae8445d4734f59dab8527d8a2ea7e9cca4b0eb73
Opcode Fuzzy Hash: bc9fb46aca21e634668567b9ad82e03636cbcb2b52a5874886d869203f4715b5
Instruction Fuzzy Hash: 84515C65D0CA0687DB117728CC4536E3F909B81B21F208D59EDD5862ABDE388DCCBA86

Function 00F36192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F36248
_memmove.LIBCMT ref: 00F362E4
_memset.LIBCMT ref: 00F36308

Strings

ERCP, xrefs: 00F361B3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 510f58c946de3ee107eab1de51a3c4455db006a288b9f4d2e02817764c922518
Instruction ID: cc687c5b5a326a9a28da588b5e31100a6aaeae0a7da8779a9402e56eb37159b8
Opcode Fuzzy Hash: 510f58c946de3ee107eab1de51a3c4455db006a288b9f4d2e02817764c922518
Instruction Fuzzy Hash: A951A171900705EBDB24CF95C841BABBBF5AF04324F20856EE94ACB241EB74E950EB41

Function 00F797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F79296,?,?,00000034,00000800,?,00000034), ref: 00F814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F7983F

Part of subcall function 00F81487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F814B1

Part of subcall function 00F813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F81409
Part of subcall function 00F813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F7925A,00000034,?,?,00001004,00000000,00000000), ref: 00F81419
Part of subcall function 00F813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F7925A,00000034,?,?,00001004,00000000,00000000), ref: 00F8142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F798F9

Strings

@, xrefs: 00F79911

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ce4221f84ac8fed2043beb9de1d6617cc90118557e02a10571a25727dee57eee
Instruction ID: 992734feaf54aa83a4ab9f603d85245652517c4415feb62361f11d86aaf1b734
Opcode Fuzzy Hash: ce4221f84ac8fed2043beb9de1d6617cc90118557e02a10571a25727dee57eee
Instruction Fuzzy Hash: 3541507690021CBFDB10EFA4CC41ADEBBB8EB09310F104159FA45B7141DA746E45DBA1

Function 00FA7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FAF910,00000000,?,?,?,?), ref: 00FA79DF
GetWindowLongW.USER32 ref: 00FA79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA7A0C

Strings

SysTreeView32, xrefs: 00FA79B1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: fe7261b9f521216f285b8c702d915ed535c8e365ed4d21af3c7caaaa11ff2b2b
Instruction ID: df4003da677d0177fa05374d0643c1fc0f77040be0e03e51fe0609180a5e0852
Opcode Fuzzy Hash: fe7261b9f521216f285b8c702d915ed535c8e365ed4d21af3c7caaaa11ff2b2b
Instruction Fuzzy Hash: 7431BDB160420AABDB119E78DC41FEB77A9EB0A334F248725F875922E0D735ED50AB50

Function 00FA73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FA7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FA7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA7499

Strings

SysMonthCal32, xrefs: 00FA742C

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7b462b9260f3013792fa8875613b97d7fcbb9d8bc8f17ad6922d9ea416262c9b
Instruction ID: f5948ceada702d964929c070c1c72075e2bd5bdb5be6db5f6f31c1dbe5c8d4a2
Opcode Fuzzy Hash: 7b462b9260f3013792fa8875613b97d7fcbb9d8bc8f17ad6922d9ea416262c9b
Instruction Fuzzy Hash: 7421BF72500218ABDF11DEA4CC42FEA3B7AEB4D724F110214FE156B190DAB5AC51ABA0

Function 00FA7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FA7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FA7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FA7C5F

Strings

msctls_updown32, xrefs: 00FA7BC4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 602207b6867f693265d15f0fb407722ae97c77da967a9c610af92902c4ac6fdf
Instruction ID: c3691cab7a57c218a55d4f28bbc1331cb8e2a1d0cdd30cfa824efce181d5e137
Opcode Fuzzy Hash: 602207b6867f693265d15f0fb407722ae97c77da967a9c610af92902c4ac6fdf
Instruction Fuzzy Hash: 5B215EF5604208AFDB11EF64DCC1DA737EDEF5A7A4B140059FA019B3A1CB71EC11AAA0

Function 00FA6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FA6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FA6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FA6D70

Strings

Listbox, xrefs: 00FA6D08

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c80548eb55ef80e8d3997f65e3d7870b7a44cb21f97440da6b76bfe1210ba0cb
Instruction ID: 35be8536c6c899745469920f66f638449325d8df7af8be7ed3673c7736eaf9ca
Opcode Fuzzy Hash: c80548eb55ef80e8d3997f65e3d7870b7a44cb21f97440da6b76bfe1210ba0cb
Instruction Fuzzy Hash: 1F21C672A10118BFDF118F54DC45FBB3BBAEF8A774F058124FA459B1A0CA719C51ABA0

Function 00FA770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FA7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FA7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FA7794

Strings

msctls_trackbar32, xrefs: 00FA7749

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 00b58b3b6f80aa8971a4167f51ab6fcad76a8c9dd637b6d83c9a9ad08f4321a9
Instruction ID: 0073fdb8bc561fce929f8f6182d78a4c8e5b4ea89d94614cb0ccb80392acb67d
Opcode Fuzzy Hash: 00b58b3b6f80aa8971a4167f51ab6fcad76a8c9dd637b6d83c9a9ad08f4321a9
Instruction Fuzzy Hash: 29113AB2614308BFEF106F70CC01FD77769EF89B64F010118F64196090C671E811EB20

Function 00F24C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24B83,?), ref: 00F24C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24C56

Strings

kernel32.dll, xrefs: 00F24C3F
Wow64RevertWow64FsRedirection, xrefs: 00F24C50

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 909ec9ce0c21d84bd70d24ea759c13af11fed956c4ea6ff16037626ebdbac594
Instruction ID: 0793416f21003dde1f2b11ba8e772d42dcd96be1837655b4875881e1307a2ab3
Opcode Fuzzy Hash: 909ec9ce0c21d84bd70d24ea759c13af11fed956c4ea6ff16037626ebdbac594
Instruction Fuzzy Hash: 34D02B70910723CFC7205F75E80820673E4EF02355B14C83ED4E2DA160E7B0D480E610

Function 00F24C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24BD0,?,00F24DEF,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24C23

Strings

kernel32.dll, xrefs: 00F24C0C
Wow64DisableWow64FsRedirection, xrefs: 00F24C1D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 5729efc2592e6fc092749c60ec399ba3de1dec7227e24bf716921a32a7e4eb1c
Instruction ID: a8042efbf00b2ed7b048fb44743f6d95fe6cc2777be77f583f416f33ea86afec
Opcode Fuzzy Hash: 5729efc2592e6fc092749c60ec399ba3de1dec7227e24bf716921a32a7e4eb1c
Instruction Fuzzy Hash: 7CD0C270910723CFC720AFB4EC08206B6E5EF0A356B048C3AD481CA250E6B0D480E611

Function 00FA0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00FA1039), ref: 00FA0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FA0E07

Strings

advapi32.dll, xrefs: 00FA0DF0
RegDeleteKeyExW, xrefs: 00FA0E01

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0982f2332d42f5e27c7fe35f347e908cc99f2cd0d4630b8e45a514c68d8f93a4
Instruction ID: f150622d1d7850b8863d4181dcea62db6b9c476d5d221286185259f95ae0191b
Opcode Fuzzy Hash: 0982f2332d42f5e27c7fe35f347e908cc99f2cd0d4630b8e45a514c68d8f93a4
Instruction Fuzzy Hash: A1D0C2B0850316CFC3205FB0E84834272D5AF12351F088C3ED481C6250DAB0D490E600

Function 00F990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F98CF4,?,00FAF910), ref: 00F990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F99100

Strings

kernel32.dll, xrefs: 00F990E9
GetModuleHandleExW, xrefs: 00F990FA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 74bf1d99a1432ef64fc40322368946b0fa09d18bc138cdcb00f1387e1605a1c0
Instruction ID: 11ff92075948252936c8a0893d726080d359c08101547c69fee449b5b9e614d9
Opcode Fuzzy Hash: 74bf1d99a1432ef64fc40322368946b0fa09d18bc138cdcb00f1387e1605a1c0
Instruction Fuzzy Hash: 51D0C274910313CFDB209F75C80810272E4AF02392B068C3ED482CA150E6B0C4C0EA90

Function 00F61714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F61718
__swprintf.LIBCMT ref: 00F61749

Strings

%.3d, xrefs: 00F61723
WIN_XPe, xrefs: 00F61788

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 326f64afaca9dd769c2ce7e69c14ccc4f7f4bb504a836d6a2e856c64c73fde32
Instruction ID: cc89177936835a4705ff7a7d169e3a942afd22d4f99f8c147cdae9f120d3e224
Opcode Fuzzy Hash: 326f64afaca9dd769c2ce7e69c14ccc4f7f4bb504a836d6a2e856c64c73fde32
Instruction Fuzzy Hash: D0D01273804119EAC7009A909C88EB9777CBB09301F180462F806D2040E2259758FA21

Function 00F7717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2e53310905a1db7fc60f55070bd2f2cf4e16dde5e4426d3587a42eb2f9107
Instruction ID: 7d33c40a4be362e6ad393175de36e88f2efb41b012ebd7e963ae6889ab0586a4
Opcode Fuzzy Hash: a6a2e53310905a1db7fc60f55070bd2f2cf4e16dde5e4426d3587a42eb2f9107
Instruction Fuzzy Hash: ABC19175A14316EFCB14DFA4C884EAEBBB5FF48314B10859AE809EB251D730DD41EB91

Function 00F9E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F9E0BE
CharLowerBuffW.USER32(?,?), ref: 00F9E101

Part of subcall function 00F9D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F9D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F9E301
_memmove.LIBCMT ref: 00F9E314

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d4f5b1d166b2e29e6d7d997cea2079a1037ba61247dda354bba7037ad21f63cb
Instruction ID: 9514d495883d9b6fb9270af797e8c4a92eb4eba35f3ca293095239c10a471f47
Opcode Fuzzy Hash: d4f5b1d166b2e29e6d7d997cea2079a1037ba61247dda354bba7037ad21f63cb
Instruction Fuzzy Hash: 21C18C71A08311DFDB04DF28C880A6ABBE4FF89714F04896DF9999B351D731E945DB82

Function 00F98093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F980C3
CoUninitialize.OLE32 ref: 00F980CE

Part of subcall function 00F7D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7D5D4

VariantInit.OLEAUT32(?), ref: 00F980D9
VariantClear.OLEAUT32(?), ref: 00F983AA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ca2ca5ee189ce90fa9e1f8459bec4d86b040994c6afb5ad1e19b697c4be37405
Instruction ID: d97edc61045947504436427ec6ebb613e291823e697c8dae4b23827b81214442
Opcode Fuzzy Hash: ca2ca5ee189ce90fa9e1f8459bec4d86b040994c6afb5ad1e19b697c4be37405
Instruction Fuzzy Hash: 85A18C756087119FDB00DF64C881B6AB7E4BF8A364F08440CF9969B3A1CB78EC45EB46

Function 00F77530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F77702
CLSIDFromProgID.OLE32(?,?,00000000,00FAFB80,000000FF,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F77727
_memcmp.LIBCMT ref: 00F77748

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0d40b0737f3afecc771d22219fe7374c437ad80b6e8cdd6cd214e92b75ba1c24
Instruction ID: 2c7a3c802daf88733910b53d5d04ed392bb640a7d636aeb6f2532867981ec3cc
Opcode Fuzzy Hash: 0d40b0737f3afecc771d22219fe7374c437ad80b6e8cdd6cd214e92b75ba1c24
Instruction Fuzzy Hash: 7D814C71A10209EFCB04DFE4C984EEEB7B9FF89315F208159E505AB250DB71AE06DB61

Function 00F7687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F7688E
SysAllocString.OLEAUT32(00000000), ref: 00F76937
VariantCopy.OLEAUT32 ref: 00F76966
VariantClear.OLEAUT32(?), ref: 00F7698D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 197ef76b1103411728a38402c61a2d546f7a60c0791e0793f855ffb293f72024
Instruction ID: 8fec56331a512d77c8bef979fc41c2659fd7a696a4c76b2a0d419628ab210a24
Opcode Fuzzy Hash: 197ef76b1103411728a38402c61a2d546f7a60c0791e0793f855ffb293f72024
Instruction Fuzzy Hash: 8F51E775B04B019ADB20EF65D891B2AB3E5AF45310F20C81FE58EDB291DE78D840A702

Function 00FA97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0146F370,?), ref: 00FA9863
ScreenToClient.USER32(00000002,00000002), ref: 00FA9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00FA9903

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bc423f116bbfc2cad54c01f873bcb594c3ca9129829c77ce19fd5e2e88bb322a
Instruction ID: ce72264e3f93baffb93463fe239dfe0fd8d1098de2d716a9ba319d0ec795fef6
Opcode Fuzzy Hash: bc423f116bbfc2cad54c01f873bcb594c3ca9129829c77ce19fd5e2e88bb322a
Instruction Fuzzy Hash: 88514074E04209EFCF10CF54C884AAE7BB5FF56360F548169F9659B2A0D770AD41EB90

Function 00F79A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F79AD2
__itow.LIBCMT ref: 00F79B03

Part of subcall function 00F79D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F79DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F79B6C
__itow.LIBCMT ref: 00F79BC3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ddeb1d00a55aef9b5c21a444b367ed03e33094be1e0f2cfcea6bda5a73107663
Instruction ID: 22ed019322953054411b49f10a4cf13d1482436565ea141339956317747e3a46
Opcode Fuzzy Hash: ddeb1d00a55aef9b5c21a444b367ed03e33094be1e0f2cfcea6bda5a73107663
Instruction Fuzzy Hash: 5A41B570A04318ABDF11EF54DC45FEE7BB9EF85720F00405AF909A7291DBB49A44EB92

Function 00F969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F969D1
WSAGetLastError.WSOCK32(00000000), ref: 00F969E1

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F96A45
WSAGetLastError.WSOCK32(00000000), ref: 00F96A51

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 133f0181b4dd3bebe68f055ddcd1ab97793e2ad30a1d22d3a97099c8d1c0ddd2
Instruction ID: 29580e50436a5320ba35d5eca8ed0f3f005047c3ec4ace797e3209266589ea87
Opcode Fuzzy Hash: 133f0181b4dd3bebe68f055ddcd1ab97793e2ad30a1d22d3a97099c8d1c0ddd2
Instruction Fuzzy Hash: 6C41B175740210AFEB60AF64DC86F7A77A49F05B14F44801CFA59EF2C2DAB89D01AB91

Function 00F9641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00FAF910), ref: 00F964A7
_strlen.LIBCMT ref: 00F964D9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 960fff44adad29512c2f4c1d3d620c08698d64aa109bd28e6f95a4e23b2819b7
Instruction ID: b7703abe150ba9e3d780d0b6c569b89679ab2feb956ba67ea78892ddc9ad4ca5
Opcode Fuzzy Hash: 960fff44adad29512c2f4c1d3d620c08698d64aa109bd28e6f95a4e23b2819b7
Instruction Fuzzy Hash: 9241B571904214ABDF14EBA8EC85FAEB7A8AF44310F158159F819DB292DB38ED44EB50

Function 00F8B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F8B89E
GetLastError.KERNEL32(?,00000000), ref: 00F8B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F8B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F8B915

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ae76bacc2028e3665822d0348125349c9ef6f8194702570e9e753f17d70b29fa
Instruction ID: 6e89a831f7219338bd59bbd04b14c4d52f573518b6ff1ac06ff2ff51af73ec86
Opcode Fuzzy Hash: ae76bacc2028e3665822d0348125349c9ef6f8194702570e9e753f17d70b29fa
Instruction Fuzzy Hash: 1D412D35A00514DFCB10EF55D844A99BBE1EF4A320F498098EC4A9F362CB78FD01EB95

Function 00FA8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA88DE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ab1bd9e56eae26a9f66a356804106cdca880ceeccfc9b32c6f833c369ce1a08b
Instruction ID: e424870119299917ec6905e55e7a32fa3817244d91d375d05fc9cba25129bfc9
Opcode Fuzzy Hash: ab1bd9e56eae26a9f66a356804106cdca880ceeccfc9b32c6f833c369ce1a08b
Instruction Fuzzy Hash: D831D6B4A40108AFEB209E54CC45BBA77B5EB0B7A0F544112FA51E62A1CEB4E942B752

Function 00FAAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FAAB60
GetWindowRect.USER32(?,?), ref: 00FAABD6
PtInRect.USER32(?,?,00FAC014), ref: 00FAABE6
MessageBeep.USER32(00000000), ref: 00FAAC57

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 11f4030ec9613d6c94f7b341a6610f4c94789eafdf27b2e17a84e1f5a003fe6d
Instruction ID: d555ff9b1a40eb23bcef0e33d643b7ab98a38ea26ccf920b6828d94f15f02c49
Opcode Fuzzy Hash: 11f4030ec9613d6c94f7b341a6610f4c94789eafdf27b2e17a84e1f5a003fe6d
Instruction Fuzzy Hash: FD419FB0A00219DFDB11DF58C884B697BF5FF4A760F1880A9E8159F364D730E949EB92

Function 00F80AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F80B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F80B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F80BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F80BFB

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b5dccc8fe248206e0ccf583ed53f5fba49504e3dbefef8ed1363653549dd3656
Instruction ID: 678e2ee8673d94987136379ee02783e0866624c17b7b60e8592960772ec60f8b
Opcode Fuzzy Hash: b5dccc8fe248206e0ccf583ed53f5fba49504e3dbefef8ed1363653549dd3656
Instruction Fuzzy Hash: A3314B70D40208AEFF70AB658C09BF9BBA5AB85334F88435AE491D21D1CB78894CB752

Function 00F80C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F80C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F80C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F80CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F80D33

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 73db30d4206c98d72443f7561eab55f157a5af2fa449382a6b8263240097ade6
Instruction ID: 61d56baf3fcf8b18bbcc888c508b313f8c9b1160d61bf538626664b1ee57a18d
Opcode Fuzzy Hash: 73db30d4206c98d72443f7561eab55f157a5af2fa449382a6b8263240097ade6
Instruction Fuzzy Hash: 68314B71E002185EFF70AFA5CC047FEBB65AB46330F84431AE485511D1CB39594DB752

Function 00F561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F561FB
__isleadbyte_l.LIBCMT ref: 00F56229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F56257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F5628D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3dde6ca2ecdd9b558a8616a3aa234d6bb42fa402a70bdf4256f7a9f08ee20965
Instruction ID: 1f2f2aa0386d5ea012beec756d4c9f6a806df3911f67703ef351a4ffa462c6c4
Opcode Fuzzy Hash: 3dde6ca2ecdd9b558a8616a3aa234d6bb42fa402a70bdf4256f7a9f08ee20965
Instruction Fuzzy Hash: 1331BC31A04246AFDF218F65CC44BBA7FA9BF42322F554128ED64C71A1DB30E958EB90

Function 00FA4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FA4F02

Part of subcall function 00F83641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8365B
Part of subcall function 00F83641: GetCurrentThreadId.KERNEL32 ref: 00F83662
Part of subcall function 00F83641: AttachThreadInput.USER32(00000000,?,00F85005), ref: 00F83669

GetCaretPos.USER32(?), ref: 00FA4F13
ClientToScreen.USER32(00000000,?), ref: 00FA4F4E
GetForegroundWindow.USER32 ref: 00FA4F54

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 94767e9029481ddb20680769ad906a1ee048b7b2651f00201b1157f040e57988
Instruction ID: 0cd2f6afb7d7c5d7542d791e358c90bf56f91f769d1172a61fdc4d11f8345138
Opcode Fuzzy Hash: 94767e9029481ddb20680769ad906a1ee048b7b2651f00201b1157f040e57988
Instruction Fuzzy Hash: 87312FB1D00118AFDB00EFA5DC85DEFB7F9EF89300F11446AE415E7241DA759E059BA0

Function 00F83C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F83C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00F83C88
Process32NextW.KERNEL32(00000000,?), ref: 00F83CA8
CloseHandle.KERNEL32(00000000), ref: 00F83D52

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 70ced26c56556d1c7eb21462843145289ff23e8090002564a7211aff13926050
Instruction ID: a4656eda4422328745024673c89076f249148c6223eee02c0726841ba30e5a9f
Opcode Fuzzy Hash: 70ced26c56556d1c7eb21462843145289ff23e8090002564a7211aff13926050
Instruction Fuzzy Hash: 1331A0721083099FD300FF50DC81AAFBBE8EF95754F50082DF481861A1EB75EA49EB92

Function 00FAC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetCursorPos.USER32(?), ref: 00FAC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F5B9AB,?,?,?,?,?), ref: 00FAC4E7
GetCursorPos.USER32(?), ref: 00FAC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F5B9AB,?,?,?), ref: 00FAC56E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bbdf7ec4d431e3c58cc53e209d93cf38fcfdc0dc9189899a72a45eff945bc846
Instruction ID: 92f22419fc053335787fa69da7d7f74a83b0f0de2e24229bfada9f7e135fcaf6
Opcode Fuzzy Hash: bbdf7ec4d431e3c58cc53e209d93cf38fcfdc0dc9189899a72a45eff945bc846
Instruction Fuzzy Hash: C331647990045CEFCB15CF98C854EAA7BB9EF4A720F484155F9058B261C7316950EBE4

Function 00F78656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F78121
Part of subcall function 00F7810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F7812B
Part of subcall function 00F7810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7813A
Part of subcall function 00F7810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78141
Part of subcall function 00F7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F786A3
_memcmp.LIBCMT ref: 00F786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F786FC
HeapFree.KERNEL32(00000000), ref: 00F78703

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: db731bd56e65c8fab7b53a4d288686694ae4e3d64bacdace511c1a0cfbbff42f
Instruction ID: bf59b5ce63e464be5d45f87530f231196434dd4d40c2d640cad48311b0785f68
Opcode Fuzzy Hash: db731bd56e65c8fab7b53a4d288686694ae4e3d64bacdace511c1a0cfbbff42f
Instruction Fuzzy Hash: 53217C71E80108EFDB10DFA4CD49BEEB7B8EF45354F15805AE448AB241DB30AE06EB61

Function 00F4098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F409AE

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

_fprintf.LIBCMT ref: 00F409E5
OutputDebugStringW.KERNEL32(?), ref: 00F75DBB

Part of subcall function 00F44AAA: _flsall.LIBCMT ref: 00F44AC3

__setmode.LIBCMT ref: 00F40A1A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 01c3f94efa83d852090ceded5b7e7f11abe9dc1be00994b4b70782c5c30014b9
Instruction ID: e76af4a3eaa2a906bffce0a5f07e339eeed58b711aa5f547181b5a08687ed6fc
Opcode Fuzzy Hash: 01c3f94efa83d852090ceded5b7e7f11abe9dc1be00994b4b70782c5c30014b9
Instruction Fuzzy Hash: D8113A329082046FDB04B7B4AC47AFE7FA89F46320F64401AF60467282EE7C6C4677A5

Function 00F91767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F917A3

Part of subcall function 00F9182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9184C
Part of subcall function 00F9182D: InternetCloseHandle.WININET(00000000), ref: 00F918E9

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 81a90a63797da56b0a4aca514d55d8f46a3114f232f53a666ebca6a40415eb6f
Instruction ID: ce70619e4cbcf188cf00be56e73e8b4dab430de64987a7cf4348e1b87b610501
Opcode Fuzzy Hash: 81a90a63797da56b0a4aca514d55d8f46a3114f232f53a666ebca6a40415eb6f
Instruction Fuzzy Hash: 1121A172600606BFFF169FA0DC41FBABBA9FF49710F10443AFA1196650DB759811BBA0

Function 00F83A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FAFAC0), ref: 00F83A64
GetLastError.KERNEL32 ref: 00F83A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F83A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FAFAC0), ref: 00F83ADF

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f0e2357baaf27dbb0bbf2bc87dfe4786c1fe798160792a35d212c7d87cb2a1d0
Instruction ID: d645830b61fa62384326b6dbb2b22e1cc0237e9b2e127bcb3bea9abfdb656b1f
Opcode Fuzzy Hash: f0e2357baaf27dbb0bbf2bc87dfe4786c1fe798160792a35d212c7d87cb2a1d0
Instruction Fuzzy Hash: 1121D3785083058FC714FF28D8818AA77E4AE56764F104A2DF499C72A1D735DE4AEB42

Function 00F7DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?), ref: 00F7F0CB
Part of subcall function 00F7F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7F0F1
Part of subcall function 00F7F0BC: lstrcmpiW.KERNEL32(00000000,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?), ref: 00F7F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DCEC
lstrcpyW.KERNEL32(00000000,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DD46

Strings

cdecl, xrefs: 00F7DD3D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c1dbdba4f156e746c23efd4324569bf91ef8050344cb77410cbc0dd63c7bbe33
Instruction ID: dffc13b77b9edfbd38f1506523d421d52025d1f5c1b44d6b3be513058489108a
Opcode Fuzzy Hash: c1dbdba4f156e746c23efd4324569bf91ef8050344cb77410cbc0dd63c7bbe33
Instruction Fuzzy Hash: 8211B43A600305EBCB259F74CC4597A77B5FF45350B80812BE90ACB250EB719850E792

Function 00F550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F55101

Part of subcall function 00F4571C: __FF_MSGBANNER.LIBCMT ref: 00F45733
Part of subcall function 00F4571C: __NMSG_WRITE.LIBCMT ref: 00F4573A
Part of subcall function 00F4571C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f94dd7dc2a2eb292265d28d944b4cce7db12c4431a680ca9a3e995536b87eb85
Instruction ID: c71864af85d548acb65e86a1fbbdd6385486c5df6357bd3228cc7700561c4685
Opcode Fuzzy Hash: f94dd7dc2a2eb292265d28d944b4cce7db12c4431a680ca9a3e995536b87eb85
Instruction Fuzzy Hash: 5611E372D00E15AFCF313FB0AC5976D3F989F41BB3B100529FE449A161DE388849BA90

Function 00F96369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

gethostbyname.WSOCK32(?,?,?), ref: 00F96399
WSAGetLastError.WSOCK32(00000000), ref: 00F963A4
_memmove.LIBCMT ref: 00F963D1
inet_ntoa.WSOCK32(?), ref: 00F963DC

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ee6cdfc71d2b9151f6cbeb5b964219a34429903d671de9be64ced5aea4d6696e
Instruction ID: 3fec4408c06ced34a64aa200ff0921522ad3a7fd83edd50909a6d6ba795a159f
Opcode Fuzzy Hash: ee6cdfc71d2b9151f6cbeb5b964219a34429903d671de9be64ced5aea4d6696e
Instruction Fuzzy Hash: B2116072900109AFCF00FBA4ED46CEEB7B8AF09310B144065F505E7261DB38EE18EBA1

Function 00F78B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F78B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78BA4

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f92b88ef397250a14e0de973af31e0b75ab628d08162cf6d167c9361c9bc5ded
Instruction ID: 72568c332e82b6d78240ab56b5d898edff9a7ea9939af5fce87136ec381ad040
Opcode Fuzzy Hash: f92b88ef397250a14e0de973af31e0b75ab628d08162cf6d167c9361c9bc5ded
Instruction Fuzzy Hash: 02114C79940218FFDB10DF99CC84F9DBB74FB48350F204096E904B7250DA716E11EB94

Function 00F21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,00000020,?), ref: 00F212D8
GetClientRect.USER32(?,?), ref: 00F5B5FB
GetCursorPos.USER32(?), ref: 00F5B605
ScreenToClient.USER32(?,?), ref: 00F5B610

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d3d0499538941d460d65fa49f8ad76f2d16ea12a0e85bae8bde32e6dc9e48847
Instruction ID: 0050249d21d35745c6fdf462ed014366f0a77ffde7b6f32847d84d54c4780c03
Opcode Fuzzy Hash: d3d0499538941d460d65fa49f8ad76f2d16ea12a0e85bae8bde32e6dc9e48847
Instruction Fuzzy Hash: 05113A7690102DEFCB10DFA8E8859EE77B8FB16301F500456F901E7281D734BA55EBA9

Function 00F81142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F8115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F81184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F8118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F811C1

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7babe4764742e980c9048d90fb42acb41b05bea22e7d7c0d366275604cd7d17c
Instruction ID: b241184e24f38d95d786ce3c83254ad7e2df8a4ce261ae078e5c41314b528a0e
Opcode Fuzzy Hash: 7babe4764742e980c9048d90fb42acb41b05bea22e7d7c0d366275604cd7d17c
Instruction Fuzzy Hash: FE117C72D0091DD7CF00AFE4D848AEEBB7CFF09711F104155EA80B6240CB709556EBA1

Function 00F7D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F7D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F7D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F7D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F7D897

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 840b41f67d17612ca972328d98daf589fd20d0b3833964f4247fc9c9deb673b8
Instruction ID: bab961d3967083c4a5680dded1319903afdee03f6312d536ee96777d19f21374
Opcode Fuzzy Hash: 840b41f67d17612ca972328d98daf589fd20d0b3833964f4247fc9c9deb673b8
Instruction Fuzzy Hash: 591161B5605304DBE320CF90DC08F93BBBCEF04B00F50856AA95ADA490D7B0E549ABA3

Function 00F56FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F56FDB

Part of subcall function 00F576C2: __fltout2.LIBCMT ref: 00F576EB

__cftog_l.LIBCMT ref: 00F57001
__cftoe_l.LIBCMT ref: 00F57033

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 270bdaf2d67df71e12e784d1126f08a6de00b503bc808132121978051b2dab26
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 95014E7244424ABBCF166E84EC01CED3FA6BB18352F598415FF1859071D336D9B9BB81

Function 00FAB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FAB2E4
ScreenToClient.USER32(?,?), ref: 00FAB2FC
ScreenToClient.USER32(?,?), ref: 00FAB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAB33B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: cb7cc85f93ebab761a245c1df11c88b8be15a49d3035d3eec7b36f3c2700bced
Instruction ID: 1ae4c2cd94170203b1849a9337c44505b17f0557211216cc3cbbdcb97b934854
Opcode Fuzzy Hash: cb7cc85f93ebab761a245c1df11c88b8be15a49d3035d3eec7b36f3c2700bced
Instruction Fuzzy Hash: 931143B9D0020DEFDB41CFA9C8849EEBBB9FB09311F108166E914E3220D735AA559F90

Function 00FAB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FAB644
_memset.LIBCMT ref: 00FAB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FE6F20,00FE6F64), ref: 00FAB682
CloseHandle.KERNEL32 ref: 00FAB694

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9a008d80399f3e89d90f0b38a5cabe5d729ada7aae4908c7d81712694da020f6
Instruction ID: f8fb33e7cd4100b3988f41e0e1e651547dcb786dfd36cb1c636b9c809eeacd5b
Opcode Fuzzy Hash: 9a008d80399f3e89d90f0b38a5cabe5d729ada7aae4908c7d81712694da020f6
Instruction Fuzzy Hash: 9AF0FEF294038C7AE7102765BC46FBB7A9CEB197D5F404031BA08E9192E7755C10A7A8

Function 00F86BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F86BE6

Part of subcall function 00F876C4: _memset.LIBCMT ref: 00F876F9

_memmove.LIBCMT ref: 00F86C09
_memset.LIBCMT ref: 00F86C16
LeaveCriticalSection.KERNEL32(?), ref: 00F86C26

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7fcf097bc6a9777e2fb667a9710cf41139075f021e28b9f661cea20bf1a77e7c
Instruction ID: dd2dfd54815b33b18dd565897bce7a07fc6e319676979d2d9465ed6250280466
Opcode Fuzzy Hash: 7fcf097bc6a9777e2fb667a9710cf41139075f021e28b9f661cea20bf1a77e7c
Instruction Fuzzy Hash: 6EF05E7A200204ABCF416F95DC85A8ABF69EF46360F048061FE085E227DB35E811EBB4

Function 00F22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F22231
SetTextColor.GDI32(?,000000FF), ref: 00F2223B
SetBkMode.GDI32(?,00000001), ref: 00F22250
GetStockObject.GDI32(00000005), ref: 00F22258
GetWindowDC.USER32(?,00000000), ref: 00F5BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F5BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F5BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F5BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F5BEE2
ReleaseDC.USER32(?,00000000), ref: 00F5BEED

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 91459cb289d83475352bede458ec657f61dcb006510250dff2ebf38fa7e7e853
Instruction ID: fcf416c15483a11843792679b811f9c0ca7946e3c84efb0b304b43a0086e454c
Opcode Fuzzy Hash: 91459cb289d83475352bede458ec657f61dcb006510250dff2ebf38fa7e7e853
Instruction Fuzzy Hash: 49E03071904148EBDB215FA4FC0D7D83F10EB06332F148366FA69880E187714588EB12

Function 00F78712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F7871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F782E6), ref: 00F78722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F782E6), ref: 00F7872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F782E6), ref: 00F78736

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9e98b6379647f1937d9472a8b3fd499182d564380d60e70d100f5b377e3e4634
Instruction ID: 12d688012bffb973fadc8000a726b0f05bbff3cef09cf6e7b379394e9ef356d8
Opcode Fuzzy Hash: 9e98b6379647f1937d9472a8b3fd499182d564380d60e70d100f5b377e3e4634
Instruction Fuzzy Hash: 01E086B6A513159BD7605FF05D0CB973BACEF527E1F14C828F24ACE040DA34844AE751

Function 00F7B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F7B4BE

Strings

AutoIt3GUI, xrefs: 00F7B436
Container, xrefs: 00F7B43B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 52a5c29a47f71654f5f3886b39ee2a6c2462bc230b279dae43758defe61bad30
Instruction ID: e11afa76f646b71ff00eee4cd6b4aae7808c2eb8aa5ff53c4d4e37636637f102
Opcode Fuzzy Hash: 52a5c29a47f71654f5f3886b39ee2a6c2462bc230b279dae43758defe61bad30
Instruction Fuzzy Hash: 58916870600601AFDB54DF64C884B6ABBF5FF4A710F24856EF94ACB291DB70E841DB51

Function 00F8AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

__wcsnicmp.LIBCMT ref: 00F8B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F8B0F6

Strings

LPT, xrefs: 00F8B027

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 0f0c9ae992ea110aeebd76fcaa2a1a154b0f54f1f69a4c48b3848e20713e8388
Instruction ID: 8aadade329dec86900b33a841ca57e50c4d8ce7fa7397c04e8f915e00c50cea3
Opcode Fuzzy Hash: 0f0c9ae992ea110aeebd76fcaa2a1a154b0f54f1f69a4c48b3848e20713e8388
Instruction Fuzzy Hash: 8761B072E00219AFCB14EF94C895EEEB7B4EF09310F044069F916AB391DB74AE44EB50

Function 00F32957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F32968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F32981

Strings

@, xrefs: 00F32975

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 372d4f093b245179bc7aeedbb098c41d922f66b235b52076222e3a7e6f193a13
Instruction ID: f428711ddffd397af76db80d8e31b8b837d91eee15e9d5a8f43a88e168e8655e
Opcode Fuzzy Hash: 372d4f093b245179bc7aeedbb098c41d922f66b235b52076222e3a7e6f193a13
Instruction Fuzzy Hash: 19518A714097589BD320EF50EC86BAFBBE8FF85350F82485DF2D8420A1DB709529DB66

Function 00F89734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F24F0B: __fread_nolock.LIBCMT ref: 00F24F29

_wcscmp.LIBCMT ref: 00F89824
_wcscmp.LIBCMT ref: 00F89837

Strings

FILE, xrefs: 00F89770

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fc84b35c310b0fffa23840d2c50d71ed5a2276540518f818109bb64c7b3df5a8
Instruction ID: c98260b2927bf764c949838eed86a5430a1d4ae0371ff6b7099d0b6f4ae30d9c
Opcode Fuzzy Hash: fc84b35c310b0fffa23840d2c50d71ed5a2276540518f818109bb64c7b3df5a8
Instruction Fuzzy Hash: F041D831A0421ABADF20AFA0DC45FEFBBBDDF85710F050069F904B7181DBB5A9049B61

Function 00F9258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F925D4

Strings

|, xrefs: 00F925A5

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 139f343e4a606a46c9d6894ec57b4a6761b503cf5b7990caed941b0760745ea1
Instruction ID: cf1762ebad982fee9c3f1c62aa9baf14d48a72e95aff4f6f936a0f9566f18c43
Opcode Fuzzy Hash: 139f343e4a606a46c9d6894ec57b4a6761b503cf5b7990caed941b0760745ea1
Instruction Fuzzy Hash: DE310871C00219ABDF41EFA5DC85EEEBFB8FF08350F100069F915A6162EB355956EB60

Function 00FA7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FA7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA7B76

Strings

', xrefs: 00FA7ACA

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9165e885baf4bbdb4c683de371f9895b93fa27cbe8648c219305d0dfa70cb75c
Instruction ID: 78e42e2524e14b0f76d41c0d733c04649ad382a3a7724f00891bbdb5f1a95644
Opcode Fuzzy Hash: 9165e885baf4bbdb4c683de371f9895b93fa27cbe8648c219305d0dfa70cb75c
Instruction Fuzzy Hash: 2F4117B5A04309AFDB14DF65C880FEABBB5FB49340F10016AE904AB395D770AA51DFA0

Function 00FA6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FA6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FA6B53

Strings

static, xrefs: 00FA6AB3

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 91e607804ad8a57481c98f690b0fc81015a8510a8dff71583dd232c6cee85865
Instruction ID: 22f891d54b7fbac7b4d97ad6f716570881912feb22b8cb5f27219a0ab128b697
Opcode Fuzzy Hash: 91e607804ad8a57481c98f690b0fc81015a8510a8dff71583dd232c6cee85865
Instruction Fuzzy Hash: 3F31A1B1500604AEDB109F74CC80BFB73B9FF89764F148619F9A5D7190DA34AC91E760

Function 00F828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F8294C

Strings

0, xrefs: 00F8290A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2c7c22fba13131ba8c9535351514d2bea9735d9c9978013cc8d9ea728c14811a
Instruction ID: d06fc5fbd8ef8c11e789febc5cc6f97ed7aaf5a849501a388ebedbe6e5960861
Opcode Fuzzy Hash: 2c7c22fba13131ba8c9535351514d2bea9735d9c9978013cc8d9ea728c14811a
Instruction Fuzzy Hash: D631C331E00305AFEB64EF58CD85BEEBBB4EF45360F140029ED85A61A1D774A944FB51

Function 00F939E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F93A66

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00F93A58
, $, xrefs: 00F93AA6

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: f39c985652acf2756686d7f408c39f3d70ce8179b45aa8ec191fce08bd68112d
Instruction ID: 32468f0e0d2b7453e6880ee07ce174cf8925748619f0ceebee80ca478ae873e7
Opcode Fuzzy Hash: f39c985652acf2756686d7f408c39f3d70ce8179b45aa8ec191fce08bd68112d
Instruction Fuzzy Hash: 9B21A235600229AFCF10FF64DC82EAE77B5EF44740F444455F455AB282DB38EA46EB62

Function 00FA66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FA6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA676C

Strings

Combobox, xrefs: 00FA672E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ac922159dfc2021ead9bbd110953243c18419b417259d24cab01e29d941b6ad1
Instruction ID: c7238f735d426bf97e051d419630b835b232a8489ad27ca241ce95ed44a93017
Opcode Fuzzy Hash: ac922159dfc2021ead9bbd110953243c18419b417259d24cab01e29d941b6ad1
Instruction Fuzzy Hash: E711C8B5710208AFEF11DF54CC80EBB376AEB45368F150125F914DB290DA75DC51A7A0

Function 00FA6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

GetWindowRect.USER32(00000000,?), ref: 00FA6C71
GetSysColor.USER32(00000012), ref: 00FA6C8B

Strings

static, xrefs: 00FA6C4E

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 435eed3769b74d656f78f1875837fea522d5b58bd020d1699924f5122627260e
Instruction ID: 2ea1328470bd3b3cfc9a25971b771206f34347340a6d814399d256b4fb7859d3
Opcode Fuzzy Hash: 435eed3769b74d656f78f1875837fea522d5b58bd020d1699924f5122627260e
Instruction Fuzzy Hash: AD2159B2910219AFDF05DFB8CC45AEA7BA9FB09315F044628F995D2250D635E850EB60

Function 00FA6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FA69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FA69B1

Strings

edit, xrefs: 00FA6986

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31dc3973357741f12833f8cffca214a580395baa95be33e939bee93330f17377
Instruction ID: ad8689c1ff0e860946345b14e5bd58a925a458d8e290e633c2aa8d78a2da7663
Opcode Fuzzy Hash: 31dc3973357741f12833f8cffca214a580395baa95be33e939bee93330f17377
Instruction Fuzzy Hash: E5116AB1910208AFEB108E64DC44AEB37A9EB0A3B8F544728F9A5D61E0C735DC55BB60

Function 00F829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F82A41

Strings

0, xrefs: 00F82A18

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 935e6e9b0842f2a0cf3216872fd93aa887f30025bb4134e2a8589fc272c78970
Instruction ID: cd0897f72cc132fde1992fc0d8d65f27a3d8071e4b3d9532d03ceea4eab2c855
Opcode Fuzzy Hash: 935e6e9b0842f2a0cf3216872fd93aa887f30025bb4134e2a8589fc272c78970
Instruction Fuzzy Hash: 0F11D336D01118ABCF78EB98DD44BDA77B8AF46724F044021E855EB2A0D738BD0AE791

Function 00F921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F9222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F92255

Strings

<local>, xrefs: 00F9221D

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 70233fd2bac1e343e64a27e400ab7d06d1f2d3fe693e59ad5d830616ff132a34
Instruction ID: 51d0d52a65574606388728329089215442ca2abfb71510f32761a922a243c08d
Opcode Fuzzy Hash: 70233fd2bac1e343e64a27e400ab7d06d1f2d3fe693e59ad5d830616ff132a34
Instruction Fuzzy Hash: 5611E070941225BAFF288F518C84FFBFBA8FF06761F10822AF90486000D3706994E6F0

Function 00F78E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F78E73

Strings

ListBox, xrefs: 00F78E3D
ComboBox, xrefs: 00F78E12

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5c00405fdeb6e0c4ee7e12b3903f11b648bcc1a8517bb688b35414338c7618ea
Instruction ID: b017bec39190b0fd842eaaa62994920bf69bf90a78e8ea83a03554dbe81951ac
Opcode Fuzzy Hash: 5c00405fdeb6e0c4ee7e12b3903f11b648bcc1a8517bb688b35414338c7618ea
Instruction Fuzzy Hash: 7401F571A41228AB9B14FBE0CC45DFE7369AF02360B14461AF825573D1EF39580CF651

Function 00F78CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F78D6B

Strings

ListBox, xrefs: 00F78D35
ComboBox, xrefs: 00F78D0A

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 441af9fad9b28490340004b690b85fe3b3fdc52ff97c7c99f2c5f7ef79f354f3
Instruction ID: 1ffcd0f82d0d9da9c1798024d58b5351a47b9bb4661e1a0d766b341207af0770
Opcode Fuzzy Hash: 441af9fad9b28490340004b690b85fe3b3fdc52ff97c7c99f2c5f7ef79f354f3
Instruction Fuzzy Hash: 9301D471A81218ABDB24EBA0CD56EFE77A89F15350F14401AB809672D1DE299E0CF272

Function 00F78D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F78DEE

Strings

ListBox, xrefs: 00F78DBA
ComboBox, xrefs: 00F78D8F

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d5edc45daec323cda68719c8cbefe8e3197be9e35e5af839ade4bb565e30aee9
Instruction ID: ec30f22c39b1c46933ca5cbffbc52470c53ca8a5473cce41fd235e90ec78ab19
Opcode Fuzzy Hash: d5edc45daec323cda68719c8cbefe8e3197be9e35e5af839ade4bb565e30aee9
Instruction Fuzzy Hash: EC01F771A81218A7DB25F6A4CD46EFE77AC8F11350F144016B809A7291DE298E0DF272

Function 00F84F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F84F46
_wcscmp.LIBCMT ref: 00F84F58

Strings

#32770, xrefs: 00F84F52

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cc35604a18ae65b88634747aceeeeab9fccc5ae25283a99a1c6e25045744b411
Instruction ID: 5054bdfdb5f700a99b6639ca852c64f35216b05a362f669a3ee1a4d30641a44f
Opcode Fuzzy Hash: cc35604a18ae65b88634747aceeeeab9fccc5ae25283a99a1c6e25045744b411
Instruction Fuzzy Hash: C9E06832A0032D2BD320AB99AC49FA7FBACEB51B70F04002BFD00D7040D960AA4587E0

Function 00F5B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B314: _memset.LIBCMT ref: 00F5B321

Part of subcall function 00F40940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F5B2F0,?,?,?,00F2100A), ref: 00F40945

IsDebuggerPresent.KERNEL32(?,?,?,00F2100A), ref: 00F5B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F2100A), ref: 00F5B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F5B2FE

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 5574d31519d4ca6b1a2a8cadd922a2766eb4abe255c0c911892c9375ae22e8fe
Instruction ID: 9d347de130d0389af628c6427adaf7f07f708861833d19762c915d152a37a7cf
Opcode Fuzzy Hash: 5574d31519d4ca6b1a2a8cadd922a2766eb4abe255c0c911892c9375ae22e8fe
Instruction Fuzzy Hash: 8DE092B02007158FD760DF68E9047427BE4EF00715F008A6CE956DB342EBB4D448EBA1

Function 00F77C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F77C82

Part of subcall function 00F43358: _doexit.LIBCMT ref: 00F43362

Strings

AutoIt, xrefs: 00F77C76
Error allocating memory., xrefs: 00F77C7B

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ff542eada9ef2660cf39e854144c122298b3e14873823b2a8b14e3a44b062e06
Instruction ID: 075425a44b7272d2daea54be9fac87f8a1d31a12a2671616d64398827df8f02b
Opcode Fuzzy Hash: ff542eada9ef2660cf39e854144c122298b3e14873823b2a8b14e3a44b062e06
Instruction Fuzzy Hash: D3D05B323C431C36D21532A5BD07FDA7D484F05B52F044426FF085D5D34DD9959071E6

Function 00F61935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F61775

Part of subcall function 00F9BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F6195E,?), ref: 00F9BFFE
Part of subcall function 00F9BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F9C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F6196D

Strings

WIN_XPe, xrefs: 00F61788

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 7343b9a499ebc5560a5470422e03ae11c3fcf4725392eab9c6efbbd9c540ced4
Instruction ID: 0540debe6e351a96cc09cb35009087f7cd96a56899726ec26ce9fa1ff727714c
Opcode Fuzzy Hash: 7343b9a499ebc5560a5470422e03ae11c3fcf4725392eab9c6efbbd9c540ced4
Instruction Fuzzy Hash: 72F0C9B180010DDFDB15DB91D984BECBBF8BB18315F580095E102A6090D7755F88FF60

Function 00FA5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA59AE
PostMessageW.USER32(00000000), ref: 00FA59B5

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Strings

Shell_TrayWnd, xrefs: 00FA59A7

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 959d3d1afb512361c852601c075550cb55da1e9127d6b158421fe602d83a3892
Instruction ID: 8218e44e0ca78a40d109cdb05cae1681187d75fa87205999750b5bbf0e88950a
Opcode Fuzzy Hash: 959d3d1afb512361c852601c075550cb55da1e9127d6b158421fe602d83a3892
Instruction Fuzzy Hash: BDD0C9767803157BE664BBB0AC4BFD67A55AB05B50F080825B246AE2D4C9E4A804D654

Function 00FA5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FA5981

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Strings

Shell_TrayWnd, xrefs: 00FA5967

Memory Dump Source

Source File: 00000000.00000002.2119463439.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2119445657.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119511056.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119552836.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119566889.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_RFQ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5ed811fa8f800e6bd52fe94259fe80052bb6b9a8c600ffd7f0e31595f498a7f6
Instruction ID: da5bf8246804ad15c161e55766bc7ef61dcaacec9a07aae0ece8a0d77f3490fd
Opcode Fuzzy Hash: 5ed811fa8f800e6bd52fe94259fe80052bb6b9a8c600ffd7f0e31595f498a7f6
Instruction Fuzzy Hash: C8D0C976784315BBE664BBB0AC4BFD67A55AB01B50F080825B24AAE2D4C9E49804D654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ycdwx.exe.log

C:\Users\user\AppData\Local\Temp\Milburt

C:\Users\user\AppData\Local\Temp\aut121F.tmp

C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
RFQ.exe

Function 00F23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00F89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 016E9240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre