Edit tour

Windows Analysis Report
bcUcEm7AqP.exe

Overview

General Information

Sample name:	bcUcEm7AqP.exe renamed because original name is a hash value
Original sample name:	734CEFFDDCF39DF0E5C2259E6EBB975B.exe
Analysis ID:	1570272
MD5:	734ceffddcf39df0e5c2259e6ebb975b
SHA1:	f8a544bbe088f09308a01dc598ddaac7cd89a552
SHA256:	18725cce353d29c5fb73d6b93b17e0ddef59e53bc19c637cc15a96b921fcc173
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

bcUcEm7AqP.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\bcUcEm7AqP.exe" MD5: 734CEFFDDCF39DF0E5C2259E6EBB975B)

tabulations.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\bcUcEm7AqP.exe" MD5: 734CEFFDDCF39DF0E5C2259E6EBB975B)

RegSvcs.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\bcUcEm7AqP.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 4996 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

tabulations.exe (PID: 3068 cmdline: "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe" MD5: 734CEFFDDCF39DF0E5C2259E6EBB975B)

RegSvcs.exe (PID: 6796 cmdline: "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: tabulations.exe PID: 6996	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: tabulations.exe PID: 6996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7140	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: tabulations.exe PID: 3068	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: tabulations.exe PID: 3068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6796	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6796	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x33399:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.tabulations.exe.1750000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.tabulations.exe.1750000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.tabulations.exe.1750000.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
1.2.tabulations.exe.1750000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
5.2.tabulations.exe.8d0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
5.2.tabulations.exe.8d0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b19:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x4911:$a3: get_ActivatePong 0x7d31:$a4: vmware 0x7ba9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5660:$a6: get_SslClient
5.2.tabulations.exe.8d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.tabulations.exe.1750000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.tabulations.exe.1750000.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b19:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x4911:$a3: get_ActivatePong 0x7d31:$a4: vmware 0x7ba9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5660:$a6: get_SslClient
1.2.tabulations.exe.1750000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
6.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.RegSvcs.exe.600000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
6.2.RegSvcs.exe.600000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
5.2.tabulations.exe.8d0000.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
5.2.tabulations.exe.8d0000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.tabulations.exe.8d0000.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
5.2.tabulations.exe.8d0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , ProcessId: 4996, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" , ProcessId: 4996, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T17:57:24.342229+0100	2035595	1	Domain Observed Used for C2 Detected	69.174.100.131	6606	192.168.2.4	49732	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T17:57:24.342229+0100	2035607	1	Domain Observed Used for C2 Detected	69.174.100.131	6606	192.168.2.4	49732	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T17:57:24.342229+0100	2842478	1	Malware Command and Control Activity Detected	69.174.100.131	6606	192.168.2.4	49732	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: bcUcEm7AqP.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bcUcEm7AqP.exe

Joe Sandbox ML: detected

Source: bcUcEm7AqP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: tabulations.exe, 00000001.00000003.1738382184.0000000003440000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1738072642.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1895770742.0000000003700000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1896382586.00000000038A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tabulations.exe, 00000001.00000003.1738382184.0000000003440000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1738072642.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1895770742.0000000003700000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1896382586.00000000038A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006F445A
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FC6D1 FindFirstFileW,FindClose,	0_2_006FC6D1
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006FC75C
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FEF95
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FF0F2
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FF3F3
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F37EF
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F3B12
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FBCBC
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0096445A
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096C6D1 FindFirstFileW,FindClose,	1_2_0096C6D1
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0096C75C
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0096EF95
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0096F0F2
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0096F3F3
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009637EF
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00963B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00963B12
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0096BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 69.174.100.131:6606 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 69.174.100.131:6606 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 69.174.100.131:6606 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 69.174.100.131:6606 -> 192.168.2.4:49732

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 69.174.100.131:6606

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_007022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007022EE

Source: RegSvcs.exe, 00000002.00000002.2925168197.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000002.00000002.2925168197.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabaoqv
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 3068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00704164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00704164

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00704164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00704164
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00974164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00974164

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00703F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00703F66

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_006F001C

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_0071CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0071CABC
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0098CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0098CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00693B3A
Source: bcUcEm7AqP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: bcUcEm7AqP.exe, 00000000.00000003.1698932938.0000000003A73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ad48a708-8
Source: bcUcEm7AqP.exe, 00000000.00000003.1698932938.0000000003A73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ba22807c-c
Source: bcUcEm7AqP.exe, 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_18fc3f46-3
Source: bcUcEm7AqP.exe, 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0499197b-9
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00903B3A
Source: tabulations.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tabulations.exe, 00000001.00000002.1740625539.00000000009B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8741f5e3-b
Source: tabulations.exe, 00000001.00000002.1740625539.00000000009B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b9718ba1-1
Source: tabulations.exe, 00000005.00000000.1858251439.00000000009B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_60cfbd33-f
Source: tabulations.exe, 00000005.00000000.1858251439.00000000009B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5cd51291-9
Source: bcUcEm7AqP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b7c9c52c-0
Source: bcUcEm7AqP.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e05fc0b6-3
Source: tabulations.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e9a230b7-5
Source: tabulations.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4a683627-2

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_006FA1EF

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006E8310

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_006F51BD
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_009651BD

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_0069E6A0	0_2_0069E6A0
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BD975	0_2_006BD975
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_0069FCE0	0_2_0069FCE0
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B21C5	0_2_006B21C5
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C62D2	0_2_006C62D2
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_007103DA	0_2_007103DA
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C242E	0_2_006C242E
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B25FA	0_2_006B25FA
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006EE616	0_2_006EE616
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A66E1	0_2_006A66E1
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C878F	0_2_006C878F
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00710857	0_2_00710857
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C6844	0_2_006C6844
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A8808	0_2_006A8808
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F8889	0_2_006F8889
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BCB21	0_2_006BCB21
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C6DB6	0_2_006C6DB6
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A6F9E	0_2_006A6F9E
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A3030	0_2_006A3030
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BF1D9	0_2_006BF1D9
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B3187	0_2_006B3187
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00691287	0_2_00691287
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B1484	0_2_006B1484
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A5520	0_2_006A5520
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B7696	0_2_006B7696
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A5760	0_2_006A5760
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B1978	0_2_006B1978
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006C9AB5	0_2_006C9AB5
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00717DDB	0_2_00717DDB
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BBDA6	0_2_006BBDA6
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B1D90	0_2_006B1D90
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_0069DF00	0_2_0069DF00
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006A3FE0	0_2_006A3FE0
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_010450E0	0_2_010450E0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0090E6A0	1_2_0090E6A0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092D975	1_2_0092D975
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0090FCE0	1_2_0090FCE0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009221C5	1_2_009221C5
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009362D2	1_2_009362D2
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009803DA	1_2_009803DA
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0093242E	1_2_0093242E
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009225FA	1_2_009225FA
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009166E1	1_2_009166E1
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0095E616	1_2_0095E616
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0093878F	1_2_0093878F
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00968889	1_2_00968889
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00918808	1_2_00918808
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00980857	1_2_00980857
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00936844	1_2_00936844
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092CB21	1_2_0092CB21
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00936DB6	1_2_00936DB6
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00916F9E	1_2_00916F9E
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00913030	1_2_00913030
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00923187	1_2_00923187
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092F1D9	1_2_0092F1D9
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00901287	1_2_00901287
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00921484	1_2_00921484
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00915520	1_2_00915520
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00927696	1_2_00927696
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00915760	1_2_00915760
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00921978	1_2_00921978
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00939AB5	1_2_00939AB5
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00921D90	1_2_00921D90
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092BDA6	1_2_0092BDA6
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00987DDB	1_2_00987DDB
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00913FE0	1_2_00913FE0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0090DF00	1_2_0090DF00
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00B98AE0	1_2_00B98AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028665C0	2_2_028665C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02865CF0	2_2_02865CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0286A878	2_2_0286A878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028659A8	2_2_028659A8
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 5_2_01006EF0	5_2_01006EF0

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: String function: 00920AE3 appears 70 times
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: String function: 00907DE1 appears 35 times
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: String function: 00928900 appears 42 times
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: String function: 006B0AE3 appears 70 times
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: String function: 00697DE1 appears 36 times
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: String function: 006B8900 appears 42 times

Source: bcUcEm7AqP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 1.2.tabulations.exe.1750000.1.raw.unpack, Settings.cs	Base64 encoded string: 'WNkhGMjQebraVKNP8JFd/jNpfhjf7hdwltwh0LWvVoYCxQpHu6yJfwfwIOMC74WVcZH7+WHsrPSjMsvy7epmeg==', 'l9vDqe8osDYeqDjReN8bepnhFzK0kjLr960y5qQiDWW09d9pn0afU+PP5SNJ5nkIDorNaASKWLbbSNDHIK7ohw==', 'kCHyBES7xMp0gDfYa1fttkuy2T5Ojdnm5AZlrUEPxE81oz2R1YvVX72Lcab30+lSKpURz4FNIs8pVycEn1xb7Q==', 'iKik4JeJK95LlxMDvYBCGsoyrm75GwbWYZeSTIfull44GdBkkt/IvOwicoa4FjNoO3mD8IJSbk9u2/5QOIVePg==', 'wqzth82CYwGa74e2nPeThEgJQa/ElAolMG5pBDIJzB/LyGYHcRi4/RDNqWFi1x4qTrKz/VwUO3Ez6dtN2ihblsd8/U2Mw40EKQQuKoqoJC5vClviSZovc4xlNKck5FqowEhJ718HXDKi6DbJ0dxn8F3yTPZAc+/NMowo840gNrNVx+/ULLjAZ4s+RvajYQa+yti9IWA9pfdAgBTRpaoxWdLO/E04b8oJ5i0IhmqAZxOlRLMsr3McCMbHH6gnUQAxk7SMkc4YToe2fZfswYkrfhHr6n1IFTDLwxQo48aDXeZCLrBDUt0Hwzm5HidrCG3F+ybx2rhzqxaTwORkNZYT6qokUpIx6GEkfn2OKPgV7tJ+Z9z2to1xmIoJ4RROGKPMxfct3EPbVnVWipOEzM1y6BEbnXlBmXe5BPV+yeqJTVWy8RnzsNJTqUhVKSdKD15KaLfv4reGUwDOZVdbjimZjMXhnuOHXZ/YbZ1NiKzpNR3VBWXBPsXj0cDMhhkM7kF2ZLn90uC6pyjJPGujs+Ub26vZOZ79cpxhaqkkl5anPXo/a9bWd69gAO5IJ7zrGGWubaGMaI+40JOG5559Q0nX9LfTDyaSaTSKkxEH+CRDcyQSnxQZBHRhT15O6CfAViKFYqUhMI6C8JDYtfo2mX2yeLPeHkHdmlaYUNADyTwGQCc2Wjx2BYnCZ5pYRbLHXmitgEOt2iyHtg5mUSOZ6b5SS0UOqMNEEbBqbtKucPu7s8GeRAc50ibgJ1KM1OQ5As5LsZfo7s2N7SHsyaTS+t+xhLJ7vcoCQu5q/439VOba2WFDWK6GpeuwHjKX9Byd/O4MkHc6KilgfFIUIn4a3aMju+8vJubLWneB+tf8m/I5fFQ+BePabuTIZKxBcBYmbrR+uGy0A9xlbgo81TELAsMp+W/sasbrRupfVYmXOc2TXbWT5Xyy1mgDahk1gvHkK+yYDYATHTtAKLJ4ab7dNz+4/iVzwHiet45ADYAKim3J/otCT2OZ/YY6ml0TXWjqz5pb9kP0tQw5MfXtz3288WiBEoCL3pURv7c2susE1fI7vcEMpxgKzL/Ckhx0PT9vs6P/IOzrp0KjSB2caAa7erIB6AnAav0i7sbIFMpIZ8INn4q7hE45/draRRwjrwRscQQ6qxXk5w1mWFE+mF5kb6jCD6CVi5wmfqdX9fj6Fg9Uk8fGcJqvAmeUmlGvUUDYg1xzx/J/j8Wu9n4pordKrSyOKgiTZO45PhznLH1M6BEmYGJPH/NuT7wbU+esT4QH5IhnKRDbHZ0oNN1jkSuzqqx9Ekm4hcZXo9puwUvkEUQXpjpDs/JGnR854nT0tAPk6eKkqngqZBqQXErPwTfzPgjT08cronrZWPxutyQzSe7v/CqbYI0RCtYGHZAwNg/hugOF4tGs/uYa21x9eL7gz4buPUE7hPS88PFpQevBsUosaNU/4uapnc048D+vAveFmQcAEnKkY/XfkWvz1b+rL7NflsTBuhD4W31hsaopVUfVfZC88Z/IBRj/ncNwy04m5JS0KJZ1Qakt4FoQbvwWZnjZVg5shVYceIMWmJg1tbtJgrb0MJE3PpojZzcnUQfmRsxGuYqZSU6syjSEDC2hpoEkKHMS9WD6RenHjd1jhvBGjGKwXBdFFBSz/GLwHPXj3imwD1W6M6ZGe9alWk5IBFiFLncodbrnq5eYFC+xLCJ8puzcoqICfh3+TzhYG0Da2BrmOAnCOgnekXgIlFi+t27VorE5pkyz7sqt/ZAUBEfLFCvpSnwvTI5KmBlFpBkIWfRoQYUQ7I2lygr4L9XKc3qtGAv+3AweVhlyAxHjWXjmr/YM6ui8hqT/qN4LOe8/B+N5zJ8PM8KGecncaK21kge2ewE4s2T9CKFrBYdxrIJ5kHIwfes+PT9YbYnqNRvf/ArDONst0or3+IBo6iRqCQTFnhoEKoO7SoC/McHXcLnL5cdxmfNz/lvqyzgpcu1XGggXI+RLK4NcQf9GlC2DIPleJskQziu36Q5OtqnlnOqMB/oyLlnmsFl7G8JrmMQxwV5YMdManKl8V8rC6gEEi0OtAnezMOg7vQNFclXtDB9pxto9uHDYBzuivKv4ss+qbSPBwnAb5S7PkjLAZxRXgnlyAIsR9Ut+T6T6yP+WJwMd9DnHjXVPPcWi6Lt1g17tfBAzAkaRzJGCO+qbPemd20HlB/3v+V8OltvCO7iA7hQvrk+w0fa1L5wo5IGWAwIbfU6vlLGQtj8wvi37ClyimrazYmN9BJjHkbJSBOGVQxdyBZVfpghplZhLE+6SDKY/bP91xgP5dKB9lf04tLlgXhpUO7TJqKOwvyIGDjPNzhHIdsQ=', 'sgvFcm3Q40Evg9+J186vdf7f4+k0GL/713AdMxKTUDu8vK4h3WXM1sWIEc/KQffpGkY0DfW07sXOo4NP9Ei6XQ==', 'NL9vuydxFmwT2ed8GZE71V7r/WSjHtYFSGx11meYI4Y1/rEnKSQxxIAbZjXt2Jm0eEnGqIGc+jmtefkmNr7yAg=='
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, Settings.cs	Base64 encoded string: 'WNkhGMjQebraVKNP8JFd/jNpfhjf7hdwltwh0LWvVoYCxQpHu6yJfwfwIOMC74WVcZH7+WHsrPSjMsvy7epmeg==', 'l9vDqe8osDYeqDjReN8bepnhFzK0kjLr960y5qQiDWW09d9pn0afU+PP5SNJ5nkIDorNaASKWLbbSNDHIK7ohw==', 'kCHyBES7xMp0gDfYa1fttkuy2T5Ojdnm5AZlrUEPxE81oz2R1YvVX72Lcab30+lSKpURz4FNIs8pVycEn1xb7Q==', 'iKik4JeJK95LlxMDvYBCGsoyrm75GwbWYZeSTIfull44GdBkkt/IvOwicoa4FjNoO3mD8IJSbk9u2/5QOIVePg==', 'wqzth82CYwGa74e2nPeThEgJQa/ElAolMG5pBDIJzB/LyGYHcRi4/RDNqWFi1x4qTrKz/VwUO3Ez6dtN2ihblsd8/U2Mw40EKQQuKoqoJC5vClviSZovc4xlNKck5FqowEhJ718HXDKi6DbJ0dxn8F3yTPZAc+/NMowo840gNrNVx+/ULLjAZ4s+RvajYQa+yti9IWA9pfdAgBTRpaoxWdLO/E04b8oJ5i0IhmqAZxOlRLMsr3McCMbHH6gnUQAxk7SMkc4YToe2fZfswYkrfhHr6n1IFTDLwxQo48aDXeZCLrBDUt0Hwzm5HidrCG3F+ybx2rhzqxaTwORkNZYT6qokUpIx6GEkfn2OKPgV7tJ+Z9z2to1xmIoJ4RROGKPMxfct3EPbVnVWipOEzM1y6BEbnXlBmXe5BPV+yeqJTVWy8RnzsNJTqUhVKSdKD15KaLfv4reGUwDOZVdbjimZjMXhnuOHXZ/YbZ1NiKzpNR3VBWXBPsXj0cDMhhkM7kF2ZLn90uC6pyjJPGujs+Ub26vZOZ79cpxhaqkkl5anPXo/a9bWd69gAO5IJ7zrGGWubaGMaI+40JOG5559Q0nX9LfTDyaSaTSKkxEH+CRDcyQSnxQZBHRhT15O6CfAViKFYqUhMI6C8JDYtfo2mX2yeLPeHkHdmlaYUNADyTwGQCc2Wjx2BYnCZ5pYRbLHXmitgEOt2iyHtg5mUSOZ6b5SS0UOqMNEEbBqbtKucPu7s8GeRAc50ibgJ1KM1OQ5As5LsZfo7s2N7SHsyaTS+t+xhLJ7vcoCQu5q/439VOba2WFDWK6GpeuwHjKX9Byd/O4MkHc6KilgfFIUIn4a3aMju+8vJubLWneB+tf8m/I5fFQ+BePabuTIZKxBcBYmbrR+uGy0A9xlbgo81TELAsMp+W/sasbrRupfVYmXOc2TXbWT5Xyy1mgDahk1gvHkK+yYDYATHTtAKLJ4ab7dNz+4/iVzwHiet45ADYAKim3J/otCT2OZ/YY6ml0TXWjqz5pb9kP0tQw5MfXtz3288WiBEoCL3pURv7c2susE1fI7vcEMpxgKzL/Ckhx0PT9vs6P/IOzrp0KjSB2caAa7erIB6AnAav0i7sbIFMpIZ8INn4q7hE45/draRRwjrwRscQQ6qxXk5w1mWFE+mF5kb6jCD6CVi5wmfqdX9fj6Fg9Uk8fGcJqvAmeUmlGvUUDYg1xzx/J/j8Wu9n4pordKrSyOKgiTZO45PhznLH1M6BEmYGJPH/NuT7wbU+esT4QH5IhnKRDbHZ0oNN1jkSuzqqx9Ekm4hcZXo9puwUvkEUQXpjpDs/JGnR854nT0tAPk6eKkqngqZBqQXErPwTfzPgjT08cronrZWPxutyQzSe7v/CqbYI0RCtYGHZAwNg/hugOF4tGs/uYa21x9eL7gz4buPUE7hPS88PFpQevBsUosaNU/4uapnc048D+vAveFmQcAEnKkY/XfkWvz1b+rL7NflsTBuhD4W31hsaopVUfVfZC88Z/IBRj/ncNwy04m5JS0KJZ1Qakt4FoQbvwWZnjZVg5shVYceIMWmJg1tbtJgrb0MJE3PpojZzcnUQfmRsxGuYqZSU6syjSEDC2hpoEkKHMS9WD6RenHjd1jhvBGjGKwXBdFFBSz/GLwHPXj3imwD1W6M6ZGe9alWk5IBFiFLncodbrnq5eYFC+xLCJ8puzcoqICfh3+TzhYG0Da2BrmOAnCOgnekXgIlFi+t27VorE5pkyz7sqt/ZAUBEfLFCvpSnwvTI5KmBlFpBkIWfRoQYUQ7I2lygr4L9XKc3qtGAv+3AweVhlyAxHjWXjmr/YM6ui8hqT/qN4LOe8/B+N5zJ8PM8KGecncaK21kge2ewE4s2T9CKFrBYdxrIJ5kHIwfes+PT9YbYnqNRvf/ArDONst0or3+IBo6iRqCQTFnhoEKoO7SoC/McHXcLnL5cdxmfNz/lvqyzgpcu1XGggXI+RLK4NcQf9GlC2DIPleJskQziu36Q5OtqnlnOqMB/oyLlnmsFl7G8JrmMQxwV5YMdManKl8V8rC6gEEi0OtAnezMOg7vQNFclXtDB9pxto9uHDYBzuivKv4ss+qbSPBwnAb5S7PkjLAZxRXgnlyAIsR9Ut+T6T6yP+WJwMd9DnHjXVPPcWi6Lt1g17tfBAzAkaRzJGCO+qbPemd20HlB/3v+V8OltvCO7iA7hQvrk+w0fa1L5wo5IGWAwIbfU6vlLGQtj8wvi37ClyimrazYmN9BJjHkbJSBOGVQxdyBZVfpghplZhLE+6SDKY/bP91xgP5dKB9lf04tLlgXhpUO7TJqKOwvyIGDjPNzhHIdsQ=', 'sgvFcm3Q40Evg9+J186vdf7f4+k0GL/713AdMxKTUDu8vK4h3WXM1sWIEc/KQffpGkY0DfW07sXOo4NP9Ei6XQ==', 'NL9vuydxFmwT2ed8GZE71V7r/WSjHtYFSGx11meYI4Y1/rEnKSQxxIAbZjXt2Jm0eEnGqIGc+jmtefkmNr7yAg=='

Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.tabulations.exe.8d0000.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.tabulations.exe.1750000.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.tabulations.exe.1750000.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@10/9@0/1

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006FA06A GetLastError,FormatMessageW,

0_2_006FA06A

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006E81CB AdjustTokenPrivileges,CloseHandle,	0_2_006E81CB
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006E87E1
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009581CB AdjustTokenPrivileges,CloseHandle,	1_2_009581CB
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_009587E1

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006FB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006FB333

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_0070EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0070EE0D

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_007083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007083BB

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00694E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00694E89

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

File created: C:\Users\user\AppData\Local\undiscernibleness

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\abkZfsCYRZhk

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

File created: C:\Users\user\AppData\Local\Temp\autDB6F.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs"

Source: bcUcEm7AqP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bcUcEm7AqP.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

File read: C:\Users\user\Desktop\bcUcEm7AqP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bcUcEm7AqP.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Process created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Process created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bcUcEm7AqP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bcUcEm7AqP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: tabulations.exe, 00000001.00000003.1738382184.0000000003440000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1738072642.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1895770742.0000000003700000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1896382586.00000000038A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tabulations.exe, 00000001.00000003.1738382184.0000000003440000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1738072642.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1895770742.0000000003700000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000003.1896382586.00000000038A0000.00000004.00001000.00020000.00000000.sdmp

Source: bcUcEm7AqP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bcUcEm7AqP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bcUcEm7AqP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bcUcEm7AqP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bcUcEm7AqP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00694B37 LoadLibraryA,GetProcAddress,

0_2_00694B37

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_0069C4C6 push A30069BAh; retn 0069h	0_2_0069C50D
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F848F push FFFFFF8Bh; iretd	0_2_006F8491
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BE70F push edi; ret	0_2_006BE711
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BE828 push esi; ret	0_2_006BE82A
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006B8945 push ecx; ret	0_2_006B8958
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BEA03 push esi; ret	0_2_006BEA05
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BEAEC push edi; ret	0_2_006BEAEE
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096848F push FFFFFF8Bh; iretd	1_2_00968491
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092E70F push edi; ret	1_2_0092E711
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092E828 push esi; ret	1_2_0092E82A
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00928945 push ecx; ret	1_2_00928958
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092EAEC push edi; ret	1_2_0092EAEE
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092EA03 push esi; ret	1_2_0092EA05

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

File created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 3068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_006948D7
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00715376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00715376
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_009048D7
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00985376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00985376

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006B3187

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 3068, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 3068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	API/Special instruction interceptor: Address: B98704
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	API/Special instruction interceptor: Address: 1006B14

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tabulations.exe, 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 824			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9009			Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-103126
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	API coverage: 5.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006F445A
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FC6D1 FindFirstFileW,FindClose,	0_2_006FC6D1
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006FC75C
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FEF95
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FF0F2
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FF3F3
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F37EF
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F3B12
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FBCBC
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0096445A
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096C6D1 FindFirstFileW,FindClose,	1_2_0096C6D1
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0096C75C
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0096EF95
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0096F0F2
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0096F3F3
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_009637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009637EF
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00963B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00963B12
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0096BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0096BCBC

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006949A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000004.00000002.1859223791.000001828FDD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2925534062.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 00000002.00000002.2925168197.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhy

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	API call chain: ExitProcess graph end node	graph_0-100584
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	API call chain: ExitProcess graph end node	graph_0-101409
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00703F09 BlockInput,

0_2_00703F09

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00693B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00693B3A

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_006C5A7C

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00694B37 LoadLibraryA,GetProcAddress,

0_2_00694B37

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_01043950 mov eax, dword ptr fs:[00000030h]	0_2_01043950
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_01044F70 mov eax, dword ptr fs:[00000030h]	0_2_01044F70
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_01044FD0 mov eax, dword ptr fs:[00000030h]	0_2_01044FD0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00B97350 mov eax, dword ptr fs:[00000030h]	1_2_00B97350
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00B989D0 mov eax, dword ptr fs:[00000030h]	1_2_00B989D0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00B98970 mov eax, dword ptr fs:[00000030h]	1_2_00B98970
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 5_2_01006D80 mov eax, dword ptr fs:[00000030h]	5_2_01006D80
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 5_2_01006DE0 mov eax, dword ptr fs:[00000030h]	5_2_01006DE0
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 5_2_01005760 mov eax, dword ptr fs:[00000030h]	5_2_01005760

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006E80A9

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006BA155
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_006BA124 SetUnhandledExceptionFilter,	0_2_006BA124
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092A124 SetUnhandledExceptionFilter,	1_2_0092A124
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_0092A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0092A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 821008			Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5E1008			Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006E87B1 LogonUserW,

0_2_006E87B1

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_00693B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00693B3A

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006948D7

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006F4C7F mouse_event,

0_2_006F4C7F

Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\bcUcEm7AqP.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006E7CAF

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006E874B

Source: bcUcEm7AqP.exe, tabulations.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bcUcEm7AqP.exe, tabulations.exe	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^q`
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q%
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^q\
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^q
Source: RegSvcs.exe, 00000002.00000002.2925890166.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,^q

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006B862B cpuid

0_2_006B862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006C4E87

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006D1E06 GetUserNameW,

0_2_006D1E06

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006C3F3A

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Code function: 0_2_006949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006949A0

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tabulations.exe.1750000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tabulations.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tabulations.exe PID: 3068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: tabulations.exe	Binary or memory string: WIN_81
Source: tabulations.exe	Binary or memory string: WIN_XP
Source: tabulations.exe	Binary or memory string: WIN_XPe
Source: tabulations.exe	Binary or memory string: WIN_VISTA
Source: tabulations.exe	Binary or memory string: WIN_7
Source: tabulations.exe	Binary or memory string: WIN_8
Source: tabulations.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00706283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00706283
Source: C:\Users\user\Desktop\bcUcEm7AqP.exe	Code function: 0_2_00706747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00706747
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00976283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00976283
Source: C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	Code function: 1_2_00976747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00976747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	121 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	1 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bcUcEm7AqP.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
bcUcEm7AqP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Antivirus Detection	Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.101	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2925890166.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.174.100.131	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570272
Start date and time:	2024-12-06 17:56:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bcUcEm7AqP.exe renamed because original name is a hash value
Original Sample Name:	734CEFFDDCF39DF0E5C2259E6EBB975B.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@10/9@0/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 281
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 217.20.58.101
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6796 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 7140 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bcUcEm7AqP.exe

Simulations

Behavior and APIs

Time	Type	Description
11:57:25	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
16:57:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
69.174.100.131	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	Drawing&spec.scr.exe	Get hash	malicious	AsyncRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	FW_ _Reminder_ Membership Credit Verification - TPIS Industrial Services_ LLC.msg	Get hash	malicious	Unknown	Browse	84.201.209.75
	32.exe	Get hash	malicious	CobaltStrike	Browse	217.20.57.24
	tegga.hta	Get hash	malicious	Xmrig	Browse	217.20.58.101
	dY1ZxYJOz7.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	217.20.58.100
	Packed.exe	Get hash	malicious	Unknown	Browse	217.20.59.36
	BACS190027-01.pdf	Get hash	malicious	Unknown	Browse	84.201.208.68
	vortex.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	217.20.56.101
	E236.js	Get hash	malicious	Unknown	Browse	217.20.56.102
	15qW95or0o.exe	Get hash	malicious	Unknown	Browse	84.201.211.18
	vqIfmmbm9Y.exe	Get hash	malicious	Unknown	Browse	84.201.208.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	ET5.exe	Get hash	malicious	Unknown	Browse	45.61.165.224
	na.elf	Get hash	malicious	Unknown	Browse	194.146.117.28
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	69.174.100.131
	Vwf30y6XRO.exe	Get hash	malicious	Crimson	Browse	104.223.106.8
	Vwf30y6XRO.exe	Get hash	malicious	Crimson	Browse	104.223.106.8
	SujNUVdm7o.exe	Get hash	malicious	GuLoader	Browse	72.11.142.133
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	69.174.100.131
	Drawing&spec.scr.exe	Get hash	malicious	AsyncRAT	Browse	69.174.100.131
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	216.144.226.243
	sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	23.163.68.178

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1165518182376095
Encrypted:	false
SSDEEP:	6:kKlZ9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:6DnLNkPlE99SNxAhUe/3
MD5:	0D0BCF9CA2055E23ECB24C27BF89AF20
SHA1:	569C1B76CE8E568DB77CE278760C916A764DA38F
SHA-256:	27C472D07ECD30B7D1C8A15464B73D670ACA8D8513AECC4AF7C43E078AD34173
SHA-512:	BE9D8E6AD34C3A60C7E1B3AE2355C778C9727F34583C50FA159C5037255C7FFDA0583F76A106D941F878AF9CEAB55ECD662ED6A900DE688BAF5A6A5AE1762AFF
Malicious:	false
Reputation:	low
Preview:	p...... ..........#..G..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\aut2827.tmp

Download File

Process:	C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe
File Type:	data
Category:	dropped
Size (bytes):	38772
Entropy (8bit):	7.828669865844609
Encrypted:	false
SSDEEP:	768:jRrEyLnosvmdEXRj5hwMlN6K8yFBnS70ojCneFpnHJwHXtZ6No:lYyL9AEXh5hwMlN6SEjCn4wdZ6No
MD5:	15484FAD5C754368F6D8A6801D34D771
SHA1:	643F63F44553A64BB535101BD88FFF0FF5560DB2
SHA-256:	BFC692D5A9CD8DB62DB2FD1684C682C0C1DD805307A92468233328194E65FC25
SHA-512:	C34534D9113609C5F3B6E4C1EA0FD852E678BAE6A72988FAFECC614BB43069D17B3B572BC0AF13FAD4C68EAE81B25D376DB28FDE4A732041B4EDEBCD2DFDE12D
Malicious:	false
Preview:	EA06.....[.....Y..i.mw..1..(3JE&c3..k .EFiR.....S...:`.E...T.....I.."Py..Mh.H.sZ.Z.a..d....;.Z&.J..Y.Aoq.Mr.7.]..Ze..#1.d.g..V...]......X.U(.j.p.H..6b...~,...D...Rf10...H.U@.3L....4.L..13......b.Q...5.."..I...7p.Z.f....S.D.....g...0...i...`.]..)....'c4I%2x.lQ.......`.../0..,...`.$m. ..........8..es..KQ.W.-31....p./..P..Z\|z..../..E.4......"UQ.T@....O..~..x..~..i....n.x..n.(e..J..^.O}..\`....ck.6...Y...S...5..{J.&c7......B=L...:..WM.Vk5..b....f.K\.m_....:=_.P...m:.4.Scr.f.U.P.r.d.o0......].Z)..Y..-b....)...ab...t..../.T.38.~m..-49]V.Q.^%.].p.i..n6z.".G.TcpZu(.H.W-...~.h.KS....H.ow..V.\|..~....iN...C....F...$..'H...5....n.......\...u:...`.Tf....aA.Z-39.Nm..l/u.d......U.m..U.J..J..G...64.mX.H.Q...t....fu:.....G"S....b.Ab.9.....^k`.M.....9..E.G4..h.....C..2....Q.Ow.y..9h..f.=.j.H.Q@...e..."....8...)..ug.N$.....'.X*4I.8..I....Vm..(...Jc1.[...L.s..Q..\|..(..)sy=Zc3..b.....@.G.1..Z......t..K....fcF..!.j........h.....0id\|.8..$W;\...<T+.8D..{....1..

C:\Users\user\AppData\Local\Temp\autDB6F.tmp

Download File

Process:	C:\Users\user\Desktop\bcUcEm7AqP.exe
File Type:	data
Category:	dropped
Size (bytes):	38772
Entropy (8bit):	7.828669865844609
Encrypted:	false
SSDEEP:	768:jRrEyLnosvmdEXRj5hwMlN6K8yFBnS70ojCneFpnHJwHXtZ6No:lYyL9AEXh5hwMlN6SEjCn4wdZ6No
MD5:	15484FAD5C754368F6D8A6801D34D771
SHA1:	643F63F44553A64BB535101BD88FFF0FF5560DB2
SHA-256:	BFC692D5A9CD8DB62DB2FD1684C682C0C1DD805307A92468233328194E65FC25
SHA-512:	C34534D9113609C5F3B6E4C1EA0FD852E678BAE6A72988FAFECC614BB43069D17B3B572BC0AF13FAD4C68EAE81B25D376DB28FDE4A732041B4EDEBCD2DFDE12D
Malicious:	false
Preview:	EA06.....[.....Y..i.mw..1..(3JE&c3..k .EFiR.....S...:`.E...T.....I.."Py..Mh.H.sZ.Z.a..d....;.Z&.J..Y.Aoq.Mr.7.]..Ze..#1.d.g..V...]......X.U(.j.p.H..6b...~,...D...Rf10...H.U@.3L....4.L..13......b.Q...5.."..I...7p.Z.f....S.D.....g...0...i...`.]..)....'c4I%2x.lQ.......`.../0..,...`.$m. ..........8..es..KQ.W.-31....p./..P..Z\|z..../..E.4......"UQ.T@....O..~..x..~..i....n.x..n.(e..J..^.O}..\`....ck.6...Y...S...5..{J.&c7......B=L...:..WM.Vk5..b....f.K\.m_....:=_.P...m:.4.Scr.f.U.P.r.d.o0......].Z)..Y..-b....)...ab...t..../.T.38.~m..-49]V.Q.^%.].p.i..n6z.".G.TcpZu(.H.W-...~.h.KS....H.ow..V.\|..~....iN...C....F...$..'H...5....n.......\...u:...`.Tf....aA.Z-39.Nm..l/u.d......U.m..U.J..J..G...64.mX.H.Q...t....fu:.....G"S....b.Ab.9.....^k`.M.....9..E.G4..h.....C..2....Q.Ow.y..9h..f.=.j.H.Q@...e..."....8...)..ug.N$.....'.X*4I.8..I....Vm..(...Jc1.[...L.s..Q..\|..(..)sy=Zc3..b.....@.G.1..Z......t..K....fcF..!.j........h.....0id\|.8..$W;\...<T+.8D..{....1..

C:\Users\user\AppData\Local\Temp\autE9F5.tmp

Download File

Process:	C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe
File Type:	data
Category:	dropped
Size (bytes):	38772
Entropy (8bit):	7.828669865844609
Encrypted:	false
SSDEEP:	768:jRrEyLnosvmdEXRj5hwMlN6K8yFBnS70ojCneFpnHJwHXtZ6No:lYyL9AEXh5hwMlN6SEjCn4wdZ6No
MD5:	15484FAD5C754368F6D8A6801D34D771
SHA1:	643F63F44553A64BB535101BD88FFF0FF5560DB2
SHA-256:	BFC692D5A9CD8DB62DB2FD1684C682C0C1DD805307A92468233328194E65FC25
SHA-512:	C34534D9113609C5F3B6E4C1EA0FD852E678BAE6A72988FAFECC614BB43069D17B3B572BC0AF13FAD4C68EAE81B25D376DB28FDE4A732041B4EDEBCD2DFDE12D
Malicious:	false
Preview:	EA06.....[.....Y..i.mw..1..(3JE&c3..k .EFiR.....S...:`.E...T.....I.."Py..Mh.H.sZ.Z.a..d....;.Z&.J..Y.Aoq.Mr.7.]..Ze..#1.d.g..V...]......X.U(.j.p.H..6b...~,...D...Rf10...H.U@.3L....4.L..13......b.Q...5.."..I...7p.Z.f....S.D.....g...0...i...`.]..)....'c4I%2x.lQ.......`.../0..,...`.$m. ..........8..es..KQ.W.-31....p./..P..Z\|z..../..E.4......"UQ.T@....O..~..x..~..i....n.x..n.(e..J..^.O}..\`....ck.6...Y...S...5..{J.&c7......B=L...:..WM.Vk5..b....f.K\.m_....:=_.P...m:.4.Scr.f.U.P.r.d.o0......].Z)..Y..-b....)...ab...t..../.T.38.~m..-49]V.Q.^%.].p.i..n6z.".G.TcpZu(.H.W-...~.h.KS....H.ow..V.\|..~....iN...C....F...$..'H...5....n.......\...u:...`.Tf....aA.Z-39.Nm..l/u.d......U.m..U.J..J..G...64.mX.H.Q...t....fu:.....G"S....b.Ab.9.....^k`.M.....9..E.G4..h.....C..2....Q.Ow.y..9h..f.=.j.H.Q@...e..."....8...)..ug.N$.....'.X*4I.8..I....Vm..(...Jc1.[...L.s..Q..\|..(..)sy=Zc3..b.....@.G.1..Z......t..K....fcF..!.j........h.....0id\|.8..$W;\...<T+.8D..{....1..

C:\Users\user\AppData\Local\Temp\bezzo

Download File

Process:	C:\Users\user\Desktop\bcUcEm7AqP.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.661475980855618
Encrypted:	false
SSDEEP:	768:AvMXf+LvdruAY0Yd2YoLbRy3yXjy3jo9xueCmWaZyts13PWyJmS2rqw5Lq/xbmqy:AktF0C27hzyTYXWagts1OSJwtqhmqsQq
MD5:	A60DDDD29BE34635D61A5FBE586C8CDF
SHA1:	426361B16AC99975CD5325288530C771EA032AC7
SHA-256:	EC173317D84F159A1FA8017B084397E15EF908BA1E457FA3BC16B3B3779BD4F6
SHA-512:	E1373B2454558FD219BA2A8B849EE424780F630C2DB9BB8E60047E5C4A74F4A96D9B51D5485A1A8093FF019CD192FE9E564B1219AAF53DC6DE9A2CC0489C76A1
Malicious:	false
Preview:	.n.I23SY]UHF..R1.0A4HI13.YYUHFQ4R170A4HI13SYYUHFQ4R170A4HI13.YYUFY.:R.>.`.I....10&h6#[5CV]aW)'_\'y;0h4$ZrXY..{.i\\7<wXELu4R170A4..13.XZU..\|QR170A4HI.3QXRT@FQ.R17:A4HI13].YUHfQ4R.70A4.I1.SYYWHFU4R170A4LI13SYYUHfP4R370A4HI33..YUXFQ$R170Q4HY13SYYUXFQ4R170A4HI..SY.UHFQ.R1.7A4HI13SYYUHFQ4R170A4II=3SYYUHFQ4R170A4HI13SYYUHFQ4R170A4HI13SYYUHFQ4R170A4Hi13[YYUHFQ4R170I.HIy3SYYUHFQ4R1.D$L<I13G.YUHfQ4R.70A6HI13SYYUHFQ4R1.0ATf;BA0YYU.AQ4R.70A<HI1.SYYUHFQ4R170A4.I1s}+<9'%Q4^170A4II11SYY.HFQ4R170A4HI13.YY.HFQ4R170A4HI13SY..HFQ4R1.0A4JI43..YU.Q4Q170@4HO13SYYUHFQ4R170A4HI13SYYUHFQ4R170A4HI13SYYUHFQ4R1.._b.....@[qx.)wR.at.*......q..4}1k0A4VK.+SYS.R8B4R5..C.[I17yC'AHFU.L3.$A4Lc+MFYYQbXS.G174k.6_13WsGW.PQ4V.-NV4HM.-Q.NUHB{.,)70E.VK.+SY].R8H4R5..C.QI17yC'OHFU.HO,0A0bW3.HYYQb\/(R13._6.U13WsC+UFQ0x/5.\4HM..QqgUHLG.Q..NJ4HM2\lYY_bh",R1=.[4HM..{pYUN\|y4R1..A4Ns/3SYq~HFW.F170i.HI7.YYYU`nQ4T.10A4\aG3SSs.`.Q4XB.0A>hi33S6.UHL{Z,/70E.XI13-GYUL).4R;#._4HM.M-VYULnF4R;.?A4Ha.3S_`PHFQ..176kb:..3#'IUHBy[R1=.b4HM.. .YU

C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

Download File

Process:	C:\Users\user\Desktop\bcUcEm7AqP.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	976896
Entropy (8bit):	6.868090099102495
Encrypted:	false
SSDEEP:	24576:ju6J33O0c+JY5UZ+XC0kGso6Fak3X20cyWY:tu0c++OCvkGs9FaknLYY
MD5:	734CEFFDDCF39DF0E5C2259E6EBB975B
SHA1:	F8A544BBE088F09308A01DC598DDAAC7CD89A552
SHA-256:	18725CCE353D29C5FB73D6B93B17E0DDEF59E53BC19C637CC15A96B921FCC173
SHA-512:	4206ED733DDD620A5562C6FAF0034416BB27F42CFBF84D7AF59683A6742B194B066346C021546346993F4DEDA011DB1CE4BA0E7AA8DC8CCA9611E00ABC8F88F2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...A:Pg.........."..................}............@..........................P.......$....@...@.......@.....................L...\|....p..,^.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...,^...p...`..................@..@.reloc...q.......r...v..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Download File

Process:	C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe
File Type:	data
Category:	dropped
Size (bytes):	298
Entropy (8bit):	3.3897555667090025
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1QllkWbAJADzMl8nQBdnriIM8lfQVn:DsO+vNloRKQ1QlxAODzk8nEFmA2n
MD5:	B7F649615C720F8E357D3318E295C058
SHA1:	C38AA5554E9F85483C6F8E02519B746E0A8B2790
SHA-256:	C3B54933BCC8BF4C4359EE1884340C7486D98457E7181ED9D8500482E9AE3C44
SHA-512:	E786E5CEA1F3CBE25AD48A63D90D5725DC66C8B97AD566A82E57EAC235CCA1BAF1AE2280C23847FD1403183A25E58C15B37C239A936FB4D564CCBE1F3565D991
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.u.n.d.i.s.c.e.r.n.i.b.l.e.n.e.s.s.\.t.a.b.u.l.a.t.i.o.n.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.868090099102495
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bcUcEm7AqP.exe
File size:	976'896 bytes
MD5:	734ceffddcf39df0e5c2259e6ebb975b
SHA1:	f8a544bbe088f09308a01dc598ddaac7cd89a552
SHA256:	18725cce353d29c5fb73d6b93b17e0ddef59e53bc19c637cc15a96b921fcc173
SHA512:	4206ed733ddd620a5562c6faf0034416bb27f42cfbf84d7af59683a6742b194b066346c021546346993f4deda011db1ce4ba0e7aa8dc8cca9611e00abc8f88f2
SSDEEP:	24576:ju6J33O0c+JY5UZ+XC0kGso6Fak3X20cyWY:tu0c++OCvkGs9FaknLYY
TLSH:	F925AE22B3DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950161262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67503A41 [Wed Dec 4 11:17:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FDD5517207Ah
jmp 00007FDD55164E44h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDD55164FCAh
cmp edi, eax
jc 00007FDD5516532Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FDD55164FC9h
rep movsb
jmp 00007FDD551652DCh
cmp ecx, 00000080h
jc 00007FDD55165194h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDD55164FD0h
bt dword ptr [004BE324h], 01h
jc 00007FDD551654A0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FDD5516516Dh
test edi, 00000003h
jne 00007FDD5516517Eh
test esi, 00000003h
jne 00007FDD5516515Dh
bt edi, 02h
jnc 00007FDD55164FCFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDD55164FD3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDD55165025h
bt esi, 03h
jnc 00007FDD55165078h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x25e2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xed000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x25e2c	0x26000	45ff9f36d35e1727c1bb58509c7bd96e	False	0.8252402857730263	data	7.6193521717319355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xed000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1d0f3	data			1.0003864669360734
RT_GROUP_ICON	0xec8ac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xec924	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xec938	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xec94c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xec960	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xeca3c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T17:57:24.342229+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	69.174.100.131	6606	192.168.2.4	49732	TCP
2024-12-06T17:57:24.342229+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	69.174.100.131	6606	192.168.2.4	49732	TCP
2024-12-06T17:57:24.342229+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	69.174.100.131	6606	192.168.2.4	49732	TCP
2024-12-06T17:57:24.342229+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	69.174.100.131	6606	192.168.2.4	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 17:57:22.829384089 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:22.949680090 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:22.949904919 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:22.964850903 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:23.085289001 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:24.216432095 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:24.216563940 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:24.216628075 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:24.222322941 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:24.342228889 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:24.619261980 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:24.664196968 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:27.020077944 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:27.139878988 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:27.140043974 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:27.260056973 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:38.634577036 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:38.754452944 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:38.754515886 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:38.874363899 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:39.156244993 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:39.211110115 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:39.347848892 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:39.354492903 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:39.474263906 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:39.474349976 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:39.594156981 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:46.932804108 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:46.976747036 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:47.124814034 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:47.179860115 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:50.285403967 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:50.405314922 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:50.405437946 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:50.525424957 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:50.824461937 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:50.867355108 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:51.016400099 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:51.018836975 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:51.138561010 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:57:51.138649940 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:57:51.258984089 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:01.899036884 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:02.020104885 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:02.020261049 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:02.140573025 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:02.434681892 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:02.476810932 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:02.626290083 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:02.628499031 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:02.748291969 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:02.748354912 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:02.868129015 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:13.524113894 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:13.644197941 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:13.644279957 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:13.764126062 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:14.059149981 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:14.101723909 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:14.259485006 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:14.270170927 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:14.391357899 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:14.391412973 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:14.512686968 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:16.945450068 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:16.992364883 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:17.137330055 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:17.179857016 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:25.149305105 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:25.269057989 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:25.269186974 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:25.389040947 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:25.687264919 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:25.742396116 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:25.879246950 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:25.929852962 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:25.954343081 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:26.074256897 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:26.074332952 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:26.194155931 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:36.774075985 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:36.896862030 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:36.897058964 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:37.016849995 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:37.309129953 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:37.351784945 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:37.501142979 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:37.503246069 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:37.623078108 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:37.623172045 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:37.743208885 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:46.948689938 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:46.992383003 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:47.140521049 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:47.195480108 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:48.399437904 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:48.521421909 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:48.521558046 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:48.641242981 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:48.934393883 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:48.976726055 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:49.127015114 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:49.179907084 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:49.249470949 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:49.369357109 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:58:49.369424105 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:58:49.489192009 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.024123907 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:00.145999908 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.146054029 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:00.265795946 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.563839912 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.617374897 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:00.756279945 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.762164116 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:00.883222103 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:00.883306026 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:01.003139973 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:10.134134054 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:10.253916979 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:10.253974915 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:10.373802900 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:10.668838024 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:10.711108923 CET	49732	6606	192.168.2.4	69.174.100.131
Dec 6, 2024 17:59:10.860428095 CET	6606	49732	69.174.100.131	192.168.2.4
Dec 6, 2024 17:59:10.914251089 CET	49732	6606	192.168.2.4	69.174.100.131

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 17:57:22.524430990 CET	1.1.1.1	192.168.2.4	0xb611	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2024 17:57:22.524430990 CET	1.1.1.1	192.168.2.4	0xb611	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 6, 2024 17:57:22.524430990 CET	1.1.1.1	192.168.2.4	0xb611	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 6, 2024 17:57:22.524430990 CET	1.1.1.1	192.168.2.4	0xb611	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 6, 2024 17:57:22.524430990 CET	1.1.1.1	192.168.2.4	0xb611	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:57:02
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\bcUcEm7AqP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bcUcEm7AqP.exe"
Imagebase:	0x690000
File size:	976'896 bytes
MD5 hash:	734CEFFDDCF39DF0E5C2259E6EBB975B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:57:06
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bcUcEm7AqP.exe"
Imagebase:	0x900000
File size:	976'896 bytes
MD5 hash:	734CEFFDDCF39DF0E5C2259E6EBB975B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000001.00000002.1741043434.0000000001750000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:57:09
Start date:	06/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bcUcEm7AqP.exe"
Imagebase:	0x700000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2925890166.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:57:21
Start date:	06/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs"
Imagebase:	0x7ff672d90000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:57:22
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"
Imagebase:	0x7ff7699e0000
File size:	976'896 bytes
MD5 hash:	734CEFFDDCF39DF0E5C2259E6EBB975B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.1900282603.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:57:25
Start date:	06/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe"
Imagebase:	0x230000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.2013057022.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 00693B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B68
IsDebuggerPresent.KERNEL32 ref: 00693B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,007552F8,007552E0,?,?), ref: 00693BEB

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Part of subcall function 006A092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C14,007552F8,?,?,?), ref: 006A096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00693C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00747770,00000010), ref: 006CD281
SetCurrentDirectoryW.KERNEL32(?,007552F8,?,?,?), ref: 006CD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00744260,007552F8,?,?,?), ref: 006CD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 006CD346

Part of subcall function 00693A46: GetSysColorBrush.USER32(0000000F), ref: 00693A50
Part of subcall function 00693A46: LoadCursorW.USER32(00000000,00007F00), ref: 00693A5F
Part of subcall function 00693A46: LoadIconW.USER32(00000063), ref: 00693A76
Part of subcall function 00693A46: LoadIconW.USER32(000000A4), ref: 00693A88
Part of subcall function 00693A46: LoadIconW.USER32(000000A2), ref: 00693A9A
Part of subcall function 00693A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AC0
Part of subcall function 00693A46: RegisterClassExW.USER32(?), ref: 00693B16

Part of subcall function 006939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A03
Part of subcall function 006939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A24
Part of subcall function 006939D5: ShowWindow.USER32(00000000,?,?), ref: 00693A38
Part of subcall function 006939D5: ShowWindow.USER32(00000000,?,?), ref: 00693A41

Part of subcall function 0069434A: _memset.LIBCMT ref: 00694370
Part of subcall function 0069434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00694415

Strings

This is a third-party compiled AutoIt script., xrefs: 006CD279
%r, xrefs: 00693C44
runas, xrefs: 006CD33A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%r
API String ID: 529118366-374001893
Opcode ID: 3d71c4a1030d92979fe205e4df3be9caa35dad53d76bc6188d69052e725fc934
Instruction ID: ec21f179f1e6cbe1fc1e34ecbc4545ae8f39df15a5d1e713dd19ea047f11db48
Opcode Fuzzy Hash: 3d71c4a1030d92979fe205e4df3be9caa35dad53d76bc6188d69052e725fc934
Instruction Fuzzy Hash: 5A51E5B0908648EEDF01EBB4DC15EFD7B7EBF45701F00806DF411A66A2DAB85646CB29

Function 006949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006949CD

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

GetCurrentProcess.KERNEL32(?,0071FAEC,00000000,00000000,?), ref: 00694A9A
IsWow64Process.KERNEL32(00000000), ref: 00694AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00694AE7
FreeLibrary.KERNEL32(00000000), ref: 00694AF2
GetSystemInfo.KERNEL32(00000000), ref: 00694B23
GetSystemInfo.KERNEL32(00000000), ref: 00694B2F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 2848df990b4a1bbc832df0a3c0d283957da4b1f0666ec34ed710cafb419cca43
Instruction ID: 208e94f17bc1ecf9f92153fa4b0d3f35160dd1b8e69ef2b797d249b1e4d0790c
Opcode Fuzzy Hash: 2848df990b4a1bbc832df0a3c0d283957da4b1f0666ec34ed710cafb419cca43
Instruction Fuzzy Hash: F591E83198A7C0DECB31CB688450AEABFFAAF2A300B44496DD0C793B45D635A509D76D

Function 00694E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00694D8E,?,?,00000000,00000000), ref: 00694E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00694D8E,?,?,00000000,00000000), ref: 00694EB0
LoadResource.KERNEL32(?,00000000,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F), ref: 006CD937
SizeofResource.KERNEL32(?,00000000,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F), ref: 006CD94C
LockResource.KERNEL32(00694D8E,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F,00000000), ref: 006CD95F

Strings

SCRIPT, xrefs: 00694EA6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0abf742fe09237f6c903ac0c3da5d1a10aab85d8ca24e79900e9f79ba41a9697
Instruction ID: f2b25c0e8242e4c12a8b4e6bab565aa1b39a04dcd7bf9bd8fc76e1e2e21dcc8f
Opcode Fuzzy Hash: 0abf742fe09237f6c903ac0c3da5d1a10aab85d8ca24e79900e9f79ba41a9697
Instruction Fuzzy Hash: 73114C75240700ABDB218B69EC48FAB7BBEFBC5B11F108268F40586690DB75EC018660

Function 0069FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%r, xrefs: 0069FCF3
pbu, xrefs: 006D49B9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbu$%r
API String ID: 3964851224-3538053991
Opcode ID: 2452d8518578d6c56c70d9f292115dc34ee02e3f185c16acaa3b072e61bb4926
Instruction ID: 859622c8fc1a6883ab8bc97448684e19d210cb3ec83de299579e0988fc0c7c20
Opcode Fuzzy Hash: 2452d8518578d6c56c70d9f292115dc34ee02e3f185c16acaa3b072e61bb4926
Instruction Fuzzy Hash: F3926D70A083419FEB60DF14C480B6AB7E6BF86304F14896DE88A9B351DB75EC45CF96

Function 0069E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddu, xrefs: 0069EAC1
Ddu, xrefs: 006D3B2E
Variable must be of type 'Object'., xrefs: 006D3E62
Ddu, xrefs: 006D3AF5
Ddu, xrefs: 0069EABA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID: Ddu$Ddu$Ddu$Ddu$Variable must be of type 'Object'.
API String ID: 0-808039955
Opcode ID: 53b85c441f12da2f46200cdd8d6660617eed9839c53aeb912324d9ab41ed7b85
Instruction ID: 582e61b61a9d882f969e7c59618d5249e3b4b903f5ef4af7d03f1c4263b8d471
Opcode Fuzzy Hash: 53b85c441f12da2f46200cdd8d6660617eed9839c53aeb912324d9ab41ed7b85
Instruction Fuzzy Hash: FEA26A74A00215CFCF24CF98C480AAAB7BBFF58314F64846AE905AB751D776ED42CB91

Function 006F445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,006CE398), ref: 006F446A
FindFirstFileW.KERNELBASE(?,?), ref: 006F447B
FindClose.KERNEL32(00000000), ref: 006F448B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
Instruction ID: eda1fa873b5499b9b23fc4e189178c1c78c4b8ac3e8e957acf8050c0a9e8ad68
Opcode Fuzzy Hash: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
Instruction Fuzzy Hash: C8E0D8324149046752106B3CEC0D4FE779DEE05335F108715F935D11D0EB78590095D9

Function 006A09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0A5B
timeGetTime.WINMM ref: 006A0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0E53
Sleep.KERNEL32(0000000A), ref: 006A0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 006A0EFA
DestroyWindow.USER32 ref: 006A0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006A0F20
Sleep.KERNEL32(0000000A,?,?), ref: 006D4E83
TranslateMessage.USER32(?), ref: 006D5C60
DispatchMessageW.USER32(?), ref: 006D5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006D5C82

Strings

pbu, xrefs: 006D57B4
@TRAY_ID, xrefs: 006D578F
@GUI_CTRLHANDLE, xrefs: 006D4FE4
pbu, xrefs: 006D5003
@COM_EVENTOBJ, xrefs: 006D54F0
pbu, xrefs: 006D4FAE
pbu, xrefs: 006D4F59
@GUI_CTRLID, xrefs: 006D4F3A
@GUI_WINHANDLE, xrefs: 006D4F8F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbu$pbu$pbu$pbu
API String ID: 4212290369-2982233261
Opcode ID: 19eb30c7e00cf65768a73cd443cf7e335d53852c8de2a368da3e3f65a768e299
Instruction ID: 78579c9bac579aa5e243ab4b440e0e927fad10775712c8ec3ffc75c86059a65c
Opcode Fuzzy Hash: 19eb30c7e00cf65768a73cd443cf7e335d53852c8de2a368da3e3f65a768e299
Instruction Fuzzy Hash: BAB2E270A08741DFEB24DF24C884BAAB7E6BF85304F14891EE44A977A1CB75EC45CB46

Function 006F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F8F5F: __time64.LIBCMT ref: 006F8F69

Part of subcall function 00694EE5: _fseek.LIBCMT ref: 00694EFD

__wsplitpath.LIBCMT ref: 006F9234

Part of subcall function 006B40FB: __wsplitpath_helper.LIBCMT ref: 006B413B

_wcscpy.LIBCMT ref: 006F9247
_wcscat.LIBCMT ref: 006F925A
__wsplitpath.LIBCMT ref: 006F927F
_wcscat.LIBCMT ref: 006F9295
_wcscat.LIBCMT ref: 006F92A8

Part of subcall function 006F8FA5: _memmove.LIBCMT ref: 006F8FDE
Part of subcall function 006F8FA5: _memmove.LIBCMT ref: 006F8FED

_wcscmp.LIBCMT ref: 006F91EF

Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9824
Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F9452
_wcsncpy.LIBCMT ref: 006F94C5
DeleteFileW.KERNEL32(?,?), ref: 006F94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006F9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F9534

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: cd7d9365a10497b90e26971dd4d2510a4981b877315d328b22195e8ee29163db
Instruction ID: 914c01c2ecef9600c7b595da7c7ebdd2bb31c4ed84bf33fa6da96f19f54a72c3
Opcode Fuzzy Hash: cd7d9365a10497b90e26971dd4d2510a4981b877315d328b22195e8ee29163db
Instruction Fuzzy Hash: 99C12CB1D0021DAADF61DF95CC85EEEB7BEEF85310F0040AAF609E6151DB309A858F65

Function 00693015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693074
RegisterClassExW.USER32(00000030), ref: 0069309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
InitCommonControlsEx.COMCTL32(?), ref: 006930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
LoadIconW.USER32(000000A9), ref: 006930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

TaskbarCreated, xrefs: 006930A4
+, xrefs: 0069305D
0, xrefs: 00693056
AutoIt v3 GUI, xrefs: 00693090

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 084b4eba7ab75e4657733079cb2d9a97059d2930cb719578c6e3d3e9e827f74c
Instruction ID: 0816c747a8bbb78398a526b5a371422719e8952a91136cafd4beebd8e33baf3f
Opcode Fuzzy Hash: 084b4eba7ab75e4657733079cb2d9a97059d2930cb719578c6e3d3e9e827f74c
Instruction Fuzzy Hash: 4C3148B1805348AFDB00CFA8D889AD9BFF4FB09310F14816EE580E62A0D3B91545CF95

Function 00693041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693074
RegisterClassExW.USER32(00000030), ref: 0069309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
InitCommonControlsEx.COMCTL32(?), ref: 006930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
LoadIconW.USER32(000000A9), ref: 006930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

TaskbarCreated, xrefs: 006930A4
+, xrefs: 0069305D
0, xrefs: 00693056
AutoIt v3 GUI, xrefs: 00693090

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 535eec30bd082c4000b5b305719254597c408ff77c8ed031e2c33561965d229c
Instruction ID: 23fd8a2e533820b4591dfd0d9ca48f339080642cc7c0003c9b86ece16a4552af
Opcode Fuzzy Hash: 535eec30bd082c4000b5b305719254597c408ff77c8ed031e2c33561965d229c
Instruction Fuzzy Hash: 6A21B2B1911718AFDB00DFA8EC89BDDBBF4FB08711F10C12AF914A62A0D7B955448F99

Function 0069708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00694706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007552F8,?,006937AE,?), ref: 00694724

Part of subcall function 006B050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00697165), ref: 006B052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006CE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006CE909
RegCloseKey.ADVAPI32(?), ref: 006CE947
_wcscat.LIBCMT ref: 006CE9A0

Strings

\, xrefs: 006CE9C3
Include, xrefs: 006CE8BF, 006CE900
\Include\, xrefs: 00697165
Software\AutoIt v3\AutoIt, xrefs: 0069719E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c987306084b6871dc145bf412555fbed9c2f309c5f523334c0bd381b9af65820
Instruction ID: 8a43da4c5063d63a72a36e7ffa290ed1abd1cbd3780dff516341c4bec6c24c62
Opcode Fuzzy Hash: c987306084b6871dc145bf412555fbed9c2f309c5f523334c0bd381b9af65820
Instruction Fuzzy Hash: D7717D715083019ED744EF29E8419EBBBF9FF88310F80852EF445872A1EBB5D949CB5A

Function 00693633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006936D2
KillTimer.USER32(?,00000001), ref: 006936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0069372A
CreatePopupMenu.USER32 ref: 0069373E
PostQuitMessage.USER32(00000000), ref: 0069374D

Strings

TaskbarCreated, xrefs: 00693725
%r, xrefs: 006CD081, 006CD0CF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%r
API String ID: 129472671-4130811174
Opcode ID: ca467d148297beb9163ad623a7797b74d33161721a171fff5d8be7a6fdb0102f
Instruction ID: 90c544d38ccb4d169c9bf3a9f5cf1feab2010c9772cda4b1d7e07691aec055fb
Opcode Fuzzy Hash: ca467d148297beb9163ad623a7797b74d33161721a171fff5d8be7a6fdb0102f
Instruction Fuzzy Hash: B24149B1200615BBDF106FA8DC29BF9379FEB01301F504139F5029A7E1CAA9AE05976E

Function 00693A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693A50
LoadCursorW.USER32(00000000,00007F00), ref: 00693A5F
LoadIconW.USER32(00000063), ref: 00693A76
LoadIconW.USER32(000000A4), ref: 00693A88
LoadIconW.USER32(000000A2), ref: 00693A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AC0
RegisterClassExW.USER32(?), ref: 00693B16

Part of subcall function 00693041: GetSysColorBrush.USER32(0000000F), ref: 00693074
Part of subcall function 00693041: RegisterClassExW.USER32(00000030), ref: 0069309E
Part of subcall function 00693041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
Part of subcall function 00693041: InitCommonControlsEx.COMCTL32(?), ref: 006930CC
Part of subcall function 00693041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
Part of subcall function 00693041: LoadIconW.USER32(000000A9), ref: 006930F2
Part of subcall function 00693041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

AutoIt v3, xrefs: 00693B05
#, xrefs: 00693AFB
0, xrefs: 00693AF4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: da77127f1df0ceb8a460cdf90dd0f31d1ad4477cb6ca0a2109ef8fbcb97aba66
Instruction ID: 6144afd0c058d2e43927a4042daa50f3829cd70b6520b7c4e906f8d78ebcc792
Opcode Fuzzy Hash: da77127f1df0ceb8a460cdf90dd0f31d1ad4477cb6ca0a2109ef8fbcb97aba66
Instruction Fuzzy Hash: 292119B1D10708AFEF10DFA8EC59BDD7BB5FB08712F10812AE504A62E1D7B956508F98

Function 00693766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00693822
/AutoIt3OutputDebug, xrefs: 00693892
/AutoIt3ExecuteLine, xrefs: 006938A7
/ErrorStdOut, xrefs: 0069387D
Ru, xrefs: 006CD213
CMDLINERAW, xrefs: 006937FB
/AutoIt3ExecuteScript, xrefs: 006938BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006937AE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Ru
API String ID: 1825951767-3048454719
Opcode ID: b7a157617d69456690c4a4deda069c03083870d053e61dc82edf8f6a736bb384
Instruction ID: f11b16dd4c44c4bebeb8dfb7d89a31cdb2a5467380d84247156c6f8c0cb0d905
Opcode Fuzzy Hash: b7a157617d69456690c4a4deda069c03083870d053e61dc82edf8f6a736bb384
Instruction Fuzzy Hash: E1A16CB191022D9ADF44EBA4DC91EFEB77EBF15300F04042EE416A7691EF745A09CB64

Function 0069F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B0193
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B019B
Part of subcall function 006B0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B01A6
Part of subcall function 006B0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B01B1
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B01B9
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B01C1

Part of subcall function 006A60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0069F930), ref: 006A6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0069F9CD
OleInitialize.OLE32(00000000), ref: 0069FA4A
CloseHandle.KERNEL32(00000000), ref: 006D45C8

Strings

<Wu, xrefs: 0069F930
\Tu, xrefs: 0069F7F7
%r, xrefs: 0069F796, 0069F7A8, 0069F96E, 0069FA51
Su, xrefs: 0069F7EB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wu$\Tu$%r$Su
API String ID: 1986988660-3617137637
Opcode ID: 3388dc1e8fc8a1b75a8369daf9a55338dafbb7008f3e511a058f60e2bab3044b
Instruction ID: f7de86ec5d2b95b454b170ce7106caaec4c5387bee201342d655d67b6c041def
Opcode Fuzzy Hash: 3388dc1e8fc8a1b75a8369daf9a55338dafbb7008f3e511a058f60e2bab3044b
Instruction Fuzzy Hash: CE81BBB0911B80CF8784DF29A8616A87BE6FB98307790C53ED419CB271EBFC54858F59

Function 01042380 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 010423C5

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 40581583217f11832b47715342ff4b9eac5439b3a5e4d228ef22cfd75289f073
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 1D512AB5B10208FBEF64DFE4DC99FDE77B8AF48701F108554FA4AEA180DA7496448B60

Function 006939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A24
ShowWindow.USER32(00000000,?,?), ref: 00693A38
ShowWindow.USER32(00000000,?,?), ref: 00693A41

Strings

AutoIt v3, xrefs: 006939FB, 00693A00, 00693A01
edit, xrefs: 00693A1E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f276a91f692d7c310fefe5913e61a41594d7ff068c6ef8cd6371ce4d6d4a3a0b
Instruction ID: a3efd29a659e2d9e3293b76a4f8fda79f463053c104f4a59d654d2f73cf332ac
Opcode Fuzzy Hash: f276a91f692d7c310fefe5913e61a41594d7ff068c6ef8cd6371ce4d6d4a3a0b
Instruction Fuzzy Hash: 32F030B05407907EEB315717AC18EA72E7DE7C6F61F008029F904A21B0C5E91840CB78

Function 0069407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006CD3D7

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_memset.LIBCMT ref: 006940FC
_wcscpy.LIBCMT ref: 00694150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00694160

Strings

Line: , xrefs: 006CD400

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 873ef80b615ee2295fc6c7455503b23740997aa72eeedd6df3befffcd1037d16
Instruction ID: 965c28d248d5ccaf1917d3e631ad8cff31cd777cafa78ab93d3addd74d7c64a9
Opcode Fuzzy Hash: 873ef80b615ee2295fc6c7455503b23740997aa72eeedd6df3befffcd1037d16
Instruction Fuzzy Hash: 8531EFB1008304AFDBA1EB60DC46FEB77DEAF40310F10851EF585925A1EFB4A649C78A

Function 006B541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 006B547B
_memcpy_s.LIBCMT ref: 006B54ED
__read_nolock.LIBCMT ref: 006B554B
__filbuf.LIBCMT ref: 006B556E
_memset.LIBCMT ref: 006B55B2

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 0d2d0d64ffd31a63ea2f740d2641a3298343e86765206d981d86435a0346f836
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 235190B1A00B05DBDB249E69D8807EE77A7AF40322F24872DF826962D1D7719ED18B40

Function 0069686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00694DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E0F

_free.LIBCMT ref: 006CE263
_free.LIBCMT ref: 006CE2AA

Part of subcall function 00696A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696BAD

Strings

Bad directive syntax error, xrefs: 006CE292
>>>AUTOIT SCRIPT<<<, xrefs: 006CE039

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5e8bcbc529cc1a297b6d5354f82a6022464b44670516b62b341ef08fea0af6a0
Instruction ID: e0cd942a72363d419421dc136407a08592b67b5efd9239fb0ddbc583696a80f3
Opcode Fuzzy Hash: 5e8bcbc529cc1a297b6d5354f82a6022464b44670516b62b341ef08fea0af6a0
Instruction Fuzzy Hash: 5E918F71A10219AFCF04EFA4C891EFDB7BAFF04310B14442EF815AB2A1DB759A55CB54

Function 01043E90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01043D80: Sleep.KERNELBASE(000001F4), ref: 01043D91

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01043F95

Strings

A4HI13SYYUHFQ4R170, xrefs: 01044015, 01044018

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateFileSleep
String ID: A4HI13SYYUHFQ4R170
API String ID: 2694422964-2629952255
Opcode ID: 9d011c42f1c7344357f93ad82a53d275bb7b5a6a7e4e3ec8faaf87e44d2867e3
Instruction ID: 20fc99aa056301fdeac9f0d0b37f7265cc63a67512a95cdee71faf5f429fcf6c
Opcode Fuzzy Hash: 9d011c42f1c7344357f93ad82a53d275bb7b5a6a7e4e3ec8faaf87e44d2867e3
Instruction Fuzzy Hash: D5519571D04259DBEF11DBA4C858BEFBBB9AF45300F0041A9E6487B2C0D7791B45CBA5

Function 006935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006935A1,SwapMouseButtons,00000004,?), ref: 006935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 006935F5
RegCloseKey.KERNELBASE(00000000,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 00693617

Strings

Control Panel\Mouse, xrefs: 006935D2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
Instruction ID: 7e2d03841b87b6489c10059bfecf89c072ae1e976fc4dfe47cb995d87cb2a50a
Opcode Fuzzy Hash: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
Instruction Fuzzy Hash: 89113371610228BADF208FA8DC80AEABBAEEF04740F008469E805D7310E2719E419BA4

Function 006F955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00694EE5: _fseek.LIBCMT ref: 00694EFD

Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9824
Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9837

_free.LIBCMT ref: 006F96A2
_free.LIBCMT ref: 006F96A9
_free.LIBCMT ref: 006F9714

Part of subcall function 006B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9A24), ref: 006B2D69
Part of subcall function 006B2D55: GetLastError.KERNEL32(00000000,?,006B9A24), ref: 006B2D7B

_free.LIBCMT ref: 006F971C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: c95ff51ad248cb345dc928551b2bf3429735d4d63c84fddadf51a4ee3dc26203
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: D3515FB1D14219AFDF649F64CC81AEEBBBAEF48300F10049EF209A7241DB715A81CF58

Function 006B470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006B47A0
__flush.LIBCMT ref: 006B47C0
__write.LIBCMT ref: 006B47F3
__flsbuf.LIBCMT ref: 006B4821

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 188a15ad8b8c3ed6e083c9ecd6b74648a89b1a06ea9c234917ba4c98195f9e24
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 1741C2B4A007459BDB28CEA9C8809EE7BA7EF46360B24817DE85587742EF70DDC1CB40

Function 006944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006944CF

Part of subcall function 0069407C: _memset.LIBCMT ref: 006940FC
Part of subcall function 0069407C: _wcscpy.LIBCMT ref: 00694150
Part of subcall function 0069407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00694160

KillTimer.USER32(?,00000001,?,?), ref: 00694524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00694533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006CD4B9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 70dbfe4892d1415d6be30b5f5d95f234bc26662e243d5fc0ab6a4f2eae9c1e6e
Instruction ID: 0e7563e841e8a33738100364edf83bc70f2ed2845dd03ecd8c402fab5dfe4ad9
Opcode Fuzzy Hash: 70dbfe4892d1415d6be30b5f5d95f234bc26662e243d5fc0ab6a4f2eae9c1e6e
Instruction Fuzzy Hash: 0421F5B0504784AFEB328B648855FF6BBEDEF01304F0480ADE78E97281C7742A85CB45

Function 00694C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00694CBA

Strings

EA06, xrefs: 006CD8CC
AU3!P/r, xrefs: 00694CB4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/r$EA06
API String ID: 4104443479-480415842
Opcode ID: 731f4702ff21bf22311ab7aba52423fcc95b41db1587cd44ddd3681a971baec9
Instruction ID: 5fbc93cb844c26095abe8ceb48f88df44f843ba4e6b5394291718a4bf6942ea2
Opcode Fuzzy Hash: 731f4702ff21bf22311ab7aba52423fcc95b41db1587cd44ddd3681a971baec9
Instruction Fuzzy Hash: 4F417D25A041585BDF259B648891FFE7FAFDF45300F284579EC829BB82DE209D4B83A1

Function 00697285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006CEA39
GetOpenFileNameW.COMDLG32(?), ref: 006CEA83

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006B0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B07B0

Strings

X, xrefs: 006CEA51

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d5a280758a82d665b72524b8e4855d26cda02c64976ad9e8474a04c41c82d421
Instruction ID: e6522267ab1a4af540796cd1932bf0f7dee27b09957759ece65c9549b4b4f228
Opcode Fuzzy Hash: d5a280758a82d665b72524b8e4855d26cda02c64976ad9e8474a04c41c82d421
Instruction Fuzzy Hash: B9218471A102489BDF819F94C845BEE7BFEAF49714F04405AE408AB241DBB859898FA5

Function 006F8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F8DAC
__fread_nolock.LIBCMT ref: 006F8DC1

Strings

EA06, xrefs: 006F8DF3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3f261c5fa727386ad2fb48477b63a394795935a18dbea782c4d9743d896b1cc9
Instruction ID: 52ecf6fd7a01377e2321c29389126c4786b868dac757dd2fae79566fb81ee2ec
Opcode Fuzzy Hash: 3f261c5fa727386ad2fb48477b63a394795935a18dbea782c4d9743d896b1cc9
Instruction Fuzzy Hash: F20196B29042187EDB68CAA88856EFE7BF89F15311F00459EE552D2181E975E6048760

Function 01042A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01042AA5
ExitProcess.KERNEL32(00000000), ref: 01042AC4

Strings

D, xrefs: 01042A71

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction ID: 796cf905db273aaa0ffb71d51a80b3061d7033fa966737a9cb6f3cdf4c67aaea
Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction Fuzzy Hash: 76F0FFB154024CABDB60EFE0CD89FEE777CBF04701F048518FB4ADA180DA7896188B61

Function 006F98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006F98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006F990F

Strings

aut, xrefs: 006F9909

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1d695a57a47ede976b19c7dc012035fde38b5c92c139cb35f8806b580392100b
Instruction ID: 56ebd0469d3cb0284bebd5e79010194f6a3c90309e6aa122545dbd1b2de5812a
Opcode Fuzzy Hash: 1d695a57a47ede976b19c7dc012035fde38b5c92c139cb35f8806b580392100b
Instruction Fuzzy Hash: CCD05E7954030DABDB50ABA4DC0EFDE777CE704700F0082B1FA54920E1EAB895988B95

Function 0070CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851e2826e882f0415f31c1bfe4067c987b1bb90095d27daa99cae1911a1feda8
Instruction ID: bc3427c0d0fb362b19c2dc102c073fea125e4bd6338f8d5205fb4b2c51cdd931
Opcode Fuzzy Hash: 851e2826e882f0415f31c1bfe4067c987b1bb90095d27daa99cae1911a1feda8
Instruction Fuzzy Hash: 54F14A71608301DFCB14DF28C584A6ABBE5FF88314F148A2EF8999B291D734E945CF82

Function 0069434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00694370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00694415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00694432

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f9155765d12cf78d6d6d2db32d5e641d6f0eef8f6f7962121335f99ad7ebd81e
Instruction ID: d72b6b908b4a086442cc7a35f928dc05167a3d60a037fd2e5414206fc2d33ad8
Opcode Fuzzy Hash: f9155765d12cf78d6d6d2db32d5e641d6f0eef8f6f7962121335f99ad7ebd81e
Instruction Fuzzy Hash: EA31C1B05057019FDB20DF34D884ADBBBF9FB48309F00492EE68AC2751EBB4A945CB56

Function 006B571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006B5733

Part of subcall function 006BA16B: __NMSG_WRITE.LIBCMT ref: 006BA192
Part of subcall function 006BA16B: __NMSG_WRITE.LIBCMT ref: 006BA19C

__NMSG_WRITE.LIBCMT ref: 006B573A

Part of subcall function 006BA1C8: GetModuleFileNameW.KERNEL32(00000000,007533BA,00000104,?,00000001,00000000), ref: 006BA25A
Part of subcall function 006BA1C8: ___crtMessageBoxW.LIBCMT ref: 006BA308

Part of subcall function 006B309F: ___crtCorExitProcess.LIBCMT ref: 006B30A5
Part of subcall function 006B309F: ExitProcess.KERNEL32 ref: 006B30AE

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 651f558640166c46ce6a6dd14e4b099b371cb1433c51ac497f3d5411854cf3b8
Instruction ID: c3960a85746c521ef34139fbf7bde5826c8b1f4e8a361c3e8171438f67a1eb1d
Opcode Fuzzy Hash: 651f558640166c46ce6a6dd14e4b099b371cb1433c51ac497f3d5411854cf3b8
Instruction Fuzzy Hash: 8B01D2F5300B11EED6902B79AC42BEE778A9B42362F100539F5069B292DEB49CC18769

Function 006F98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006F9548,?,?,?,?,?,00000004), ref: 006F98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006F9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006F98D1
CloseHandle.KERNEL32(00000000,?,006F9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F98D8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
Instruction ID: 6b6ab230f6f1efa6d53e62f0007ab9984f0d4a4b863aea02c51bfbe2719433ae
Opcode Fuzzy Hash: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
Instruction Fuzzy Hash: B8E08632180618B7D7211B58EC09FDA7F29AB06760F10C221FB24691E0C7B55511979C

Function 006F8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006F8D1B

Part of subcall function 006B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9A24), ref: 006B2D69
Part of subcall function 006B2D55: GetLastError.KERNEL32(00000000,?,006B9A24), ref: 006B2D7B

_free.LIBCMT ref: 006F8D2C
_free.LIBCMT ref: 006F8D3E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f887c7e4f965b0645b8748027260a39ba3b2b041e4af4fdc7f8bb311e043219e
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 16E012E16116064ACB64A678A941AE713DE9F98352714095DF60DD7286CE64FC828228

Function 0069A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 006CFC01

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 7115cad8cea6c4c5a275da79a471f0c907e749033553b5ce371a576205d17b31
Instruction ID: 39827467d99e702b08d959b43db3492c3837c8868dbf2323a66fa325df795e84
Opcode Fuzzy Hash: 7115cad8cea6c4c5a275da79a471f0c907e749033553b5ce371a576205d17b31
Instruction Fuzzy Hash: B9225570608241DFDB64DF54C490AAABBE6FF84304F15896DE88A8B762D731EC45CB86

Function 006F77B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F78DB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction ID: 1514089513fabb7e63418092ab8834c66131478991e48244a84ddb87b3f4ef1b
Opcode Fuzzy Hash: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction Fuzzy Hash: 2241F37190820D9FDB50EFA8D8859FABBABEF09340B24456DE29597382DB74EC01C764

Function 00697A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00697AAB
_memmove.LIBCMT ref: 00697B16

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
Instruction ID: caa6486210b0d8f206d1e634dbd2a0b65927fc9ccba55774fb55dbdc49d9f7c9
Opcode Fuzzy Hash: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
Instruction Fuzzy Hash: 1D31C4B1714606AFCB04DF68C8D1EA9B3AAFF48320714862DE419CB791EB30E951CB90

Function 006947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00694834

Part of subcall function 006B336C: __lock.LIBCMT ref: 006B3372
Part of subcall function 006B336C: DecodePointer.KERNEL32(00000001,?,00694849,006E7C74), ref: 006B337E
Part of subcall function 006B336C: EncodePointer.KERNEL32(?,?,00694849,006E7C74), ref: 006B3389

Part of subcall function 006948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00694915
Part of subcall function 006948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0069492A

Part of subcall function 00693B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B68
Part of subcall function 00693B3A: IsDebuggerPresent.KERNEL32 ref: 00693B7A
Part of subcall function 00693B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007552F8,007552E0,?,?), ref: 00693BEB
Part of subcall function 00693B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00693C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00694874

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 56a350be4fda7ebf224d4238b97485256c1da61318cd464c04aebf9898f5225a
Instruction ID: 2fbcf9927f45a77e188258380af3d7735e5f6d763810fbc6ffa28aff3bc9745c
Opcode Fuzzy Hash: 56a350be4fda7ebf224d4238b97485256c1da61318cd464c04aebf9898f5225a
Instruction Fuzzy Hash: B911AFB19183519FCB00EF29D90598EBFE9FF88750F10891EF044832B1DBB59645CB9A

Function 006B0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B571C: __FF_MSGBANNER.LIBCMT ref: 006B5733
Part of subcall function 006B571C: __NMSG_WRITE.LIBCMT ref: 006B573A
Part of subcall function 006B571C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

std::exception::exception.LIBCMT ref: 006B0DEC
__CxxThrowException@8.LIBCMT ref: 006B0E01

Part of subcall function 006B859B: RaiseException.KERNEL32(?,?,?,00749E78,00000000,?,?,?,?,006B0E06,?,00749E78,?,00000001), ref: 006B85F0

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 6dc530b375af3ad20da21429f4a5bd1d3d3f973c12e37df47cd7809056ea7f2d
Instruction ID: c55898a28deb6bd780b1dc05a2b9925c21b6bdef829508ff0e57457fc48c2c0b
Opcode Fuzzy Hash: 6dc530b375af3ad20da21429f4a5bd1d3d3f973c12e37df47cd7809056ea7f2d
Instruction Fuzzy Hash: 31F0A4B164022E7ADB10AA94EC059DF7BAE9F01351F50046DF90497282DF70DAC1C7D5

Function 006B55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B562C
__lock_file.LIBCMT ref: 006B564D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 3831af00bbe906c4ad5da798de4f4d868bd1275d40045df275e82e8c1d8431f1
Instruction ID: f4abe3d0cbf6a86310e734bf4ea02ffdd7a2c699ffe456d0400a2be15eb9e7de
Opcode Fuzzy Hash: 3831af00bbe906c4ad5da798de4f4d868bd1275d40045df275e82e8c1d8431f1
Instruction Fuzzy Hash: A101D4F1800608AFCF62BF688C025DE7B63AF91321F444119F8241B2A1EB358AD2DF95

Function 006B53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

__lock_file.LIBCMT ref: 006B53EB

Part of subcall function 006B6C11: __lock.LIBCMT ref: 006B6C34

__fclose_nolock.LIBCMT ref: 006B53F6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1bc02314dfd0bc05ed0da270a04e2a142903909eb74ba276bc7ef7902fa397fd
Instruction ID: 389a3827113ec2a46d6c23bcbde05bf27edc302ad247b95839d95e828d20351c
Opcode Fuzzy Hash: 1bc02314dfd0bc05ed0da270a04e2a142903909eb74ba276bc7ef7902fa397fd
Instruction Fuzzy Hash: 19F0BBF1800A049EDB607F7598017ED7BE66F41374F24810DA425AB2C1EFFC89C29B59

Function 01042AD0 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 01042340: GetFileAttributesW.KERNELBASE(?), ref: 0104234B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 01042C86

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 75a11d2a5e422db1b3ac852db5e0df9caeacc8acd5177281bd9e76996ea6a715
Instruction ID: 0e7ccd12f5b8fc564fde5777ef150877f2c0a7332fc6b1ac2000ac645331931f
Opcode Fuzzy Hash: 75a11d2a5e422db1b3ac852db5e0df9caeacc8acd5177281bd9e76996ea6a715
Instruction Fuzzy Hash: AA718231A1060897EF14DFA0DC84BEF737AFF98700F004569B609E7290EB7A9A45C769

Function 006B0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006B0CB7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 84471bfe0e58c35ea8e83713446e39cfa22c970e191f7f9979120427cd905cf4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B131B5B4A001059FE718DF58C4859AAFFA6FB59300B6497A5E80ACB355DB31EDC1DBC0

Function 006CFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006CFCB7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0d9ae4f64fd9f4dec7c4aa11c48f8e1fe013ce3a3653a1f85055acf1f3376f55
Instruction ID: 4d29b6d05c949edaf1850a8f3f833481199f9f46fc24fc0a9842bf0d7997d699
Opcode Fuzzy Hash: 0d9ae4f64fd9f4dec7c4aa11c48f8e1fe013ce3a3653a1f85055acf1f3376f55
Instruction Fuzzy Hash: EF4106B4504341DFDB24DF18C444B5ABBE6BF45318F0988ACE89A8B762C735E845CF96

Function 0069784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00697899

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction ID: 054a5be6c324ea0b7da593ff42d98c78196b0968b8127d35b80e524bc832a923
Opcode Fuzzy Hash: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction Fuzzy Hash: 5511A531618205AFDB14DF28C585C7EB7AEEF85324724412EE915CB791DB32EC12C794

Function 00694DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00694BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00694BEF

Part of subcall function 006B525B: __wfsopen.LIBCMT ref: 006B5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E0F

Part of subcall function 00694B6A: FreeLibrary.KERNEL32(00000000), ref: 00694BA4

Part of subcall function 00694C70: _memmove.LIBCMT ref: 00694CBA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c312956e5ae229149ed2d0c5bead3d5220ddd4d8cc21774a11a3981542a9d934
Instruction ID: 2c7730a05eefea09d94a8b7e8d27aabe3134c31c884c91e807fd5d94a3952c08
Opcode Fuzzy Hash: c312956e5ae229149ed2d0c5bead3d5220ddd4d8cc21774a11a3981542a9d934
Instruction Fuzzy Hash: 5A11E331600205ABCF14EF74CC52FAD77AEAF44750F10882DF642A7581DE759A029B58

Function 006CFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006CFD91

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 27b92d2c62374d4c1536b8fda2b5da3750d4c5eb729e3573f64bbb0a5f562993
Instruction ID: c03b565496fbd237b64c15ab7a1cbe7be8ad7b878832b698fb83002163f6943c
Opcode Fuzzy Hash: 27b92d2c62374d4c1536b8fda2b5da3750d4c5eb729e3573f64bbb0a5f562993
Instruction Fuzzy Hash: 0C2157B4908301DFDB14DF64C444B5ABBE6BF88314F05896CF88A47B22D731E809CB96

Function 006B4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006B48A6

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 1d4469a826abde98d7a5bbf0436d6c1bca6356a4372defea431a35ff09aecd46
Instruction ID: 6286abb9428ee9cd47216303801f814cafecaa79a14012f89d15020f2bd2f4d2
Opcode Fuzzy Hash: 1d4469a826abde98d7a5bbf0436d6c1bca6356a4372defea431a35ff09aecd46
Instruction Fuzzy Hash: 52F08CB1900609ABDF91AFA488067EE36A7AF00325F158418B4249B292CF79C9D1DB55

Function 00694E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E7E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a8cb02fb2ff99052b6a92c93d1e78e8bcafe59890637d93a17f04948cc6ceaf3
Instruction ID: daff14e69210bc5b888bd6a84953c04967368eddd01eb4d80d60e69bfefdac4c
Opcode Fuzzy Hash: a8cb02fb2ff99052b6a92c93d1e78e8bcafe59890637d93a17f04948cc6ceaf3
Instruction Fuzzy Hash: C9F01C71505711CFCF349F64D494C96B7EABF143293108A3EE2D682A11CB319882DB40

Function 006B0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B07B0

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 706f628aa4925dc7c58257024e25d461e469a112a3bb6e987b280f98a71903fb
Instruction ID: fede99259454a54e8992dcdb94d85659d07bf7f327a6bf2a96de9958975c896f
Opcode Fuzzy Hash: 706f628aa4925dc7c58257024e25d461e469a112a3bb6e987b280f98a71903fb
Instruction Fuzzy Hash: 96E0863690422857CB20965C9C05FEA779DDB896A1F0441B9FC08D7249D9749C808694

Function 006F8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006F8EC1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 0ed25bb383b3e6fb35420d588534097c22ac7a06efd9e9d160d00fedd06bfed5
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 65E092B1104B045FDB388A24D800BE373E2AB09305F00085DF2AA83342EB6278418759

Function 01042340 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0104234B

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 3df7ff89cacd017dbe712c4dc589ef5037eb71cb74d6033bdd1f49f3ca54f795
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: CEE08671705208FBD760CAACA8486AD73F8EB04711F008AA4F545C3180D53099509614

Function 01042310 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0104231B

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 2fe31c4866b47b0c94b94375e88fe7774eacfbdd34283be2ed35e397ad8a2bfb
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 95D0A770A0520CEBCB10DFB8AC04ADE73B8D704321F0087A4FD15C3280D5319A409760

Function 006B525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006B5266

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a9d2a39ab5669621a6a2b00928ab17f66a74706e8abb958256a6676894ee2dee
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6EB092B644020C77CE022A82EC02B893B1A9B41764F408020FB0C18162A673AAA49A89

Function 01043D7C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01043D91

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 0a1499f80e10333d6b90ecdf6258527c6f10427e9a12cb676dda685e6f56ed22
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 22E0BF7494011DEFDB00EFA4D6496DE7BB4FF04311F1005A1FD05D7681DB309E548A62

Function 01043D80 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01043D91

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0c9acec213065c1af4db5f54cc4a853dd9147d7292174f066beecf92bcba10aa
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 37E0E67494010DDFDB00EFB4D6496DE7FB4FF04301F100161FD01D2281D6309D508A62

Non-executed Functions

Function 0071CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0071CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CB95
GetWindowLongW.USER32(?,000000F0), ref: 0071CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CC00
SendMessageW.USER32 ref: 0071CC29
_wcsncpy.LIBCMT ref: 0071CC95
GetKeyState.USER32(00000011), ref: 0071CCB6
GetKeyState.USER32(00000009), ref: 0071CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CCD9
GetKeyState.USER32(00000010), ref: 0071CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CD0C
SendMessageW.USER32 ref: 0071CD33
SendMessageW.USER32(?,00001030,?,0071B348), ref: 0071CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0071CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0071CE60
SetCapture.USER32(?), ref: 0071CE69
ClientToScreen.USER32(?,?), ref: 0071CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0071CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0071CEF5
ReleaseCapture.USER32 ref: 0071CF00
GetCursorPos.USER32(?), ref: 0071CF3A
ScreenToClient.USER32(?,?), ref: 0071CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0071CFA3
SendMessageW.USER32 ref: 0071CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D00E
SendMessageW.USER32 ref: 0071D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0071D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0071D06D
GetCursorPos.USER32(?), ref: 0071D08D
ScreenToClient.USER32(?,?), ref: 0071D09A
GetParent.USER32(?), ref: 0071D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D123
SendMessageW.USER32 ref: 0071D154
ClientToScreen.USER32(?,?), ref: 0071D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0071D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D20C
SendMessageW.USER32 ref: 0071D22F
ClientToScreen.USER32(?,?), ref: 0071D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0071D2B5

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

GetWindowLongW.USER32(?,000000F0), ref: 0071D351

Strings

pbu, xrefs: 0071CEAF
@GUI_DRAGID, xrefs: 0071CE9C
F, xrefs: 0071D235

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbu
API String ID: 3977979337-570719866
Opcode ID: d8263cd1824fe6a907e980f31057dbab799c39da0b20a2ed84037a20a0c98a09
Instruction ID: ccf3b5ee587db2931619d9c7dcde35cc488771438e3d2e4ba75be0d855a440f1
Opcode Fuzzy Hash: d8263cd1824fe6a907e980f31057dbab799c39da0b20a2ed84037a20a0c98a09
Instruction Fuzzy Hash: D142AB74208381AFDB22CF68C845AEABBE5FF48310F144929F555C72E0C779E894DB96

Function 006A6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A71C3
_memset.LIBCMT ref: 006A7539
_memmove.LIBCMT ref: 006A76AC

Strings

3cj, xrefs: 006E23A0
]t, xrefs: 006E1A22
P\t, xrefs: 006E1AB8
_j, xrefs: 006E23CB
\b(?=\w), xrefs: 006E3769
DEFINE, xrefs: 006E2103
\b(?<=\w), xrefs: 006E3773
[:>:]], xrefs: 006A7492
[:<:]], xrefs: 006A7479
Q\E, xrefs: 006A7FCB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]t$3cj$DEFINE$P\t$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_j
API String ID: 1357608183-1184944521
Opcode ID: 79d3775b63f94249b06fb2d3ba21367a916275ddc27a77032064103aaa19006b
Instruction ID: f9d5cf575807fe259e6a7e8702e641172addec92aaf6a8883887e6550d2b1609
Opcode Fuzzy Hash: 79d3775b63f94249b06fb2d3ba21367a916275ddc27a77032064103aaa19006b
Instruction Fuzzy Hash: 0A93A171A01356DBDB24DF59C891BEDB7B2FF49310F24816AE945AB381E7709E82CB40

Function 006948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CD665
IsIconic.USER32(?), ref: 006CD66E
ShowWindow.USER32(?,00000009), ref: 006CD67B
SetForegroundWindow.USER32(?), ref: 006CD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CD69B
GetCurrentThreadId.KERNEL32 ref: 006CD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 006CD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 006CD6CF
SetForegroundWindow.USER32(?), ref: 006CD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD6E7
keybd_event.USER32(00000012,00000000), ref: 006CD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD6FC
keybd_event.USER32(00000012,00000000), ref: 006CD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD70A
keybd_event.USER32(00000012,00000000), ref: 006CD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD719
keybd_event.USER32(00000012,00000000), ref: 006CD71E
SetForegroundWindow.USER32(?), ref: 006CD721
AttachThreadInput.USER32(?,?,00000000), ref: 006CD748

Strings

Shell_TrayWnd, xrefs: 006CD660

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 24a72c43faadc8a2b3860351b2f6387639e8a8c63017c0eb0c5bb0f40c03a34c
Instruction ID: 9a0ae283a7a40b4c7b7e989b073106d9545e76b8c59e4d74ba5e8ba746576cfe
Opcode Fuzzy Hash: 24a72c43faadc8a2b3860351b2f6387639e8a8c63017c0eb0c5bb0f40c03a34c
Instruction Fuzzy Hash: D031A571A40318BBEB206F658C49FBF7F6DEB44B50F108039FA04EA1D1C6B49C11ABA5

Function 006E8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
Part of subcall function 006E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
Part of subcall function 006E87E1: GetLastError.KERNEL32 ref: 006E8865

_memset.LIBCMT ref: 006E8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006E83A5
CloseHandle.KERNEL32(?), ref: 006E83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E83CD
GetProcessWindowStation.USER32 ref: 006E83E6
SetProcessWindowStation.USER32(00000000), ref: 006E83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E840A

Part of subcall function 006E81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8309), ref: 006E81E0
Part of subcall function 006E81CB: CloseHandle.KERNEL32(?,?,006E8309), ref: 006E81F2

Strings

, xrefs: 006E8362
default, xrefs: 006E8405
winsta0, xrefs: 006E83C8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 900eec6aa2a6e3235d56bee7473fe70d853b72b9c184bbdbbc66c0aa7a62d210
Instruction ID: 453b257dfce10ada3f33a4966cd9473a9bdb2e450be80059ba96efb76e28586e
Opcode Fuzzy Hash: 900eec6aa2a6e3235d56bee7473fe70d853b72b9c184bbdbbc66c0aa7a62d210
Instruction Fuzzy Hash: DB81ADB1801389AFDF51DFA5CC45AEE7BBAEF04304F148129F819A32A1DB358E15DB24

Function 006FC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006FC78D
FindClose.KERNEL32(00000000), ref: 006FC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 006FC844
__swprintf.LIBCMT ref: 006FC890
__swprintf.LIBCMT ref: 006FC8D3

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

__swprintf.LIBCMT ref: 006FC927

Part of subcall function 006B3698: __woutput_l.LIBCMT ref: 006B36F1

__swprintf.LIBCMT ref: 006FC975

Part of subcall function 006B3698: __flsbuf.LIBCMT ref: 006B3713
Part of subcall function 006B3698: __flsbuf.LIBCMT ref: 006B372B

__swprintf.LIBCMT ref: 006FC9C4
__swprintf.LIBCMT ref: 006FCA13
__swprintf.LIBCMT ref: 006FCA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 006FC88A
%02d, xrefs: 006FC91B, 006FC925, 006FC973, 006FC9C2, 006FCA11, 006FCA60
%4d, xrefs: 006FC8CD

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 2199967995a199ed6971ea8290230116a1c4c0eb528d98e64b3268833e0c96a6
Instruction ID: 9dcc6b428c0dc558884bd54540ebb5b18b442a7508f39838c018311b61f68457
Opcode Fuzzy Hash: 2199967995a199ed6971ea8290230116a1c4c0eb528d98e64b3268833e0c96a6
Instruction Fuzzy Hash: 29A14EB1504248ABCB40EFA4C985DBFB7EDFF94700F40491DF595C6192EA34EA08CB66

Function 006FEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006FEFB6
_wcscmp.LIBCMT ref: 006FEFCB
_wcscmp.LIBCMT ref: 006FEFE2
GetFileAttributesW.KERNEL32(?), ref: 006FEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 006FF00E
FindNextFileW.KERNEL32(00000000,?), ref: 006FF026
FindClose.KERNEL32(00000000), ref: 006FF031
FindFirstFileW.KERNEL32(*.*,?), ref: 006FF04D
_wcscmp.LIBCMT ref: 006FF074
_wcscmp.LIBCMT ref: 006FF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 006FF09D
SetCurrentDirectoryW.KERNEL32(00748920), ref: 006FF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF0C5
FindClose.KERNEL32(00000000), ref: 006FF0D2
FindClose.KERNEL32(00000000), ref: 006FF0E4

Strings

*.*, xrefs: 006FF048

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 600f8aab46123329b163364c63d56c735c23ccb99688fee809bd67d0a5b5c556
Instruction ID: 148928a561900dafabb17749061a677911728a7f971c318737645d7bf5842327
Opcode Fuzzy Hash: 600f8aab46123329b163364c63d56c735c23ccb99688fee809bd67d0a5b5c556
Instruction Fuzzy Hash: CD31057250161C7ACB24DBB4DC59AFE77AEAF44360F008175E904E22A1DF74DA80CB69

Function 00710857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0071F910,00000000,?,00000000,?,?), ref: 007109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00710A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00710A92
RegCloseKey.ADVAPI32(?), ref: 00710DB2
RegCloseKey.ADVAPI32(00000000), ref: 00710DBF

Strings

REG_EXPAND_SZ, xrefs: 00710A2F
REG_QWORD, xrefs: 00710D00
REG_SZ, xrefs: 00710AD0
REG_BINARY, xrefs: 00710D4D
REG_MULTI_SZ, xrefs: 00710B7A
REG_DWORD, xrefs: 00710C83

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9262ecb7b469f003f8b4be0ef80224e9832c03a1a8eda3521fd7122221e3c711
Instruction ID: f79cd8c0046e897afe9a238659e29fde33e70d3c48a3032b06b6b2987e6a7b76
Opcode Fuzzy Hash: 9262ecb7b469f003f8b4be0ef80224e9832c03a1a8eda3521fd7122221e3c711
Instruction Fuzzy Hash: 990290756006019FCB54EF28C851E6AB7E9FF89310F04895CF8899B7A2DB74EC81CB95

Function 006A66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 006E1338
CR), xrefs: 006E1287
0Fs, xrefs: 006A6747
ANY), xrefs: 006E12DE
CRLF), xrefs: 006E12C1
_j, xrefs: 006E1465, 006E150C, 006E15B4
UTF), xrefs: 006E10FA
LF), xrefs: 006E12A4
LIMIT_RECURSION=, xrefs: 006E11FC
NO_START_OPT), xrefs: 006E114F
0Es, xrefs: 006A673D
LIMIT_MATCH=, xrefs: 006E1170
UCP), xrefs: 006E110D
pGs, xrefs: 006A6751
3cj, xrefs: 006A68FF
BSR_ANYCRLF), xrefs: 006E131E
0Ds, xrefs: 006A6733
NO_AUTO_POSSESS), xrefs: 006E112E
ANYCRLF), xrefs: 006E12FB
UTF16), xrefs: 006E10CF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID: 0Ds$0Es$0Fs$3cj$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGs$_j
API String ID: 0-1531490153
Opcode ID: 64eedf39d7795a0e65930290eb13b9a14885f3954a8fa5b5209e9f71b669c232
Instruction ID: 1147d1896a458e32b8301b7d06a0607b874d71b8e1b1f8067ef750942b207bd0
Opcode Fuzzy Hash: 64eedf39d7795a0e65930290eb13b9a14885f3954a8fa5b5209e9f71b669c232
Instruction Fuzzy Hash: 14726DB5E00259CBDB14DF59C8807EEB7B6BF49310F14816AE905EB291EB349E81DF90

Function 006FF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006FF113
_wcscmp.LIBCMT ref: 006FF128
_wcscmp.LIBCMT ref: 006FF13F

Part of subcall function 006F4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006F43A0

FindNextFileW.KERNEL32(00000000,?), ref: 006FF16E
FindClose.KERNEL32(00000000), ref: 006FF179
FindFirstFileW.KERNEL32(*.*,?), ref: 006FF195
_wcscmp.LIBCMT ref: 006FF1BC
_wcscmp.LIBCMT ref: 006FF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 006FF1E5
SetCurrentDirectoryW.KERNEL32(00748920), ref: 006FF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF20D
FindClose.KERNEL32(00000000), ref: 006FF21A
FindClose.KERNEL32(00000000), ref: 006FF22C

Strings

*.*, xrefs: 006FF190

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 08631ed522110f39436d93167d8b84e1c2a948e6b7385a3ec4b3cbc5b56ca235
Instruction ID: 621d3aec2092e1881af9ca1027c6a238d716480cf9297f2a2dd497fcae136cb3
Opcode Fuzzy Hash: 08631ed522110f39436d93167d8b84e1c2a948e6b7385a3ec4b3cbc5b56ca235
Instruction Fuzzy Hash: 8831037650061D7ADB20EFA4EC49AFE77AE9F45320F104175E900E22E0DB75DF85CA58

Function 006FA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006FA20F
__swprintf.LIBCMT ref: 006FA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 006FA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006FA293
_memset.LIBCMT ref: 006FA2B2
_wcsncpy.LIBCMT ref: 006FA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006FA323
CloseHandle.KERNEL32(00000000), ref: 006FA32E
RemoveDirectoryW.KERNEL32(?), ref: 006FA337
CloseHandle.KERNEL32(00000000), ref: 006FA341

Strings

:, xrefs: 006FA252
\??\%s, xrefs: 006FA22B
\, xrefs: 006FA247

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7e40606a80ff19631ea1c9564fb731e0951c9a77a9863204a8d87cb586487b4a
Instruction ID: 0839b47fca5ee1cf5199bc1d04ad44a0fc2a6bf6afd6c65aed10739392bfccda
Opcode Fuzzy Hash: 7e40606a80ff19631ea1c9564fb731e0951c9a77a9863204a8d87cb586487b4a
Instruction Fuzzy Hash: A131B5B2500109ABDB20DFA4DC45FFB77BDEF89700F1081B6F608D2260E77496448B29

Function 006E7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E821E
Part of subcall function 006E8202: GetLastError.KERNEL32(?,006E7CE2,?,?,?), ref: 006E8228
Part of subcall function 006E8202: GetProcessHeap.KERNEL32(00000008,?,?,006E7CE2,?,?,?), ref: 006E8237
Part of subcall function 006E8202: HeapAlloc.KERNEL32(00000000,?,006E7CE2,?,?,?), ref: 006E823E
Part of subcall function 006E8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E8255

Part of subcall function 006E829F: GetProcessHeap.KERNEL32(00000008,006E7CF8,00000000,00000000,?,006E7CF8,?), ref: 006E82AB
Part of subcall function 006E829F: HeapAlloc.KERNEL32(00000000,?,006E7CF8,?), ref: 006E82B2
Part of subcall function 006E829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006E7CF8,?), ref: 006E82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E7D13
_memset.LIBCMT ref: 006E7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E7D47
GetLengthSid.ADVAPI32(?), ref: 006E7D58
GetAce.ADVAPI32(?,00000000,?), ref: 006E7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E7DB1
GetLengthSid.ADVAPI32(?), ref: 006E7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006E7DDD
HeapAlloc.KERNEL32(00000000), ref: 006E7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E7E05
CopySid.ADVAPI32(00000000), ref: 006E7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E7E77

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 4d9f96ef544a9944823b02a6bd31e225b48503c3bf15859c49b37ee5960dd442
Instruction ID: 8f088c8a1613599efcacffc3aa16ffb9ff86d6b5a262d2d867ea0bba08d7296e
Opcode Fuzzy Hash: 4d9f96ef544a9944823b02a6bd31e225b48503c3bf15859c49b37ee5960dd442
Instruction Fuzzy Hash: D3614C7190524AAFDF00DFA5DC45AEEBBBAFF08300F048269F915A7291DB359E05CB64

Function 006F001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006F0097
SetKeyboardState.USER32(?), ref: 006F0102
GetAsyncKeyState.USER32(000000A0), ref: 006F0122
GetKeyState.USER32(000000A0), ref: 006F0139
GetAsyncKeyState.USER32(000000A1), ref: 006F0168
GetKeyState.USER32(000000A1), ref: 006F0179
GetAsyncKeyState.USER32(00000011), ref: 006F01A5
GetKeyState.USER32(00000011), ref: 006F01B3
GetAsyncKeyState.USER32(00000012), ref: 006F01DC
GetKeyState.USER32(00000012), ref: 006F01EA
GetAsyncKeyState.USER32(0000005B), ref: 006F0213
GetKeyState.USER32(0000005B), ref: 006F0221

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
Instruction ID: 919b79feadfc4119318cbe1a0cc6615338be560d87579565ee5fe66e8c8c3772
Opcode Fuzzy Hash: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
Instruction Fuzzy Hash: 2151FA3090478C29FB35DBA089547FABFB69F02380F08459DD6C25A2C3DAA49B8CC765

Function 007103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007104AC

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0071054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00710822
RegCloseKey.ADVAPI32(00000000), ref: 0071082F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3d641f9fd1f5562048d9bbc9f67349139c23fbcb6465e1a56c24ecf5762c37f0
Instruction ID: 20299613db0dc4561e18ef30b90b813b9bf379bc3d86443e675dcf4fadcc787c
Opcode Fuzzy Hash: 3d641f9fd1f5562048d9bbc9f67349139c23fbcb6465e1a56c24ecf5762c37f0
Instruction Fuzzy Hash: F1E16F30204200AFCB54DF28C895E6ABBE9FF89314F04C96DF849DB2A1D674ED81CB95

Function 007083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CoInitialize.OLE32 ref: 00708403
CoUninitialize.OLE32 ref: 0070840E
CoCreateInstance.OLE32(?,00000000,00000017,00722BEC,?), ref: 0070846E
IIDFromString.OLE32(?,?), ref: 007084E1
VariantInit.OLEAUT32(?), ref: 0070857B
VariantClear.OLEAUT32(?), ref: 007085DC

Strings

Failed to create object, xrefs: 00708479, 0070852F
NULL Pointer assignment, xrefs: 007084B3
Invalid parameter, xrefs: 007084FA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c4776a78f582a51a285deab7c24d53fdf1111b1404b2eb92c6dfd543bbbad3b1
Instruction ID: 590fbc59d545a34dbd146932d922b01fb2b72f335ba58be9623b42aca171a148
Opcode Fuzzy Hash: c4776a78f582a51a285deab7c24d53fdf1111b1404b2eb92c6dfd543bbbad3b1
Instruction Fuzzy Hash: 9D619A70608312DFC790DF24C849B6AB7E9AF49714F044A1DF9819B291DB78ED48CBA7

Function 00704164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0070418B
EmptyClipboard.USER32 ref: 00704191
GlobalAlloc.KERNEL32(00000002,?), ref: 007041A6
CloseClipboard.USER32 ref: 00704245

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9d19e7ec8ed4ebc1c7ca6884344f2ad81b06054b278ef8a4e4e620227bd48bca
Instruction ID: 9638645491b7b4691bc721a94591aeeda3bc8eeda2644b1fad9407f6fb9c5a0c
Opcode Fuzzy Hash: 9d19e7ec8ed4ebc1c7ca6884344f2ad81b06054b278ef8a4e4e620227bd48bca
Instruction Fuzzy Hash: 0C217C752002149FDB10AF28DC09BAD7BA9FF45751F10C12AFA469B2A1DB78A8008B58

Function 006F37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

FindFirstFileW.KERNEL32(?,?), ref: 006F38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006F394B
MoveFileW.KERNEL32(?,?), ref: 006F395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006F397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 006F399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006F39B9

Strings

\*.*, xrefs: 006F384E, 006F3857, 006F386C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: f5e1fa3353a021dc3ce15854ac14fe9b3ff48ffbf6b3a82121ca2445e5fdbd67
Instruction ID: e2de8a64fc3d2629fff3264851573f5b045fcf890d25cdc701f75849a23c79b0
Opcode Fuzzy Hash: f5e1fa3353a021dc3ce15854ac14fe9b3ff48ffbf6b3a82121ca2445e5fdbd67
Instruction Fuzzy Hash: 4E51AD3180515DAACF45EBA0CA92DFDB77AAF10300F60406DE506B7292EF716F09CB68

Function 006FF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006FF440
Sleep.KERNEL32(0000000A), ref: 006FF470
_wcscmp.LIBCMT ref: 006FF484
_wcscmp.LIBCMT ref: 006FF49F
FindNextFileW.KERNEL32(?,?), ref: 006FF53D
FindClose.KERNEL32(00000000), ref: 006FF553

Strings

*.*, xrefs: 006FF425

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 5673c62068c474e80cb618ce053e1361ac72973fa1e20d4d105ec75385ca9687
Instruction ID: 1c4747e027382687f975798caebf45099589b8726f03cf3055cf1353905081c9
Opcode Fuzzy Hash: 5673c62068c474e80cb618ce053e1361ac72973fa1e20d4d105ec75385ca9687
Instruction Fuzzy Hash: 06418C7190021EAFCF54DF68CC45AFEBBBAFF15310F14446AE919A3291EB309A84CB54

Function 006A3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cj, xrefs: 006A3225
_j, xrefs: 006A3322

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cj$_j
API String ID: 674341424-2927472950
Opcode ID: 9133fc476166789c5891d5c9e42145816e97c8a697df6aeea372a70491eb3db6
Instruction ID: 8c2d951abc1a437db31fe981c13b02bac8828bd39242bf18f3013eca084cf671
Opcode Fuzzy Hash: 9133fc476166789c5891d5c9e42145816e97c8a697df6aeea372a70491eb3db6
Instruction Fuzzy Hash: 83227B716083109FDB64EF24C881BAAB7E6EF89310F00492DF49A97391DB71ED45CB96

Function 006A5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A58A5
_memmove.LIBCMT ref: 006A58F5
_memmove.LIBCMT ref: 006A595B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: db2ff6783785281d58397abcbca5c0ef0a6ab58e5962b698a7702ec6a99cee39
Instruction ID: 5915c1965853477726c4bf39d154dfac622577267b7b9b65525b413d569415a8
Opcode Fuzzy Hash: db2ff6783785281d58397abcbca5c0ef0a6ab58e5962b698a7702ec6a99cee39
Instruction Fuzzy Hash: BE128A70A00649EFEF04DFA5D981AEEB7F6FF49300F104569E806A7290EB39AD51CB54

Function 006F3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

FindFirstFileW.KERNEL32(?,?), ref: 006F3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 006F3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 006F3BEA
FindClose.KERNEL32(00000000), ref: 006F3C01
FindClose.KERNEL32(00000000), ref: 006F3C0A

Strings

\*.*, xrefs: 006F3B5B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69acf1caf4b29f630429d911cb27cdd4116980e08566ead90606b00e69fa8d50
Instruction ID: e597fdc749d1fad102e3545ef28838167c978fae9c2d1747ec22cc1d8712a5f4
Opcode Fuzzy Hash: 69acf1caf4b29f630429d911cb27cdd4116980e08566ead90606b00e69fa8d50
Instruction Fuzzy Hash: 9E319C710083999FC741EF64C8919FFB7AEBEA1314F404E2DF4D592291EB219A09C76B

Function 006F51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
Part of subcall function 006E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
Part of subcall function 006E87E1: GetLastError.KERNEL32 ref: 006E8865

ExitWindowsEx.USER32(?,00000000), ref: 006F51F9

Strings

SeShutdownPrivilege, xrefs: 006F51C9
@, xrefs: 006F51EC
, xrefs: 006F51E7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 4cf3f3bb6fed10519e0d38ae882ff24942952c5b3bf07ce77ba9ffff7347fbf0
Instruction ID: cda3ea09f812dfd7170bcea7f52024073f765c668b2536d43ab2e177a127c14b
Opcode Fuzzy Hash: 4cf3f3bb6fed10519e0d38ae882ff24942952c5b3bf07ce77ba9ffff7347fbf0
Instruction Fuzzy Hash: B9014E317A1A1D6FF72862789C9BFFB725AEB05340F204635FB07E31D2DA511D0185A4

Function 00706283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007062DC
WSAGetLastError.WSOCK32(00000000), ref: 007062EB
bind.WSOCK32(00000000,?,00000010), ref: 00706307
listen.WSOCK32(00000000,00000005), ref: 00706316
WSAGetLastError.WSOCK32(00000000), ref: 00706330
closesocket.WSOCK32(00000000,00000000), ref: 00706344

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bd1621f2fc4c2a018866e6e832fc1d0a1b3bbf80b19be6c4b2beddcbf05c9296
Instruction ID: 69c3a9ed87a802bc695ed2b6762e43b677b304d4633e3d2a6c3beda138c472be
Opcode Fuzzy Hash: bd1621f2fc4c2a018866e6e832fc1d0a1b3bbf80b19be6c4b2beddcbf05c9296
Instruction Fuzzy Hash: 60219E31600204DFCB10EF68C955A6EB7EAEF49720F14865DF816A72D1C778AD01CBA5

Function 006A5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

_memmove.LIBCMT ref: 006E0258
_memmove.LIBCMT ref: 006E036D
_memmove.LIBCMT ref: 006E0414

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: eb228f3db6b52c19363006bb8eaa21cdd68b269e671c73f7f68c25ebeb238523
Instruction ID: edb51e40152bc5f4b35c14a26355846ea9e0259875c38610f6209a225e33c0a6
Opcode Fuzzy Hash: eb228f3db6b52c19363006bb8eaa21cdd68b269e671c73f7f68c25ebeb238523
Instruction Fuzzy Hash: 6F02CFB0A00209DFDF04DF65D981AAEBBB6EF45300F148069E80ADB395EB75DD91CB94

Function 00691287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006919FA
GetSysColor.USER32(0000000F), ref: 00691A4E
SetBkColor.GDI32(?,00000000), ref: 00691A61

Part of subcall function 00691290: DefDlgProcW.USER32(?,00000020,?), ref: 006912D8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 27ae5097f9af746535a89c35327bf3aa4f2d9b00ca1800d43630846595e338d3
Instruction ID: cced630ee5a78dcf8e0527a5ab980b0fd7375b1d862f0c0684a563c9a3db2450
Opcode Fuzzy Hash: 27ae5097f9af746535a89c35327bf3aa4f2d9b00ca1800d43630846595e338d3
Instruction Fuzzy Hash: 28A14870102546BAEF28AB2C4C59EFF355FDB43341F34411EF402DEAD2CA289D4292B9

Function 006FBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006FBCE6
_wcscmp.LIBCMT ref: 006FBD16
_wcscmp.LIBCMT ref: 006FBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 006FBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 006FBD6C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 4701b4a7eac1f1158df5787fd3402023dd59f44c131b820c8e6fe7c6637e9dbe
Instruction ID: 7f943f3ee0342d9bde449de56b4f33c92bb7d2023a92eabb2c763630a7c924a4
Opcode Fuzzy Hash: 4701b4a7eac1f1158df5787fd3402023dd59f44c131b820c8e6fe7c6637e9dbe
Instruction Fuzzy Hash: CF51AB756046069FDB14DF28C491EEAB3EAFF49320F10461DEA56873A1DB30ED04CB96

Function 00706747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00707D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00707DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0070679E
WSAGetLastError.WSOCK32(00000000), ref: 007067C7
bind.WSOCK32(00000000,?,00000010), ref: 00706800
WSAGetLastError.WSOCK32(00000000), ref: 0070680D
closesocket.WSOCK32(00000000,00000000), ref: 00706821

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b563b2292eee26f32306305d9e1e708cf6ae3088cf49ed4bf5668a852b10ab49
Instruction ID: 209c651a6749f760ae90b54269a8653a900c0c8f8d2f50574a364fe2019daa93
Opcode Fuzzy Hash: b563b2292eee26f32306305d9e1e708cf6ae3088cf49ed4bf5668a852b10ab49
Instruction Fuzzy Hash: 87419E75A00210AFDF90AF288886F7E77EA9F45714F04855CFA19AB3D2DA749D0087A5

Function 00715376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007153C5
IsWindowEnabled.USER32 ref: 007153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007153E0
IsIconic.USER32 ref: 007153EE
IsZoomed.USER32 ref: 007153FC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2f7aa01d39794f015fa4dd9b13a4e84df0d70ff0e76f62d56ea913f56dd01b7f
Instruction ID: 8f370b3780ed8903a51fd783cdf5afb8ccf20908f6ed7d53bfbbea15f7454fbe
Opcode Fuzzy Hash: 2f7aa01d39794f015fa4dd9b13a4e84df0d70ff0e76f62d56ea913f56dd01b7f
Instruction Fuzzy Hash: 4B110431300910AFDB246F2EDC44AAEBB9EEF847A0B40842DF815D32C1DB78DC4186A8

Function 006E80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E80F6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
Instruction ID: 6d8309f6c4c763c21e5ccd041cd19dad28bafac5602dd0f60c1b9293528cc6b2
Opcode Fuzzy Hash: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
Instruction Fuzzy Hash: C1F0C270241305BFEB104FA9EC8CEE73BADEF49754B008029F909C32A0DB649D11DA60

Function 00694B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694AD0), ref: 00694B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00694B57

Strings

kernel32.dll, xrefs: 00694B40
GetNativeSystemInfo, xrefs: 00694B51

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
Instruction ID: ef224ff505431a188b68b92a99f24406668a1cb378ea03596324de190c9d3d53
Opcode Fuzzy Hash: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
Instruction Fuzzy Hash: 1AD0C2B0A00717DFCB208F39E818F8272E9AF00350B10C839D485C2694DA78D4C0C618

Function 0070EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0070EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0070EE4B

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Process32NextW.KERNEL32(00000000,?), ref: 0070EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0070EF1A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d475977fc1d238a20c25eeae570d79ae3f7171031fdc56d829e5acd3e271dd40
Instruction ID: 8417e54f83587bb3a565760887f03699ae2a6d5dca11ce71f9e38760bdb47779
Opcode Fuzzy Hash: d475977fc1d238a20c25eeae570d79ae3f7171031fdc56d829e5acd3e271dd40
Instruction Fuzzy Hash: D951AD71104315AFD750EF24CC86EABB7ECEF94710F40492DF995972A1EB30A908CB96

Function 006EE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006EE628

Strings

(, xrefs: 006EE66E
|, xrefs: 006EE658

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dc9cdb2e37ba426c0f6c0196fffe83f9086734797bd328e6b1a47d551198e63a
Instruction ID: 43dd2a758d788f870fbab6789b7f90321403ac9f1eb3194aa8b901a0510c5601
Opcode Fuzzy Hash: dc9cdb2e37ba426c0f6c0196fffe83f9086734797bd328e6b1a47d551198e63a
Instruction Fuzzy Hash: 89323675A017059FDB28CF1AC4819AAB7F1FF48320B15C46EE89ADB3A1E771E941CB44

Function 007022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0070180A,00000000), ref: 007023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00702418

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d9a92e6a7057bd7b2a57ea6126b6def44eb384969a17b6f1eb2e132fd4b08262
Instruction ID: 9611006c382ae4e087ae5961b9ff41d465f4b46f2771f9427cb8c6c87205ea51
Opcode Fuzzy Hash: d9a92e6a7057bd7b2a57ea6126b6def44eb384969a17b6f1eb2e132fd4b08262
Instruction Fuzzy Hash: BF4104B2904209FFEB20DE95DC89FBFB7ECEB40714F10416EF601A61C2DA789E429654

Function 006FB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006FB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006FB3EA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: db868b55967bb674b7ffd5d6a863502748ccfe6ffc2ce9f84ea5648a9918d49a
Instruction ID: 1422730fb08edbab19dc65b1fe3361f8ca83b17300e990be669cf857fb8c056a
Opcode Fuzzy Hash: db868b55967bb674b7ffd5d6a863502748ccfe6ffc2ce9f84ea5648a9918d49a
Instruction Fuzzy Hash: 58216035A00518EFCF00EFA9D881AEDBBB9FF49310F1480AEE905AB351DB319915CB54

Function 006E87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
GetLastError.KERNEL32 ref: 006E8865

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 66e21db4df77788476c31aeee35e1d7ca4cb147bf7c7a2e68018fd8202ed08d9
Instruction ID: 31206e1362e8ac23e12809e40a87edcab507bfd7c269e7d35c774c000cdc6c56
Opcode Fuzzy Hash: 66e21db4df77788476c31aeee35e1d7ca4cb147bf7c7a2e68018fd8202ed08d9
Instruction Fuzzy Hash: B4116DB2414305AFE718DFA5DC85DABBBADEB44710B20C52EE85A97251EA30AC418B64

Function 006E874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006E878B
FreeSid.ADVAPI32(?), ref: 006E879B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
Instruction ID: e5eb9e72202c83817519e1b1cc5369e45c8257caeb8b07cd9f00af71d3f8a7b4
Opcode Fuzzy Hash: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
Instruction Fuzzy Hash: 41F04975A1130CBFDF00DFF4DD89AEEBBBCEF08211F1084A9E901E2291E6756A448B54

Function 006F8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 006F889B

Part of subcall function 006B520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006F8F6E,00000000,?,?,?,?,006F911F,00000000,?), ref: 006B5213
Part of subcall function 006B520A: __aulldiv.LIBCMT ref: 006B5233

Strings

0eu, xrefs: 006F8892

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eu
API String ID: 2893107130-3822003923
Opcode ID: 12a0ad0ddfc7becaf02dd252299b6495fa9feb9435765e63c2aba1fef05ad7de
Instruction ID: 61ad08009b64492266cc41d68f2b461dab2035dc9adaa24c67f691efc45b3e4a
Opcode Fuzzy Hash: 12a0ad0ddfc7becaf02dd252299b6495fa9feb9435765e63c2aba1fef05ad7de
Instruction Fuzzy Hash: 5821B4726356148FC729CF35D841AA2B3E2EFA5311B688E6CD1F5CB2D0CA74B905CB54

Function 006F4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 006F4CB3

Strings

DOWN, xrefs: 006F4C98

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 4ad4c8a4c44d00358d5d3393f34df38a1b991f6bfdfd1f53dfdcbe139c5c272a
Instruction ID: d5116f2fd1efcf5ff39aeb3335e16a0bd5f2b8fe5aaaf37b135eee05ec3c3848
Opcode Fuzzy Hash: 4ad4c8a4c44d00358d5d3393f34df38a1b991f6bfdfd1f53dfdcbe139c5c272a
Instruction Fuzzy Hash: 3BE08CB219D7223CB9482A19BC13EF7078D8B12735B10120AF910E59C1EE896C8325AC

Function 006FC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006FC6FB
FindClose.KERNEL32(00000000), ref: 006FC72B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 38daf428856d1922ffe009ceaede86c6bd88da498699b0df58b59634f88778f9
Instruction ID: a5a7d2b9a4b607f0b0093c7b146366f9782f16e53ae03b9c3d44578cefc62919
Opcode Fuzzy Hash: 38daf428856d1922ffe009ceaede86c6bd88da498699b0df58b59634f88778f9
Instruction Fuzzy Hash: EA118E726006049FDB10EF29C845A6AF7E9FF85320F00CA1DF9A997291DB30A801CF95

Function 006FA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00709468,?,0071FB84,?), ref: 006FA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00709468,?,0071FB84,?), ref: 006FA0A9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 149301c6b325fbc7eac6e4e7b00dd0dd853e4d2b3773a34fe81e2615502b4f3b
Instruction ID: 0a65a2f0c2dafaeee553e60603beafd66f0baeae10e5edbd694d8615a3ebf241
Opcode Fuzzy Hash: 149301c6b325fbc7eac6e4e7b00dd0dd853e4d2b3773a34fe81e2615502b4f3b
Instruction Fuzzy Hash: 73F0E23510422DABDB20AFA4DC48FFA736EFF09361F008169F918D7181CA309900CBA5

Function 006E81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8309), ref: 006E81E0
CloseHandle.KERNEL32(?,?,006E8309), ref: 006E81F2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 73170eb09ec0293c0bdc8c0622d84a322f7e26f9f7cdff7ce92c493933496545
Instruction ID: fde72bb9f84ca11ba7a88f65ed8a0e7fa227fffeac4853f7628b03362f758015
Opcode Fuzzy Hash: 73170eb09ec0293c0bdc8c0622d84a322f7e26f9f7cdff7ce92c493933496545
Instruction Fuzzy Hash: 88E0EC72011611AFF7652B65EC09DF77BEAEF04350714C92DF8AA84470DB62AC91DB14

Function 006BA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,006B8D57,?,?,?,00000001), ref: 006BA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006BA163

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
Instruction ID: 4c89e8386ef48c08879af788833d57eb997205edbe68495228d50cdb18ea6403
Opcode Fuzzy Hash: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
Instruction Fuzzy Hash: 1BB09231054208EBCA002B99EC09BC83F68FB44BA2F40C020F61D840A0CB6654508A99

Function 006BF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
Instruction ID: 61be45b606631951f55aef7cdd1e535d1c9bdc9f4bf4b4ebba3f60500aecdf39
Opcode Fuzzy Hash: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
Instruction Fuzzy Hash: 9F3202A1D29F414DD7279638CD32376A249AFB73C4F15D737E819B5AA6EB28C4C34204

Function 006C242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
Instruction ID: 012579cd408e4de3d872a64061aff51a872afb6b8299f24bcfacfb64dd9ff406
Opcode Fuzzy Hash: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
Instruction Fuzzy Hash: F0B10020E2AF414ED723A6398831336BB5CAFBB2D5F52D71BFC2674D22EB2585834145

Function 006E87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006E8389), ref: 006E87D1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
Instruction ID: cc71d78a571d8e6110c9bf680d00c43c933df90cb4d464d4768eb32df7ad6651
Opcode Fuzzy Hash: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
Instruction Fuzzy Hash: 68D09E3226450EABEF019EA8DD05EEE3B69EB04B01F40C511FE15D51A1C775D935AB60

Function 006BA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006BA12A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
Instruction ID: 63a041da0162bfc313d8ef5c2c202dfcb5437c006ab3692812d989ebbc0eec62
Opcode Fuzzy Hash: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
Instruction Fuzzy Hash: 31A0113000020CAB8A002B8AEC08888BFACEA002A0B00C020F80C80022CB32A8208A88

Function 006A8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2c77fdc7862b34c7ab930cbba3ddb586d87d8be2d294d125e26b315006cfd9
Instruction ID: cb495f13a4a16f543abdf2211f49e037976817ab63bd776374a9431f9b92b241
Opcode Fuzzy Hash: 9f2c77fdc7862b34c7ab930cbba3ddb586d87d8be2d294d125e26b315006cfd9
Instruction Fuzzy Hash: 3B222930904686CFDF38AA29C4947FD77A3FF42348F24806BD6568B692DB749D92CE41

Function 006B21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: db3a295521c6ec304242cd6a2d5c97b6c8e62f97230b6d1f129f37d7d704e23b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F6C173B22151930ADB2D4639C4740FEBBE25EA37B135A176DD4B2CF2D4EE20C9A5D720

Function 006B25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 05a1af58587e65e37fb7db8cf6453a1e82891a3cb9b0b40c19bbc3784599c448
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 72C184B22151930ADF2D463A84340FEBBE25EA37B135A176DD4B2DF2D4EE10C9A5D720

Function 006B1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f1d67cb040e52d1fc8129b0ef477110241ef1915096beec576f861a468a0a7b2
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 5DC194B22151931ADF2D4639C4340FEBBA25EA37B135A176DD4B2CF2C4EE20D9A5D710

Function 010450E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 19a2848e1d9ae97f535fa3e050ba2c88523900cdfe67c0c3f3a1f506c9485cc9
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9C41D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 01044FD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 164da42c7f9eb9e4963189bcf2c687194a81a7500758460b34c14cb6e7222fa2
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 0A0180B8A10209EFCB84DF98C5909AEF7F5FB48310F2085A9E849A7701D731AE41DB80

Function 01044F70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 6bad5467e9aaa90d0a02522a7a8ddd2258a2c364c6924c25f1bfdc4e891e6bf1
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 950180B8A00109EFCB84DF98C590AAEF7F5FB48310F6085A9E949A7741D730AE41DB80

Function 01043950 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699754501.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1041000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00707806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0070785B
DeleteObject.GDI32(00000000), ref: 0070786D
DestroyWindow.USER32 ref: 0070787B
GetDesktopWindow.USER32 ref: 00707895
GetWindowRect.USER32(00000000), ref: 0070789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707A35
GetClientRect.USER32(00000000,?), ref: 00707A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00707A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707ABB
GlobalLock.KERNEL32(00000000), ref: 00707AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AD3
GlobalUnlock.KERNEL32(00000000), ref: 00707ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AE3
GlobalFree.KERNEL32(00000000), ref: 00707AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00722CAC,00000000), ref: 00707B16
GlobalFree.KERNEL32(00000000), ref: 00707B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00707B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00707B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707D7A

Strings

, xrefs: 00707D00
AutoIt v3, xrefs: 00707A2D
DISPLAY, xrefs: 00707BDD
static, xrefs: 00707A75, 00707BCC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1076611c56ad524fc611efdc4c54287bf177679a8fa5e2265c78f23400296ef2
Instruction ID: d7cf44fa67297d87183ef710a510ce5de7e561d8aae46429b8965128ca54dc16
Opcode Fuzzy Hash: 1076611c56ad524fc611efdc4c54287bf177679a8fa5e2265c78f23400296ef2
Instruction Fuzzy Hash: AF024E71900215EFDB14DFA8DC89EAE7BB9FB48310F148258F915AB2E1D778AD01CB64

Function 0071356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0071F910), ref: 00713627
IsWindowVisible.USER32(?), ref: 0071364B

Strings

SELECTSTRING, xrefs: 00713806
ISCHECKED, xrefs: 00713839
GETCURRENTLINE, xrefs: 007138ED
CHECK, xrefs: 0071386D
GETLINE, xrefs: 0071399B
SENDCOMMANDID, xrefs: 007139DA
SHOWDROPDOWN, xrefs: 007136E0
DELSTRING, xrefs: 00713749
UNCHECK, xrefs: 00713883
ADDSTRING, xrefs: 00713716
FINDSTRING, xrefs: 00713776
TABLEFT, xrefs: 00713687
SETCURRENTSELECTION, xrefs: 007137B6
GETCURRENTSELECTION, xrefs: 007137E3
GETLINECOUNT, xrefs: 007138C6
ISENABLED, xrefs: 0071366B
CURRENTTAB, xrefs: 007136BD
TABRIGHT, xrefs: 0071369D
GETCURRENTCOL, xrefs: 00713928
EDITPASTE, xrefs: 0071395F
ISVISIBLE, xrefs: 00713637
GETSELECTED, xrefs: 007138A3
HIDEDROPDOWN, xrefs: 00713700

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 6f8996f6a10b23a146b7a2995820051c5bfa0ceace99ed5c4052b5303e884de7
Instruction ID: dd0192255e4dce84e145629d8d4dda1005a462a12ebec36bc61b15d31f22264d
Opcode Fuzzy Hash: 6f8996f6a10b23a146b7a2995820051c5bfa0ceace99ed5c4052b5303e884de7
Instruction Fuzzy Hash: F9D182702143019BCB44EF18C452AAF7BA6AF54354F14486CF8855B2E3DB39EE8ACB55

Function 0071A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0071A630
GetSysColorBrush.USER32(0000000F), ref: 0071A661
GetSysColor.USER32(0000000F), ref: 0071A66D
SetBkColor.GDI32(?,000000FF), ref: 0071A687
SelectObject.GDI32(?,00000000), ref: 0071A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0071A6C1
GetSysColor.USER32(00000010), ref: 0071A6C9
CreateSolidBrush.GDI32(00000000), ref: 0071A6D0
FrameRect.USER32(?,?,00000000), ref: 0071A6DF
DeleteObject.GDI32(00000000), ref: 0071A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0071A731
FillRect.USER32(?,?,00000000), ref: 0071A763
GetWindowLongW.USER32(?,000000F0), ref: 0071A78E

Part of subcall function 0071A8CA: GetSysColor.USER32(00000012), ref: 0071A903
Part of subcall function 0071A8CA: SetTextColor.GDI32(?,?), ref: 0071A907
Part of subcall function 0071A8CA: GetSysColorBrush.USER32(0000000F), ref: 0071A91D
Part of subcall function 0071A8CA: GetSysColor.USER32(0000000F), ref: 0071A928
Part of subcall function 0071A8CA: GetSysColor.USER32(00000011), ref: 0071A945
Part of subcall function 0071A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0071A953
Part of subcall function 0071A8CA: SelectObject.GDI32(?,00000000), ref: 0071A964
Part of subcall function 0071A8CA: SetBkColor.GDI32(?,00000000), ref: 0071A96D
Part of subcall function 0071A8CA: SelectObject.GDI32(?,?), ref: 0071A97A
Part of subcall function 0071A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0071A999
Part of subcall function 0071A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071A9B0
Part of subcall function 0071A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0071A9C5
Part of subcall function 0071A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071A9ED

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a3eb296cd5e9263b44cb4229698199dbd16c3ebf3e7d10c84ff66082249dfb20
Instruction ID: 9dab24bd0836e98f2d5fecde9d5120685fcdf05419670bee28ecb348bbcf271d
Opcode Fuzzy Hash: a3eb296cd5e9263b44cb4229698199dbd16c3ebf3e7d10c84ff66082249dfb20
Instruction Fuzzy Hash: 56918D72409305FFC7119F68DC08A9B7BAAFF88321F108B29F966961E1D738D944CB56

Function 00692C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00692CA2
DeleteObject.GDI32(00000000), ref: 00692CE8
DeleteObject.GDI32(00000000), ref: 00692CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00692CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00692D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 006CC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006CC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006CC89D

Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A

SendMessageW.USER32(?,00001053), ref: 006CC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006CC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CC912

Strings

0, xrefs: 006CC731

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 252447cc8004588960b8fb1c0a1ea85ddecf531680a9371849cb599709a0c529
Instruction ID: fde2eb3ae0e3d89368874269461a24aaec15d9211b6baa04a7e126fa1e1d2732
Opcode Fuzzy Hash: 252447cc8004588960b8fb1c0a1ea85ddecf531680a9371849cb599709a0c529
Instruction Fuzzy Hash: 9A126A30600202EFDB55CF28C894BB9BBE6FF45320F54856DE499DB662C731E852DB91

Function 007074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0070759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00707633
GetClientRect.USER32(00000000,?), ref: 0070763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00707683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00707692
GetStockObject.GDI32(00000011), ref: 007076A2
SelectObject.GDI32(00000000,00000000), ref: 007076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007076BF
DeleteDC.GDI32(00000000), ref: 007076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0070770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00707746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0070775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0070776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0070779B
GetStockObject.GDI32(00000011), ref: 007077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007077BB

Strings

msctls_progress32, xrefs: 0070773C
AutoIt v3, xrefs: 0070762B
DISPLAY, xrefs: 00707688
static, xrefs: 0070767D, 00707795

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f408cdfeb68324cb1000d68b01e92535604f236ea0dcfd47d5504bbe059ace37
Instruction ID: 9116e69ae292ec7890afd7ac1b9da76384d4fdbc4ef3c779807f8ab9437328fc
Opcode Fuzzy Hash: f408cdfeb68324cb1000d68b01e92535604f236ea0dcfd47d5504bbe059ace37
Instruction Fuzzy Hash: 7FA145B1A40615BFEB14DB68DC4AFEE77B9EB04711F008118FA15A72E0D774AD40CB64

Function 006FAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FAD1E
GetDriveTypeW.KERNEL32(?,0071FAC0,?,\\.\,0071F910), ref: 006FADFB
SetErrorMode.KERNEL32(00000000,0071FAC0,?,\\.\,0071F910), ref: 006FAF59

Strings

RAID, xrefs: 006FAEF7
Unknown, xrefs: 006FAE1B, 006FAEBF
PhysicalDrive, xrefs: 006FADA7
iSCSI, xrefs: 006FAEFE
Fibre, xrefs: 006FAEE9
SAS, xrefs: 006FAF05
\\.\, xrefs: 006FAD70
ATA, xrefs: 006FAED4
1394, xrefs: 006FAEDB
Fixed, xrefs: 006FAE43
RAMDisk, xrefs: 006FAE25
FileBackedVirtual, xrefs: 006FAF28
SSD, xrefs: 006FAE86
USB, xrefs: 006FAEF0
ATAPI, xrefs: 006FAECD
Virtual, xrefs: 006FAF21
MMC, xrefs: 006FAF1A
CDROM, xrefs: 006FAE2F
Removable, xrefs: 006FAE4D
SCSI, xrefs: 006FAEC6
SATA, xrefs: 006FAF0C
SSA, xrefs: 006FAEE2
Network, xrefs: 006FAE39

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5c5be02e8b59db9aab75d82aa1738bc77d8eefcab92dddca8ddc24c82add30ef
Instruction ID: 9166101e556f8aff82ac6c941987d13d390804c23053a1bc826da2c737651e1d
Opcode Fuzzy Hash: 5c5be02e8b59db9aab75d82aa1738bc77d8eefcab92dddca8ddc24c82add30ef
Instruction Fuzzy Hash: 575195F064524DDB8B80DF94C942CBD73A7EF09710720805AE60BAB391DB759D42EB63

Function 006968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00696931
__wcsnicmp.LIBCMT ref: 00696949
__wcsnicmp.LIBCMT ref: 00696961
__wcsnicmp.LIBCMT ref: 00696979
__wcsnicmp.LIBCMT ref: 00696991
__wcsnicmp.LIBCMT ref: 006969A9
__wcsnicmp.LIBCMT ref: 006969C1
__wcsnicmp.LIBCMT ref: 006969D5
__wcsnicmp.LIBCMT ref: 00696A16
__wcsnicmp.LIBCMT ref: 00696A2A
__wcsnicmp.LIBCMT ref: 00696A3E
__wcsnicmp.LIBCMT ref: 00696A52

Strings

#requireadmin, xrefs: 0069695B
#pragma compile, xrefs: 0069692B
#cs, xrefs: 006969CF, 00696A24
#include, xrefs: 006969A3
#ce, xrefs: 00696A4C
#comments-start, xrefs: 006969BB, 00696A10
Cannot parse #include, xrefs: 006CE3F0
#include-once, xrefs: 0069698B
#OnAutoItStartRegister, xrefs: 00696973
Bad directive syntax error, xrefs: 006CE31A
Unterminated group of comments, xrefs: 006CE403
#notrayicon, xrefs: 00696943
#comments-end, xrefs: 00696A38

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3fa358c410481cbfd6d039feb20fe3273aee42324676d6c9c9368fddd0afdf33
Instruction ID: ec1029fa231dbb1dd86102e1fc7a9f9bbcf320fafc8257ac761d253876110fb2
Opcode Fuzzy Hash: 3fa358c410481cbfd6d039feb20fe3273aee42324676d6c9c9368fddd0afdf33
Instruction Fuzzy Hash: 4C8115F06003166ADF21AA64DC42FFB376FEF01700F044029F805AA696EB65DE82D399

Function 0071A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0071A903
SetTextColor.GDI32(?,?), ref: 0071A907
GetSysColorBrush.USER32(0000000F), ref: 0071A91D
GetSysColor.USER32(0000000F), ref: 0071A928
CreateSolidBrush.GDI32(?), ref: 0071A92D
GetSysColor.USER32(00000011), ref: 0071A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0071A953
SelectObject.GDI32(?,00000000), ref: 0071A964
SetBkColor.GDI32(?,00000000), ref: 0071A96D
SelectObject.GDI32(?,?), ref: 0071A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0071A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0071A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0071AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0071AA32
DrawFocusRect.USER32(?,?), ref: 0071AA3D
GetSysColor.USER32(00000011), ref: 0071AA4B
SetTextColor.GDI32(?,00000000), ref: 0071AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0071AA67
SelectObject.GDI32(?,0071A5FA), ref: 0071AA7E
DeleteObject.GDI32(?), ref: 0071AA89
SelectObject.GDI32(?,?), ref: 0071AA8F
DeleteObject.GDI32(?), ref: 0071AA94
SetTextColor.GDI32(?,?), ref: 0071AA9A
SetBkColor.GDI32(?,?), ref: 0071AAA4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f040b5bc60fb9ed4c03fa818facfa6b6a615a67525f02ce4f42e4a2252b4e823
Instruction ID: 3fb8116835fb71c4c4e6b8e045cb83379a4005e38a073cd11bfa2f373686c67d
Opcode Fuzzy Hash: f040b5bc60fb9ed4c03fa818facfa6b6a615a67525f02ce4f42e4a2252b4e823
Instruction Fuzzy Hash: 78512C71901208FFDB119FA8DC48EEE7B79EF08320F118625F915AB2E1D7799980DB94

Function 007189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00718AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718AD2
CharNextW.USER32(0000014E), ref: 00718B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00718B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00718B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00718B86
SetWindowTextW.USER32(?,0000014E), ref: 00718BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00718BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00718C1F
_memset.LIBCMT ref: 00718C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00718C8D
_memset.LIBCMT ref: 00718CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00718D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00718D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00718E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00718E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00718E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00718EB4
DrawMenuBar.USER32(?), ref: 00718EC3
SetWindowTextW.USER32(?,0000014E), ref: 00718EEB

Strings

0, xrefs: 00718E55

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ff77b454b6cc0ec3be799a89481ab8e278d61373331000b7d92f60d1bc09f8d7
Instruction ID: 4cc69d8079ad8bc2ccefb1b10ce2635b04ce62468fff5a1fc7569ee3e054343a
Opcode Fuzzy Hash: ff77b454b6cc0ec3be799a89481ab8e278d61373331000b7d92f60d1bc09f8d7
Instruction Fuzzy Hash: F2E17070900208ABDB60DF68CC85EEE7BB9EF09710F10815AF915AA2D0DB7899C5DF65

Function 0071488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007149CA
GetDesktopWindow.USER32 ref: 007149DF
GetWindowRect.USER32(00000000), ref: 007149E6
GetWindowLongW.USER32(?,000000F0), ref: 00714A48
DestroyWindow.USER32(?), ref: 00714A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00714A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00714ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00714AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00714AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00714B09
IsWindowVisible.USER32(?), ref: 00714B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00714B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00714B58
GetWindowRect.USER32(?,?), ref: 00714B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00714B96
GetMonitorInfoW.USER32(00000000,?), ref: 00714BB0
CopyRect.USER32(?,?), ref: 00714BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00714C32

Strings

0, xrefs: 00714975
(, xrefs: 00714BA3
tooltips_class32, xrefs: 00714A96

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 41c791456c6a64aa29c102104089a2e1f5aca3a3bbf432a8b4f18896f963ac8a
Instruction ID: 7424fee2e845e15b1f7ae5b8582b4f358c7baf45758c8ccf4f304eeda182a52d
Opcode Fuzzy Hash: 41c791456c6a64aa29c102104089a2e1f5aca3a3bbf432a8b4f18896f963ac8a
Instruction Fuzzy Hash: 89B19C70608340AFDB44DF68C849BAABBE5FF84710F00891CF5999B2A1D779EC45CB99

Function 006927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928BC
GetSystemMetrics.USER32(00000007), ref: 006928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928EF
GetSystemMetrics.USER32(00000008), ref: 006928F7
GetSystemMetrics.USER32(00000004), ref: 0069291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00692939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00692949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00692990
GetClientRect.USER32(00000000,000000FF), ref: 006929AE
GetStockObject.GDI32(00000011), ref: 006929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006929D5

Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
Part of subcall function 00692344: ScreenToClient.USER32(007557B0,?), ref: 00692374
Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7

SetTimer.USER32(00000000,00000000,00000028,00691256), ref: 006929FC

Strings

AutoIt v3 GUI, xrefs: 00692974

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7c36d239012f675505405756aabe2b36cb63bcce563978434c38582e205d8bbb
Instruction ID: 19dad10eef15aaa72a635389456c2b077775ae68fa35f337c995ab7aa9969f6c
Opcode Fuzzy Hash: 7c36d239012f675505405756aabe2b36cb63bcce563978434c38582e205d8bbb
Instruction Fuzzy Hash: 2AB13D7160020AEFDF14DFA8DD55BED7BBAFB08311F108129FA15A62E0DB78A851CB54

Function 006CA8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 006CA92B
___wtomb_environ.LIBCMT ref: 006CA94D

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

__malloc_crt.LIBCMT ref: 006CA975
__malloc_crt.LIBCMT ref: 006CA992
_free.LIBCMT ref: 006CA9C9
__recalloc_crt.LIBCMT ref: 006CAA02
__recalloc_crt.LIBCMT ref: 006CAA47
_strlen.LIBCMT ref: 006CAA73
__calloc_crt.LIBCMT ref: 006CAA7D
_strlen.LIBCMT ref: 006CAA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 006CAABA
_free.LIBCMT ref: 006CAAD4
_free.LIBCMT ref: 006CAAE1
_free.LIBCMT ref: 006CAAF3
__invoke_watson.LIBCMT ref: 006CAB0D

Strings

{nk, xrefs: 006CA932
{nk, xrefs: 006CAAAD

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {nk${nk
API String ID: 884005220-4193596152
Opcode ID: adaa92b873bdc56d3f32cecc7e882c7d33bcce9541a27cc3844dd371b10f70e3
Instruction ID: feb932b0bbad7bd099678f40d40c72cd33836a7fc032397d1afb3cd20f0b77ee
Opcode Fuzzy Hash: adaa92b873bdc56d3f32cecc7e882c7d33bcce9541a27cc3844dd371b10f70e3
Instruction Fuzzy Hash: 3261E2B291060AAFDB505FB4D802FF977AAEF00369F21411DE801D7291DB78CD41C79A

Function 006EA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006EA47A
__swprintf.LIBCMT ref: 006EA51B
_wcscmp.LIBCMT ref: 006EA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006EA583
_wcscmp.LIBCMT ref: 006EA5BF
GetClassNameW.USER32(?,?,00000400), ref: 006EA5F6
GetDlgCtrlID.USER32(?), ref: 006EA648
GetWindowRect.USER32(?,?), ref: 006EA67E
GetParent.USER32(?), ref: 006EA69C
ScreenToClient.USER32(00000000), ref: 006EA6A3
GetClassNameW.USER32(?,?,00000100), ref: 006EA71D
_wcscmp.LIBCMT ref: 006EA731
GetWindowTextW.USER32(?,?,00000400), ref: 006EA757
_wcscmp.LIBCMT ref: 006EA76B

Part of subcall function 006B362C: _iswctype.LIBCMT ref: 006B3634

Strings

%s%u, xrefs: 006EA515

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 9c394c6181ce9ed38d20b3df5eaf63302bc69d7a8df63aa4d293517601f9817d
Instruction ID: dd73de23b347d9b22ec9255ee323ce09b831caee524e96d3adc469f18f03d5ea
Opcode Fuzzy Hash: 9c394c6181ce9ed38d20b3df5eaf63302bc69d7a8df63aa4d293517601f9817d
Instruction Fuzzy Hash: D0A1DF71205346AFDB14DFA5C884BEAB7EAFF44314F008629F999C6290DB30F955CB92

Function 006EAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 006EAF18
_wcscmp.LIBCMT ref: 006EAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 006EAF51
CharUpperBuffW.USER32(?,00000000), ref: 006EAF6E
_wcscmp.LIBCMT ref: 006EAF8C
_wcsstr.LIBCMT ref: 006EAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 006EAFD5
_wcscmp.LIBCMT ref: 006EAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 006EB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 006EB055
_wcscmp.LIBCMT ref: 006EB065
GetClassNameW.USER32(00000010,?,00000400), ref: 006EB08D
GetWindowRect.USER32(00000004,?), ref: 006EB0F6

Strings

@, xrefs: 006EAEF9
ThumbnailClass, xrefs: 006EAFE0, 006EB060

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 041c523de56ab69e9aff6af1e9cd6d612805ef6620ea3d83b04ca1afd590e030
Instruction ID: 2a1ffe0140902564d02248cf084403f8be3eb5fb7946b0ccc2c77e7a357ca26b
Opcode Fuzzy Hash: 041c523de56ab69e9aff6af1e9cd6d612805ef6620ea3d83b04ca1afd590e030
Instruction Fuzzy Hash: EF81DE711093859BDB00DF16C881BEB77EAEF44314F04846EFD858A295DB34ED89CBA5

Function 0071C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DragQueryPoint.SHELL32(?,?), ref: 0071C627

Part of subcall function 0071AB37: ClientToScreen.USER32(?,?), ref: 0071AB60
Part of subcall function 0071AB37: GetWindowRect.USER32(?,?), ref: 0071ABD6
Part of subcall function 0071AB37: PtInRect.USER32(?,?,0071C014), ref: 0071ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0071C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0071C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0071C6BE
_wcscat.LIBCMT ref: 0071C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0071C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0071C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0071C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0071C757
DragFinish.SHELL32(?), ref: 0071C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0071C851

Strings

@GUI_DROPID, xrefs: 0071C77E
pbu, xrefs: 0071C79B
@GUI_DRAGID, xrefs: 0071C7C9
@GUI_DRAGFILE, xrefs: 0071C800

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbu
API String ID: 169749273-3108296618
Opcode ID: 5315ae5921f8df5ff91ffa0e1b87f2efb3fad3e865387ecd8bcb67496e346929
Instruction ID: 0aae95c62c379e0c3b4372cc9909968ac004dd741fad63fdcd8d8a49a1280762
Opcode Fuzzy Hash: 5315ae5921f8df5ff91ffa0e1b87f2efb3fad3e865387ecd8bcb67496e346929
Instruction Fuzzy Hash: A5618D71108300AFCB01EF68DC85DAFBBE9EF89310F00492EF591961E1DB74A949CB56

Function 006EABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006EAC33

Strings

REGEXP=, xrefs: 006EAC48
[ACTIVE, xrefs: 006EAC20
[ALL, xrefs: 006EACD9
HANDLE=, xrefs: 006EAC2C
[REGEXPTITLE:, xrefs: 006EAC5B
[HANDLE:, xrefs: 006EAC3F
ACTIVE, xrefs: 006EAC0E
LAST, xrefs: 006EABF8
ALL, xrefs: 006EACC7
[CLASS:, xrefs: 006EAC83
[LAST, xrefs: 006EACE0
CLASSNAME=, xrefs: 006EAC70

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ceb8095f30b6aa9a8e777b90a635c506d22f93376d5eaa7ab3e98781be2562dd
Instruction ID: 3b2c41ca7d8d3cbe92ce2bdf204c8c7a7f8b8ec5f5365e7c68da88f2713a2274
Opcode Fuzzy Hash: ceb8095f30b6aa9a8e777b90a635c506d22f93376d5eaa7ab3e98781be2562dd
Instruction Fuzzy Hash: C731E4B0648345AADE08EAA5DD03EFE77AB9F10B10F60442DF402715D1EF156F04C65A

Function 00704FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00705013
LoadCursorW.USER32(00000000,00007F00), ref: 0070501E
LoadCursorW.USER32(00000000,00007F03), ref: 00705029
LoadCursorW.USER32(00000000,00007F8B), ref: 00705034
LoadCursorW.USER32(00000000,00007F01), ref: 0070503F
LoadCursorW.USER32(00000000,00007F81), ref: 0070504A
LoadCursorW.USER32(00000000,00007F88), ref: 00705055
LoadCursorW.USER32(00000000,00007F80), ref: 00705060
LoadCursorW.USER32(00000000,00007F86), ref: 0070506B
LoadCursorW.USER32(00000000,00007F83), ref: 00705076
LoadCursorW.USER32(00000000,00007F85), ref: 00705081
LoadCursorW.USER32(00000000,00007F82), ref: 0070508C
LoadCursorW.USER32(00000000,00007F84), ref: 00705097
LoadCursorW.USER32(00000000,00007F04), ref: 007050A2
LoadCursorW.USER32(00000000,00007F02), ref: 007050AD
LoadCursorW.USER32(00000000,00007F89), ref: 007050B8
GetCursorInfo.USER32(?), ref: 007050C8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ec9192362fb1f4451f72a78bef539cb2a333dc4e5193ee6d8fb5a5dcfc824ae0
Instruction ID: 32a651c07c40d5ee175b0311154ebdb51f2a4d8913a0b4dfc2d6d0d41f552ea7
Opcode Fuzzy Hash: ec9192362fb1f4451f72a78bef539cb2a333dc4e5193ee6d8fb5a5dcfc824ae0
Instruction Fuzzy Hash: 193105B1D4831DAADF109FB68C8999FBFE8FF04750F50452AE50DE7280DA78A5008FA5

Function 0071A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071A259
DestroyWindow.USER32(?,?), ref: 0071A2D3

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0071A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0071A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A382
DestroyWindow.USER32(00000000), ref: 0071A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00690000,00000000), ref: 0071A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A3F4
GetDesktopWindow.USER32 ref: 0071A40D
GetWindowRect.USER32(00000000), ref: 0071A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0071A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0071A444

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

Strings

0, xrefs: 0071A26F
tooltips_class32, xrefs: 0071A346, 0071A3D4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f114c0951ea002a1912502ed33b9066531d26e8c27b8fc48fd4c6b59762498e2
Instruction ID: 0132c6aa821430885c260c320b4a6c6b4c29bd5924d92566b243d86b54f4f37a
Opcode Fuzzy Hash: f114c0951ea002a1912502ed33b9066531d26e8c27b8fc48fd4c6b59762498e2
Instruction Fuzzy Hash: 54716A70140345AFDB25CF2CCC49FAA7BE6FB88700F04852DF985872A0D7B9A946CB56

Function 00714392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00714424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0071446F

Strings

ISCHECKED, xrefs: 007145F2
EXISTS, xrefs: 007144D8
CHECK, xrefs: 0071448F
GETTEXT, xrefs: 007145C2
SELECT, xrefs: 00714620
EXPAND, xrefs: 00714521
GETTOTALCOUNT, xrefs: 00714456
GETSELECTED, xrefs: 0071457F
GETITEMCOUNT, xrefs: 00714551
COLLAPSE, xrefs: 007144B5
UNCHECK, xrefs: 0071464B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 33328fcfda6c3e2beb548e952469477647d83b25f7d37f3aa4a44e8f804cce7d
Instruction ID: 0d47dce9c3151f6bbb1c6631b5b7d2a55d4d66ad5caf39b945ec88e2e8365099
Opcode Fuzzy Hash: 33328fcfda6c3e2beb548e952469477647d83b25f7d37f3aa4a44e8f804cce7d
Instruction Fuzzy Hash: DF91A0702003018FCF44EF28C451AAEB7E6AF95354F14886CF8965B7A2DB34ED89CB95

Function 0071B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0071B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00716B11,?), ref: 0071B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0071B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071B9C3
FreeLibrary.KERNEL32(?), ref: 0071B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071B9DF
DestroyIcon.USER32(?), ref: 0071B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0071BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0071BA17

Part of subcall function 006B2EFD: __wcsicmp_l.LIBCMT ref: 006B2F86

Strings

.exe, xrefs: 0071B84A
.dll, xrefs: 0071B86D
.icl, xrefs: 0071B82A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: a30abaaa7cfe3b9abdd5cbaac94f71468433d7d33c00ede4b874aa229c8383fa
Instruction ID: a6b876f696a41f5f53150133f28f556d31c66444374436e47bd27b0f6446eab2
Opcode Fuzzy Hash: a30abaaa7cfe3b9abdd5cbaac94f71468433d7d33c00ede4b874aa229c8383fa
Instruction Fuzzy Hash: CB61B0B1500219FAEB14DF68DC45FFE7BACEB08710F108619FA15D61D1DB78A981DBA0

Function 006FDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006FDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 006FDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006FDCF8
__wsplitpath.LIBCMT ref: 006FDD56
_wcscat.LIBCMT ref: 006FDD6E
_wcscat.LIBCMT ref: 006FDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006FDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDDFC
_wcscpy.LIBCMT ref: 006FDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006FDE47

Strings

*.*, xrefs: 006FDE02

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: db6b5c7d5fc2134da7f3d874b5d15d055f7d77ac7d80117dd9029fb28d217dd0
Instruction ID: 0383f7c2bd0aa36950d548fa870ca3561dcd841c7d86c2f5ec0d1c9fa8ba9222
Opcode Fuzzy Hash: db6b5c7d5fc2134da7f3d874b5d15d055f7d77ac7d80117dd9029fb28d217dd0
Instruction Fuzzy Hash: 04617A725042099FCB50EF24C8459AEB3EEFF89314F04892DFA8987251EB35E945CB96

Function 006F9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 006F9C7F

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006F9CA0
__swprintf.LIBCMT ref: 006F9CF9
__swprintf.LIBCMT ref: 006F9D12
_wprintf.LIBCMT ref: 006F9DB9
_wprintf.LIBCMT ref: 006F9DD7

Strings

^ ERROR , xrefs: 006F9D4E
Line %d (File "%s"):, xrefs: 006F9CF3, 006F9D0C
Incorrect parameters to object property !, xrefs: 006F9D5B
Error: , xrefs: 006F9D81
"%s" (%d) : ==> %s:%s%s, xrefs: 006F9DB4
"%s" (%d) : ==> %s:, xrefs: 006F9DD2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 185aa4c0ba2a12fc6b504dd729eb69baf76914a98f425dd32cd29211906d6499
Instruction ID: 368268e4ea980ad1f6e4b1ea2c0620eccdc2494700ae2101afeb4925c89d5a26
Opcode Fuzzy Hash: 185aa4c0ba2a12fc6b504dd729eb69baf76914a98f425dd32cd29211906d6499
Instruction Fuzzy Hash: BB51BC7190060DAACF55EBE0CD42EFEB77AAF14300F600069F605721A2EB352F49CB69

Function 006FA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CharLowerBuffW.USER32(?,?), ref: 006FA3CB
GetDriveTypeW.KERNEL32 ref: 006FA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA4C5

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Strings

closed, xrefs: 006FA3DF, 006FA3E8
close cd wait, xrefs: 006FA4B0
type cdaudio alias cd wait, xrefs: 006FA443
open , xrefs: 006FA427
close, xrefs: 006FA3D1
wait, xrefs: 006FA482
set cd door , xrefs: 006FA466
open, xrefs: 006FA3F2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7ddf521c9b1e02bab97f343e5d9e5a005e5dd8227b441217cd61c11e9a6f2b40
Instruction ID: e77d6c8d1ad034d77318cd62244ef35f7e2dd225958c05a58390919044229d2c
Opcode Fuzzy Hash: 7ddf521c9b1e02bab97f343e5d9e5a005e5dd8227b441217cd61c11e9a6f2b40
Instruction Fuzzy Hash: 72518FB11143089FCB80EF24C88196EB7E9FF84718F10886DF89A57651DB31ED0ACB56

Function 006EF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,006CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 006EF8DF
LoadStringW.USER32(00000000,?,006CE029,00000001), ref: 006EF8E8

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,006CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 006EF90A
LoadStringW.USER32(00000000,?,006CE029,00000001), ref: 006EF90D
__swprintf.LIBCMT ref: 006EF95D
__swprintf.LIBCMT ref: 006EF96E
_wprintf.LIBCMT ref: 006EFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006EFA2E

Strings

^ ERROR, xrefs: 006EF9C3
Line %d (File "%s"):, xrefs: 006EF957
Error: , xrefs: 006EF9E5
%s (%d) : ==> %s: %s %s, xrefs: 006EFA12
Line %d:, xrefs: 006EF968

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2b3068b3ffc617182f259aecf69c3f1bdc45416a8353a8b0ebfc3ba46a00e05a
Instruction ID: b42af5e622830fa9688ae14c0fd11b8b163ec0547422a28446746a7663b63ce0
Opcode Fuzzy Hash: 2b3068b3ffc617182f259aecf69c3f1bdc45416a8353a8b0ebfc3ba46a00e05a
Instruction Fuzzy Hash: 43413A7290120DAACF45FBE4DD86EEEB77EAF14300F500069F50666092EA356F49CB69

Function 0071BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0071BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 0071BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0071BA78
CloseHandle.KERNEL32(00000000), ref: 0071BA85
GlobalLock.KERNEL32(00000000), ref: 0071BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0071BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0071BAA6
CloseHandle.KERNEL32(00000000), ref: 0071BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0071BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00722CAC,?), ref: 0071BAD7
GlobalFree.KERNEL32(00000000), ref: 0071BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 0071BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0071BB36
DeleteObject.GDI32(00000000), ref: 0071BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0071BB74

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0bdbae83b8f9862f53316b9dacec3dbb98f882ae276a9fed4b32978f3d037048
Instruction ID: efcb5d5242b8ddf7e3c58ad63298303a07800bc85b8141beafc85f5a70d414ff
Opcode Fuzzy Hash: 0bdbae83b8f9862f53316b9dacec3dbb98f882ae276a9fed4b32978f3d037048
Instruction Fuzzy Hash: 63410875600208EFDB219F69DC88EEA7BB8FF89711F108069F909D72A0D7789941DB64

Function 006FD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 006FDA10
_wcscat.LIBCMT ref: 006FDA28
_wcscat.LIBCMT ref: 006FDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006FDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDA63
GetFileAttributesW.KERNEL32(?), ref: 006FDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 006FDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDAA7

Strings

*.*, xrefs: 006FDAE6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ea1aa5fa4c80af16a3e7357810862565904733e3211910ed5ffd828ebb8e5c26
Instruction ID: a1d60395f78a298ef58b5a2e73ca5d42adede5db1515aaa42d0fd49a660bfdb9
Opcode Fuzzy Hash: ea1aa5fa4c80af16a3e7357810862565904733e3211910ed5ffd828ebb8e5c26
Instruction Fuzzy Hash: E081B4715042499FCB60DFA4C8459BEB7EBBF89310F14882EF989C7351E670E945CB52

Function 0071C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0071C1FC
GetFocus.USER32 ref: 0071C20C
GetDlgCtrlID.USER32(00000000), ref: 0071C217
_memset.LIBCMT ref: 0071C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0071C36D
GetMenuItemCount.USER32(?), ref: 0071C38D
GetMenuItemID.USER32(?,00000000), ref: 0071C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0071C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0071C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0071C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0071C489

Strings

0, xrefs: 0071C33A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4d3c1c51d7871dbcf545c6f5601a7373c799f011b440c1cbdf8d4c43b81954aa
Instruction ID: 799732b8c6eaae9f64b0500feced424d1d7c25cb8735384f747fe837d8444ab5
Opcode Fuzzy Hash: 4d3c1c51d7871dbcf545c6f5601a7373c799f011b440c1cbdf8d4c43b81954aa
Instruction Fuzzy Hash: 9B81C1701483519FD711CF98C894AEB7BE9FB88714F00892EF995972D1C778D984CB52

Function 0070731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0070738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0070739B
CreateCompatibleDC.GDI32(?), ref: 007073A7
SelectObject.GDI32(00000000,?), ref: 007073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00707408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00707444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00707468
SelectObject.GDI32(00000006,?), ref: 00707470
DeleteObject.GDI32(?), ref: 00707479
DeleteDC.GDI32(00000006), ref: 00707480
ReleaseDC.USER32(00000000,?), ref: 0070748B

Strings

(, xrefs: 00707410

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b3e35d98caaec32c579f3aa3f27765bceb8f22e0637ef04a756d10cf732a9e86
Instruction ID: 96e9d1582b28263435fb2a2219ca394170c94a4ad294c1d9292b77c36d9707df
Opcode Fuzzy Hash: b3e35d98caaec32c579f3aa3f27765bceb8f22e0637ef04a756d10cf732a9e86
Instruction Fuzzy Hash: 77514771904209EFDB14CFA8CC84EAEBBB9EF48310F14C52DF95AA7291C735A940CB54

Function 00696A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 006B0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00696B0C,?,00008000), ref: 006B0973

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00696CFA

Part of subcall function 0069586D: _wcscpy.LIBCMT ref: 006958A5

Part of subcall function 006B363D: _iswctype.LIBCMT ref: 006B3645

Strings

EA06, xrefs: 006CE452
Bad directive syntax error, xrefs: 006CE79D
>>>AUTOIT SCRIPT<<<, xrefs: 006CE496
Unterminated string, xrefs: 006CE7E4
AU3!, xrefs: 00696B61
Error opening the file, xrefs: 006CE43D, 006CE4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 006CE421

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 94606447ad55067e56b87db86f878b49b0f27e9750717f2f1caf58cb8ea90534
Instruction ID: 65b33615549b7d92f165792a046ac0eb2457ee9a376fccdca293a36cc405bc04
Opcode Fuzzy Hash: 94606447ad55067e56b87db86f878b49b0f27e9750717f2f1caf58cb8ea90534
Instruction Fuzzy Hash: 3902AB701083419FCB64EF24C881AAFBBFAEF94314F10491DF49A976A1DB31DA49CB56

Function 006F2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 006F2DDD
GetMenuItemCount.USER32(00755890), ref: 006F2E66
DeleteMenu.USER32(00755890,00000005,00000000,000000F5,?,?), ref: 006F2EF6
DeleteMenu.USER32(00755890,00000004,00000000), ref: 006F2EFE
DeleteMenu.USER32(00755890,00000006,00000000), ref: 006F2F06
DeleteMenu.USER32(00755890,00000003,00000000), ref: 006F2F0E
GetMenuItemCount.USER32(00755890), ref: 006F2F16
SetMenuItemInfoW.USER32(00755890,00000004,00000000,00000030), ref: 006F2F4C
GetCursorPos.USER32(?), ref: 006F2F56
SetForegroundWindow.USER32(00000000), ref: 006F2F5F
TrackPopupMenuEx.USER32(00755890,00000000,?,00000000,00000000,00000000), ref: 006F2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006F2F7E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 936532aa7ba25d8fe8f871c224a2f4aa3545b2593de0296866ca5001f91bd827
Instruction ID: 4bbd2a1295ed3ef8cf06cd017b334d15a3b766f895faf704b213740ed97312ff
Opcode Fuzzy Hash: 936532aa7ba25d8fe8f871c224a2f4aa3545b2593de0296866ca5001f91bd827
Instruction Fuzzy Hash: 1771C17064120ABAEB218F58DC65FFABF66FF04324F204216F715AA2E1C7715860DF54

Function 007088AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007088D7
CoInitialize.OLE32(00000000), ref: 00708904
CoUninitialize.OLE32 ref: 0070890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00708A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00708B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00722C0C), ref: 00708B6F
CoGetObject.OLE32(?,00000000,00722C0C,?), ref: 00708B92
SetErrorMode.KERNEL32(00000000), ref: 00708BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00708C25
VariantClear.OLEAUT32(?), ref: 00708C35

Strings

,,r, xrefs: 007088C1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,r
API String ID: 2395222682-1227627816
Opcode ID: 513502b0e872a681ba1402a31d11eeadf5bebce536bbb4dca36416658fc999cb
Instruction ID: abbc1edb5fc3d0ead0f77906513f30a4965b95c48fffe8438c3fc2ecfc0c025f
Opcode Fuzzy Hash: 513502b0e872a681ba1402a31d11eeadf5bebce536bbb4dca36416658fc999cb
Instruction Fuzzy Hash: 1AC113B1208305EFD740DF28C88496AB7E9AF89358F004A5DF9899B291DB75ED05CB62

Function 006E77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_memset.LIBCMT ref: 006E786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006E78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006E78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006E78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006E7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 006E792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E793A

Strings

\IPC$, xrefs: 006E7882
\CLSID, xrefs: 006E7822
SOFTWARE\Classes\, xrefs: 006E780C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 4952a32bde3bcd0261ea60df205d349a653f35eafc69e2f3420180ac4aef0caf
Instruction ID: 1d2165b98803a04196f6e6e049da20a2671fff929440a5b82e09563560e99e78
Opcode Fuzzy Hash: 4952a32bde3bcd0261ea60df205d349a653f35eafc69e2f3420180ac4aef0caf
Instruction Fuzzy Hash: 5141F872C14629ABDF15EFA4DC85DEEB779FF14310F448069E905A32A1EB349E04CB94

Function 00710E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

Strings

HKLM, xrefs: 00710EAF
HKEY_LOCAL_MACHINE, xrefs: 00710E9A
HKEY_USERS, xrefs: 00710F32
HKEY_CLASSES_ROOT, xrefs: 00710EC4
HKEY_CURRENT_CONFIG, xrefs: 00710EEE
HKU, xrefs: 00710F43
HKEY_CURRENT_USER, xrefs: 00710F10
HKCC, xrefs: 00710EFF
HKCR, xrefs: 00710ED9
HKCU, xrefs: 00710F21

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 26db56d21e6b36a615b918dcc5aef77f2b3eb7676e5d3a143d1335e5fd00bf4e
Instruction ID: 6d3901f276abb10d17eb9cfd93aeaa12bb5c024391e7501d7b862a712c08b5db
Opcode Fuzzy Hash: 26db56d21e6b36a615b918dcc5aef77f2b3eb7676e5d3a143d1335e5fd00bf4e
Instruction Fuzzy Hash: 5D416B7111028A8BDF50EF18D856AEF3769BF11310F244829FC551B2D2DBB89DDACBA0

Function 006EF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006CE2A0,00000010,?,Bad directive syntax error,0071F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006EF7C2
LoadStringW.USER32(00000000,?,006CE2A0,00000010), ref: 006EF7C9

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

_wprintf.LIBCMT ref: 006EF7FC
__swprintf.LIBCMT ref: 006EF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006EF88D

Strings

Line %d (File "%s"):, xrefs: 006EF833
., xrefs: 006EF873
Error: , xrefs: 006EF85B
Line %d:, xrefs: 006EF818
%s (%d) : ==> %s.: %s %s, xrefs: 006EF7F7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a57fa8fd90bd1294f931162057cce54efdbd5ef511b9102152927776610fed42
Instruction ID: cd29c5ea97cb59f891fcf2cd30c69d156c3c09089ee7ba7d0d53da4f2e6baa16
Opcode Fuzzy Hash: a57fa8fd90bd1294f931162057cce54efdbd5ef511b9102152927776610fed42
Instruction Fuzzy Hash: B621AC7290021EEFCF42EF90CC0AEEE773ABF18300F00446AF505660A2EA71A618DB55

Function 006F52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Part of subcall function 00697924: _memmove.LIBCMT ref: 006979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006F5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006F5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006F5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006F5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006F537A

Strings

status PlayMe mode, xrefs: 006F532B
play PlayMe wait, xrefs: 006F5364
play PlayMe, xrefs: 006F5375
close PlayMe, xrefs: 006F5341, 006F536E
open , xrefs: 006F52DF
alias PlayMe, xrefs: 006F5309

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 16d1c3c67371460fcacc3436dc2764fb4f8bfd2ba6319e8b10c72e54fc824caf
Instruction ID: 06c4e08b95c685e8d44b9cf8519adb70b21b51fcaea9c4dced27f2efb608d708
Opcode Fuzzy Hash: 16d1c3c67371460fcacc3436dc2764fb4f8bfd2ba6319e8b10c72e54fc824caf
Instruction Fuzzy Hash: 6411C471AA412DB9DBA0B7B5DC5ADFF7BBDEB91B50F000429B502A20D1EEA00D05C5A6

Function 006F46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006F46D2
gethostname.WSOCK32(?,00000100), ref: 006F46EC
gethostbyname.WSOCK32(?), ref: 006F46F9
_wcscpy.LIBCMT ref: 006F4721
_memmove.LIBCMT ref: 006F4734
inet_ntoa.WSOCK32(?), ref: 006F473F
_strcat.LIBCMT ref: 006F474D
_wcscpy.LIBCMT ref: 006F4764
WSACleanup.WSOCK32 ref: 006F4772
_wcscpy.LIBCMT ref: 006F4780

Strings

0.0.0.0, xrefs: 006F471B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 0bd0843b7bb6472041933bf0b1e0cb9a812aa29bd9bc169b67f15b205e428105
Instruction ID: d38f7ddc6029ed73a7c9c8113eae4d5c2dee5fba01b2893fb8f5de572466b27c
Opcode Fuzzy Hash: 0bd0843b7bb6472041933bf0b1e0cb9a812aa29bd9bc169b67f15b205e428105
Instruction Fuzzy Hash: FA110271504109AFDB60BB349C4AEEB77BDEF02321F0481BAF64592192EF759AC18B54

Function 006F4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006F4F7A

Part of subcall function 006B049F: timeGetTime.WINMM(?,75C0B400,006A0E7B), ref: 006B04A3

Sleep.KERNEL32(0000000A), ref: 006F4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 006F4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006F4FEC
SetActiveWindow.USER32 ref: 006F500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006F5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 006F5038
Sleep.KERNEL32(000000FA), ref: 006F5043
IsWindow.USER32 ref: 006F504F
EndDialog.USER32(00000000), ref: 006F5060

Strings

BUTTON, xrefs: 006F4FDE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1bfd43519430ec827b00ca6c95bdad13629b6a5095e44e80f1e17ac58bb9b729
Instruction ID: 5de80087dbbf708dc0ccd063cc5c38832d99634fc8db7eb1e20b0e9d3600254e
Opcode Fuzzy Hash: 1bfd43519430ec827b00ca6c95bdad13629b6a5095e44e80f1e17ac58bb9b729
Instruction Fuzzy Hash: E321C5B0241709AFE7115F24EC89AF63B6AEB45746F04D028F206822F1DFB94D608B69

Function 006FD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CoInitialize.OLE32(00000000), ref: 006FD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006FD67D
SHGetDesktopFolder.SHELL32(?), ref: 006FD691
CoCreateInstance.OLE32(00722D7C,00000000,00000001,00748C1C,?), ref: 006FD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006FD74C
CoTaskMemFree.OLE32(?,?), ref: 006FD7A4
_memset.LIBCMT ref: 006FD7E1
SHBrowseForFolderW.SHELL32(?), ref: 006FD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006FD840
CoTaskMemFree.OLE32(00000000), ref: 006FD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006FD87E
CoUninitialize.OLE32(00000001,00000000), ref: 006FD880

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: bd806b524b6e320ecd8b817b17c96ce9670c2f0ec6e6471c87925fa7813f94a7
Instruction ID: 08cf8d2e6b19ad8d00366a892772640221627f03acae30a05be51cf7ff6fe14f
Opcode Fuzzy Hash: bd806b524b6e320ecd8b817b17c96ce9670c2f0ec6e6471c87925fa7813f94a7
Instruction Fuzzy Hash: 03B1EC75A00109AFDB44DFA8C885DAEBBBAFF49314F1484A9F909DB261DB30ED41CB54

Function 006EC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006EC283
GetWindowRect.USER32(00000000,?), ref: 006EC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006EC2F3
GetDlgItem.USER32(?,00000002), ref: 006EC2FE
GetWindowRect.USER32(00000000,?), ref: 006EC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006EC364
GetDlgItem.USER32(?,000003E9), ref: 006EC372
GetWindowRect.USER32(00000000,?), ref: 006EC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006EC3C6
GetDlgItem.USER32(?,000003EA), ref: 006EC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006EC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 006EC3FE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
Instruction ID: dd217951fd9fda2ed7ecd869cbbed9f830772093d07099ad16166065e04884dd
Opcode Fuzzy Hash: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
Instruction Fuzzy Hash: 0E512B71B00205AFDB18CFADDD99AAEBBBAEB88710F14C129F615E62D0D7709D018B14

Function 0069201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006920D3
KillTimer.USER32(-00000001,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 0069216E
DestroyAcceleratorTable.USER32(00000000), ref: 006CBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBD0A
DeleteObject.GDI32(00000000), ref: 006CBD1C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fb98cadc1529432d090e9439ee8f57e1fd2ae742adde55f708a56518140607e3
Instruction ID: f2be9817a5b49986d2e6bbc09c76d239601eb060031ccbbe7aceb4b961a7c309
Opcode Fuzzy Hash: fb98cadc1529432d090e9439ee8f57e1fd2ae742adde55f708a56518140607e3
Instruction Fuzzy Hash: 95618C30500B02EFCB259F18D969BA977F7FF44312F50842CE5428AAA0C7B8B891DB94

Function 006921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

GetSysColor.USER32(0000000F), ref: 006921D3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 85277a3c6aa5baaf37230dee4cb5db30639d9337b3307643849a50246ef1b6c1
Instruction ID: 142133476a9a4ffc5b1d4bbb5fc6393a9f1b66d1448f1e96d4da80591c6e75a6
Opcode Fuzzy Hash: 85277a3c6aa5baaf37230dee4cb5db30639d9337b3307643849a50246ef1b6c1
Instruction Fuzzy Hash: F341D030004541FADF255F28ECA8BF93B6BEB06331F248265FE658A2E1C7318D42DB21

Function 006FA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0071F910), ref: 006FA90B
GetDriveTypeW.KERNEL32(00000061,007489A0,00000061), ref: 006FA9D5
_wcscpy.LIBCMT ref: 006FA9FF

Strings

ramdisk, xrefs: 006FA97F
all, xrefs: 006FA911
network, xrefs: 006FA969
fixed, xrefs: 006FA953
cdrom, xrefs: 006FA927
removable, xrefs: 006FA93D
unknown, xrefs: 006FA996

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a67cac32ba855513a49861811af6cfac43051e6b31bb5a2feba0cfdb23323e54
Instruction ID: bb402f14430789ddad754e6db06a5fcb265fa9e08acc8ed096e5200b0bb6d336
Opcode Fuzzy Hash: a67cac32ba855513a49861811af6cfac43051e6b31bb5a2feba0cfdb23323e54
Instruction Fuzzy Hash: C6519EB1128305AFC740EF54C992ABFB7AAFF85340F10482DF599572A2DB719909CB53

Function 00699837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00699862
__swprintf.LIBCMT ref: 006998AC
__i64tow.LIBCMT ref: 006CF5E6

Strings

0x%p, xrefs: 006CF5C8
%.15g, xrefs: 006998A6
False, xrefs: 006CF5AE
True, xrefs: 006CF5A7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 6ab0f3bcd63557ad8530c810a08a59f8f9efdd5cf4657ad0ebc180c7a65170f6
Instruction ID: bff3435b1d5670fd9f22b7a941af073e270976984c490e5e0e8fc37b35de59b6
Opcode Fuzzy Hash: 6ab0f3bcd63557ad8530c810a08a59f8f9efdd5cf4657ad0ebc180c7a65170f6
Instruction Fuzzy Hash: 6241B8B1610205AEEF64DF38D941EBA77EFEF05300F64486EE549D7392EA319942CB21

Function 00717152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071716A
CreateMenu.USER32 ref: 00717185
SetMenu.USER32(?,00000000), ref: 00717194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717221
IsMenu.USER32(?), ref: 00717237
CreatePopupMenu.USER32 ref: 00717241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0071726E
DrawMenuBar.USER32 ref: 00717276

Strings

F, xrefs: 00717262
0, xrefs: 00717160

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 32ad6066feb77fd308cdd351c22c074117d900b6d96bf3714f3fc749b7cefb4d
Instruction ID: e641dd38633b1ecfd0c715552510ba820ca9b892686e13feed1fa56691e25446
Opcode Fuzzy Hash: 32ad6066feb77fd308cdd351c22c074117d900b6d96bf3714f3fc749b7cefb4d
Instruction Fuzzy Hash: 82414974A01209EFDB24DF68D845EDA7BF6FF48310F148029F905973A1D779A960CB94

Function 007174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0071755E
CreateCompatibleDC.GDI32(00000000), ref: 00717565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00717578
SelectObject.GDI32(00000000,00000000), ref: 00717580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0071758B
DeleteDC.GDI32(00000000), ref: 00717594
GetWindowLongW.USER32(?,000000EC), ref: 0071759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007175BE

Strings

static, xrefs: 007174F6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 310235fb57f668dff3d5b9f63a947942e8b6b715be6bbb79e7e264b09988b7b9
Instruction ID: 566cf39b2384f6bb3cf0b3c55f6659be758d3a988b89116d7933eee7cc1efe08
Opcode Fuzzy Hash: 310235fb57f668dff3d5b9f63a947942e8b6b715be6bbb79e7e264b09988b7b9
Instruction Fuzzy Hash: 25316D72104219BBDF159F68DC09FDA3B7AFF09360F118224FA15A61E0C739D961DBA8

Function 006B6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B6E3E

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

__gmtime64_s.LIBCMT ref: 006B6ED7
__gmtime64_s.LIBCMT ref: 006B6F0D
__gmtime64_s.LIBCMT ref: 006B6F2A
__allrem.LIBCMT ref: 006B6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B6F9C
__allrem.LIBCMT ref: 006B6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B6FD1
__allrem.LIBCMT ref: 006B6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B7006
__invoke_watson.LIBCMT ref: 006B7077

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: df8dda4ae46ba3b49e28513ec6986ad9155f9991bc3fd1bc9c6a1ca70224fafc
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F071F5F6A00716ABD714EE68DC41BEAB3BAEF44324F10812EF514D7381E774DA818B94

Function 006F2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2542
GetMenuItemInfoW.USER32(00755890,000000FF,00000000,00000030), ref: 006F25A3
SetMenuItemInfoW.USER32(00755890,00000004,00000000,00000030), ref: 006F25D9
Sleep.KERNEL32(000001F4), ref: 006F25EB
GetMenuItemCount.USER32(?), ref: 006F262F
GetMenuItemID.USER32(?,00000000), ref: 006F264B
GetMenuItemID.USER32(?,-00000001), ref: 006F2675
GetMenuItemID.USER32(?,?), ref: 006F26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006F2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2735

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: eb5e0f2ecfa076ab1e16ae395bf84ec627e218070c9c80b56c9262243d96506e
Instruction ID: 6e28de34d9e42cdcd499b4e231fcf2baad3b78d19d468fb1d6600e328f2084a3
Opcode Fuzzy Hash: eb5e0f2ecfa076ab1e16ae395bf84ec627e218070c9c80b56c9262243d96506e
Instruction Fuzzy Hash: A9617CB090024EAFDB11DFA8CCA89FEBBBAFB01304F144059EA41A7291D735AD15DF25

Function 00716F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00716FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00716FA8
GetWindowLongW.USER32(?,000000F0), ref: 00716FCC
_memset.LIBCMT ref: 00716FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00716FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00717067

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 68c33e043ba4969f096cc57fa81cc9cee153c561d4c6871deb23088e7e40bff6
Instruction ID: 6f3d744ba823046c87df4ee8a890a18beb710101778fbe241889e46297a154d3
Opcode Fuzzy Hash: 68c33e043ba4969f096cc57fa81cc9cee153c561d4c6871deb23088e7e40bff6
Instruction Fuzzy Hash: 5E617B75900208AFDB10DFA8CC81EEE77F8EB09710F104159FA14AB2E1C779AD85DBA4

Function 006E6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006E6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 006E6C18
VariantInit.OLEAUT32(?), ref: 006E6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006E6C4A
VariantCopy.OLEAUT32(?,?), ref: 006E6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006E6CB1
VariantClear.OLEAUT32(?), ref: 006E6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 006E6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E6CDC
VariantClear.OLEAUT32(?), ref: 006E6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E6CF9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2c673698a52b7b5c22fd66c6dac6730e7d5ae9bb98d602c9ecb931a20aaa6690
Instruction ID: 67d63fea610e9c100f7bac48783bccd49da7aa722375d7e90744daa44d9839b3
Opcode Fuzzy Hash: 2c673698a52b7b5c22fd66c6dac6730e7d5ae9bb98d602c9ecb931a20aaa6690
Instruction Fuzzy Hash: 81416D31A002599FCF00DFA9D8449EEBBBAEF18354F10C069F955A7261DB34A945CFA4

Function 00705732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00705793
inet_addr.WSOCK32(?,?,?), ref: 007057D8
gethostbyname.WSOCK32(?), ref: 007057E4
IcmpCreateFile.IPHLPAPI ref: 007057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00705862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00705878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007058ED
WSACleanup.WSOCK32 ref: 007058F3

Strings

Ping, xrefs: 00705816

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 89b226bb870102ad8bd9d9044c6fa9f1d8a5ed3211828d3e068c2b86099b8229
Instruction ID: 8c466ea6518a57b0db040d812ed5d7fd950d4eeea280965c0cb3f158a62b8c54
Opcode Fuzzy Hash: 89b226bb870102ad8bd9d9044c6fa9f1d8a5ed3211828d3e068c2b86099b8229
Instruction Fuzzy Hash: AB516B31604700DFDB50EF29CC45B6A7BE5AB49720F048A29F956DB2E1DB38E800DF55

Function 006FB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006FB546
GetLastError.KERNEL32 ref: 006FB550
SetErrorMode.KERNEL32(00000000,READY), ref: 006FB5BD

Strings

NOTREADY, xrefs: 006FB57C
INVALID, xrefs: 006FB58F
READONLY, xrefs: 006FB588
READY, xrefs: 006FB596
UNKNOWN, xrefs: 006FB575

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 502da1fc4f3eecf199d56b62983247d60007d1c132f9e37e10a42a8ab073e04b
Instruction ID: 5ad116ff52a20ece41a31acd36e962aedd240240406a2473871abd5dc7fc9170
Opcode Fuzzy Hash: 502da1fc4f3eecf199d56b62983247d60007d1c132f9e37e10a42a8ab073e04b
Instruction Fuzzy Hash: 51318175A0020DEFDB40EF68C845AFD77BAFF05314F108129F60597291DB799A42CB55

Function 006E8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006E9014
GetDlgCtrlID.USER32 ref: 006E901F
GetParent.USER32 ref: 006E903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 006E903E
GetDlgCtrlID.USER32(?), ref: 006E9047
GetParent.USER32(?), ref: 006E9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9066

Strings

ComboBox, xrefs: 006E8F9C
ListBox, xrefs: 006E8FD1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4de8dc54c313ecb332077272e2cc899d19d2f84453f41ad793643bf2e2d5a59d
Instruction ID: 23afc22c8be4d9089ef553fcdafa5b53c72aac53480ba32927a7aff4d8b621df
Opcode Fuzzy Hash: 4de8dc54c313ecb332077272e2cc899d19d2f84453f41ad793643bf2e2d5a59d
Instruction Fuzzy Hash: 1621D670A00348BBDF05ABA5CC85EFEBB7AEF49310F104119F921972E1DB795819DB24

Function 006E907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006E90FD
GetDlgCtrlID.USER32 ref: 006E9108
GetParent.USER32 ref: 006E9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9127
GetDlgCtrlID.USER32(?), ref: 006E9130
GetParent.USER32(?), ref: 006E914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 006E914F

Strings

ComboBox, xrefs: 006E9087
ListBox, xrefs: 006E90BC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4df2d299a884746e3f9984e421f47fe806c42f4e682e8dcff735ec47dd040f09
Instruction ID: 32867e5520089961e0f993d72c993103674dfdca9c1ae60a428ba4debf3a90f8
Opcode Fuzzy Hash: 4df2d299a884746e3f9984e421f47fe806c42f4e682e8dcff735ec47dd040f09
Instruction Fuzzy Hash: 7A21C574A01348BBDF15ABA5CC85EFEBB7AEF48300F10801AF911972A1DB795819DB24

Function 006E9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006E916F
GetClassNameW.USER32(00000000,?,00000100), ref: 006E9184
_wcscmp.LIBCMT ref: 006E9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006E9211

Strings

largeicons, xrefs: 006E91A5
list, xrefs: 006E91F3
details, xrefs: 006E91BF
smallicons, xrefs: 006E91D9
SHELLDLL_DefView, xrefs: 006E9190

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b6a0222780e50b56b1e04e2eff55c61808e4d49143e5124ced2b3807ac9668d3
Instruction ID: bc62d5ab38e82830fd417bc0f9bcec811853f6cfbc748022132160914ec90f61
Opcode Fuzzy Hash: b6a0222780e50b56b1e04e2eff55c61808e4d49143e5124ced2b3807ac9668d3
Instruction Fuzzy Hash: 2C1150B624D387BDFE142626EC17DE7379E9F05320B200016FA00A41D1FF6669525668

Function 006F7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 006F7A6C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5be7fbcbbe08f326d9c0e05d25891407907c36de3133f4eb396086bd0c1760e0
Instruction ID: 51990767acf66374df3d27e9f2d29b552e3452704fd9929d2fc16f9a25c74178
Opcode Fuzzy Hash: 5be7fbcbbe08f326d9c0e05d25891407907c36de3133f4eb396086bd0c1760e0
Instruction Fuzzy Hash: CAB18B7190420E9FDB00DFA8D885BFEB7B6EF09321F244429EA11E7291D734A941CBA4

Function 006F11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006F11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F1204
GetWindowThreadProcessId.USER32(00000000), ref: 006F120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 006F122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F12BC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ed9c764da97b5286ba57108cd7b0c219500a8bcfbbd94f6d73f2bca5b6f0293e
Instruction ID: cc1d995471b594f83da0c28e7b842a83d6de4a3b8080ab4e0d4042737b0c6cd9
Opcode Fuzzy Hash: ed9c764da97b5286ba57108cd7b0c219500a8bcfbbd94f6d73f2bca5b6f0293e
Instruction Fuzzy Hash: 35315475A00308FBDB10DF94EC44BF977AAAB56362F50C115FA05DB2E0D7B89E808B54

Function 0069FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0069FAA6
OleUninitialize.OLE32(?,00000000), ref: 0069FB45
UnregisterHotKey.USER32(?), ref: 0069FC9C
DestroyWindow.USER32(?), ref: 006D45D6
FreeLibrary.KERNEL32(?), ref: 006D463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006D4668

Strings

close all, xrefs: 0069FAA1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e938587d72700cb142dbbbfcd02bc86b1736fa07c6414e6665d46d74352d062b
Instruction ID: 24c007ea3e73fb1ba9cbc78c83bc8f55a4bb87e6b21409cf82c7a87759962500
Opcode Fuzzy Hash: e938587d72700cb142dbbbfcd02bc86b1736fa07c6414e6665d46d74352d062b
Instruction Fuzzy Hash: FBA16A30701212CFDB69EF14C595AA9F76AAF05710F1582AEE80AAB761DF30EC16CF54

Function 00709113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00709167
VariantInit.OLEAUT32(?), ref: 00709238
VariantInit.OLEAUT32(?), ref: 00709339
VariantClear.OLEAUT32(?), ref: 00709343
VariantClear.OLEAUT32(?), ref: 007093A0

Strings

,,r, xrefs: 007091E5
Null Object assignment in FOR..IN loop, xrefs: 007091C8, 007092F6, 007093AE
Incorrect Object type in FOR..IN loop, xrefs: 0070931C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,r$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2506191893
Opcode ID: 81b78619a8ae992e8bcd6ad5501a0b8ce29432d042c51d9d558ca99665a1b246
Instruction ID: 34ea8a09cfc8e999212274f7e83218e3d597b3db4feec6824a3f6b57f59f8ca1
Opcode Fuzzy Hash: 81b78619a8ae992e8bcd6ad5501a0b8ce29432d042c51d9d558ca99665a1b246
Instruction Fuzzy Hash: 1F918E71A00219EBDF24DFA5C848FAEB7B8EF45710F108619FA15AB2C1D7789945CFA0

Function 006EA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,006EA439), ref: 006EA377

Strings

CLASSNN, xrefs: 006EA119
INSTANCE, xrefs: 006EA285
NAME, xrefs: 006EA1A9
TEXT, xrefs: 006EA2AE
CLASS, xrefs: 006EA0F6
REGEXPCLASS, xrefs: 006EA13C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 93df37cd5e3aa88566b909babbd088949008de56f3bf2e9c92457352a3a236bb
Instruction ID: 5307beff802f74bc9850096b52263c6e601c9afe1b0d01924e58d69a55b72619
Opcode Fuzzy Hash: 93df37cd5e3aa88566b909babbd088949008de56f3bf2e9c92457352a3a236bb
Instruction Fuzzy Hash: 1E91E330601745AEDB48EFE1C441BEEFBA7BF04300F54812DE95AA7241DB307A99CBA5

Function 00692E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00692EAE

Part of subcall function 00691DB3: GetClientRect.USER32(?,?), ref: 00691DDC
Part of subcall function 00691DB3: GetWindowRect.USER32(?,?), ref: 00691E1D
Part of subcall function 00691DB3: ScreenToClient.USER32(?,?), ref: 00691E45

GetDC.USER32 ref: 006CCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006CCD45
SelectObject.GDI32(00000000,00000000), ref: 006CCD53
SelectObject.GDI32(00000000,00000000), ref: 006CCD68
ReleaseDC.USER32(?,00000000), ref: 006CCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006CCDFB

Strings

U, xrefs: 006CCCD0

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7d22232d72cb259713bbf59b836cce2fecdfbe4e729aee86c15e9c48264a27e5
Instruction ID: e378ebc4df6fb053eac382d41150bce9131d5d75e825cf8abfc8d3b7885c10bf
Opcode Fuzzy Hash: 7d22232d72cb259713bbf59b836cce2fecdfbe4e729aee86c15e9c48264a27e5
Instruction Fuzzy Hash: DF71A231500205EFCF218F64C894EFA7BB6FF49320F14826EED5A5A2A6D7309891DB60

Function 00701A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00701A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00701A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00701ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00701AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00701B10
InternetCloseHandle.WININET(00000000), ref: 00701B57

Part of subcall function 00702483: GetLastError.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 00702498
Part of subcall function 00702483: SetEvent.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 007024AD

Strings

, xrefs: 00701B01

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8e8bdba6c0ef2cb5ce04b8e5a7d6db5747c276378063cc8e3dac04f70e30d4c4
Instruction ID: 0d98623e5f9e6f8015bc73bf82563328a1a354c8b4fa23a6fe59d2e118005d23
Opcode Fuzzy Hash: 8e8bdba6c0ef2cb5ce04b8e5a7d6db5747c276378063cc8e3dac04f70e30d4c4
Instruction Fuzzy Hash: 98414FB1501218FFEB129F64CC89FFA77ACEB08354F408226F9059A1C1E7789E449BA4

Function 00708C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0071F910), ref: 00708D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0071F910), ref: 00708D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00708ED6
SysFreeString.OLEAUT32(?), ref: 00708F00

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c1e436f4743a31613baf3372ffd4c8badf65dea07a47bb7b8587f55fc85f4a78
Instruction ID: 35793ca80dd6b0994b4d625e73f4cf55a27757bdac69523e503a2b46c6e1fe60
Opcode Fuzzy Hash: c1e436f4743a31613baf3372ffd4c8badf65dea07a47bb7b8587f55fc85f4a78
Instruction Fuzzy Hash: 13F17C71A00209EFDF44DF94C884EAEB7BAFF48314F108198F945AB291DB35AE45CB61

Function 0070F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0070FA7C
CloseHandle.KERNEL32(?), ref: 0070FAAB
CloseHandle.KERNEL32(?), ref: 0070FB22

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: b7b562134f730df1746263e2908f01133a46c69fb6dba7baa527cd1d844b7cc6
Instruction ID: 9643f066e4f98d4858f611989c38abe196314d7a9e27ec55b850e11d10333934
Opcode Fuzzy Hash: b7b562134f730df1746263e2908f01133a46c69fb6dba7baa527cd1d844b7cc6
Instruction Fuzzy Hash: 58E1B071204301DFCB64EF24C891A6ABBE6AF85314F14866DF8998B6E1CB35EC41CB56

Function 006F4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F3697,?), ref: 006F468B

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F3697,?), ref: 006F46A4

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

lstrcmpiW.KERNEL32(?,?), ref: 006F4D40
_wcscmp.LIBCMT ref: 006F4D5A
MoveFileW.KERNEL32(?,?), ref: 006F4D75

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: dad6b095306be9c77c36dd410d5bccbbcbc751ac61d220976578da79d227f18a
Instruction ID: 401ff29607110f97c21a0758dca5e31afc064dfde43a78ce7f49d8f9a7633b67
Opcode Fuzzy Hash: dad6b095306be9c77c36dd410d5bccbbcbc751ac61d220976578da79d227f18a
Instruction Fuzzy Hash: E5518AB21083895BC765DB64D881DEF73EDAF85350F00492EF289D3551EF34A688C75A

Function 00718645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007186FF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 47deb86b98c3ba13f25a893b9da4e01e57475f7f016c51c57f762c493629e5a4
Instruction ID: 8cf7a9bb5d7cd47c1fd167aa6c0458f13d4dcdcbd83a4a407073c14bd28041c7
Opcode Fuzzy Hash: 47deb86b98c3ba13f25a893b9da4e01e57475f7f016c51c57f762c493629e5a4
Instruction Fuzzy Hash: 2751AF30510244BEEFA09B6CCC89FE93BA5AB05720F704216F910E61E1DB7DE9C0CB56

Function 00692B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006CC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006CC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006CC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006CC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006CC370
DestroyIcon.USER32(00000000), ref: 006CC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006CC39C
DestroyIcon.USER32(?), ref: 006CC3AB

Part of subcall function 0071A4AF: DeleteObject.GDI32(00000000), ref: 0071A4E8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 873130f321b8de9a356ce005524e92646a66594d2ae39181f6b051b2fc1f1f0b
Instruction ID: 98753c2df33356369a25b3919813a23783362371f639bde429927c2509a2b55b
Opcode Fuzzy Hash: 873130f321b8de9a356ce005524e92646a66594d2ae39181f6b051b2fc1f1f0b
Instruction Fuzzy Hash: B7514A70600206EFDF20DF68DC55FAA37EAEB54320F10852DF90697690D7B4A991DB94

Function 006E966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA84C
Part of subcall function 006EA82C: GetCurrentThreadId.KERNEL32 ref: 006EA853
Part of subcall function 006EA82C: AttachThreadInput.USER32(00000000,?,006E9683,?,00000001), ref: 006EA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 006E968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006E96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006E96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006E96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006E96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006E96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E96FB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1a2cf19ab4f7bc533ca2fd7d369353b1c126091834afe0db377ae7aa8b1fceb5
Instruction ID: efacb8d2abcd5229bade6793797296b6d5fc66a0896001e4fc1bde93e34ef366
Opcode Fuzzy Hash: 1a2cf19ab4f7bc533ca2fd7d369353b1c126091834afe0db377ae7aa8b1fceb5
Instruction Fuzzy Hash: DE11E571910618BEF6106F65DC49FAA3F1EEB4C750F108429F244AB0E0C9F25C10DAB8

Function 006E8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006E853C,00000B00,?,?), ref: 006E892A
HeapAlloc.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E853C,00000B00,?,?), ref: 006E8946
GetCurrentProcess.KERNEL32(?,00000000,?,006E853C,00000B00,?,?), ref: 006E894E
DuplicateHandle.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006E853C,00000B00,?,?), ref: 006E8961
GetCurrentProcess.KERNEL32(006E853C,00000000,?,006E853C,00000B00,?,?), ref: 006E8969
DuplicateHandle.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E896C
CreateThread.KERNEL32(00000000,00000000,006E8992,00000000,00000000,00000000), ref: 006E8986

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e8ae9ebe34fe32be535aef3ff64b86083e17cb8c95a294794d22471bf1e547ea
Instruction ID: 12d7008a925920e7139f5068b770cb4378d4960bd45147a4237b3a15519c2560
Opcode Fuzzy Hash: e8ae9ebe34fe32be535aef3ff64b86083e17cb8c95a294794d22471bf1e547ea
Instruction Fuzzy Hash: 7401ACB5640348FFE610ABA9DC49FAB3B6DEB89711F41C421FA05DB191CA749C009A24

Function 00709B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00709BA4, 00709EC8
Not an Object type, xrefs: 00709B7B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4de7dd421ddf1df6062a553b5ca1a9e1b60484cb31be2a8ed54749064899fc44
Instruction ID: 4deab19170bfd62a331397ef0d6809a76034e213ca61ada0b26a264dfc760885
Opcode Fuzzy Hash: 4de7dd421ddf1df6062a553b5ca1a9e1b60484cb31be2a8ed54749064899fc44
Instruction Fuzzy Hash: 3DC172B1A00219DBDF10DF68D884AAEB7F5FB48314F148669EA05A72C2E774AD45CB60

Function 0070975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 006E710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?,?,006E7455), ref: 006E7127
Part of subcall function 006E710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7142
Part of subcall function 006E710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7150
Part of subcall function 006E710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?), ref: 006E7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00709806
_memset.LIBCMT ref: 00709813
_memset.LIBCMT ref: 00709956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00709982
CoTaskMemFree.OLE32(?), ref: 0070998D

Strings

NULL Pointer assignment, xrefs: 007099DB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f02c82f9f0b5ef86a9910c99dc6d1d7a31ca6fb41b20180eb30e786189364c4b
Instruction ID: ba2f941c005ef0996d195c0a7cc31e90806cb2d148b2698a7d7ac1fee75c6038
Opcode Fuzzy Hash: f02c82f9f0b5ef86a9910c99dc6d1d7a31ca6fb41b20180eb30e786189364c4b
Instruction Fuzzy Hash: 86913871D00229EBDF10DFA5DC41EDEBBB9AF48310F10815AF519A7291EB75AA44CFA0

Function 00716D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00716E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00716E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00716E52
_wcscat.LIBCMT ref: 00716EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00716EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00716EF2

Strings

SysListView32, xrefs: 00716DF6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8e34254790418f5cda614e3d56ad30441b9885aa9f5897bf79b30f74ed085240
Instruction ID: dc2724c928bb8470eb41e8d074704e8875fa6c4676cde1940b565c1e43b17fa8
Opcode Fuzzy Hash: 8e34254790418f5cda614e3d56ad30441b9885aa9f5897bf79b30f74ed085240
Instruction Fuzzy Hash: 6A419E74A00348EBDF219F68CC85BEA77E9EF08350F10452AF984A72D1D6799DC88B64

Function 0070E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 006F3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 006F3C7A
Part of subcall function 006F3C55: Process32FirstW.KERNEL32(00000000,?), ref: 006F3C88
Part of subcall function 006F3C55: CloseHandle.KERNEL32(00000000), ref: 006F3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070E9A4
GetLastError.KERNEL32 ref: 0070E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0070EA63
GetLastError.KERNEL32(00000000), ref: 0070EA6E
CloseHandle.KERNEL32(00000000), ref: 0070EAA3

Strings

SeDebugPrivilege, xrefs: 0070E9C2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a7fdbbe4d6a81622d35d56c50edac61b6a737529b6ed0b3933a05cacb448d679
Instruction ID: 78b0cf2cfa3b06736dd495b39459c9b084ed37154ee358bda4e8e31089dbcadf
Opcode Fuzzy Hash: a7fdbbe4d6a81622d35d56c50edac61b6a737529b6ed0b3933a05cacb448d679
Instruction Fuzzy Hash: AE418A713002019FDB15EF18CC95BAEB7E6AF45310F14C95CF9469B2D2DB79A804CB9A

Function 006F2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006F3033

Strings

warning, xrefs: 006F301C
info, xrefs: 006F2FD4
stop, xrefs: 006F3004
blank, xrefs: 006F2FB5
question, xrefs: 006F2FEC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2b69aef462c04bd113e4605623df869346802e51295be7788110a0cff49b278d
Instruction ID: c50a7fd48aed6e91d5e5fe04e3635a2831e61957b63fcd6b44394eb30a6cbed8
Opcode Fuzzy Hash: 2b69aef462c04bd113e4605623df869346802e51295be7788110a0cff49b278d
Instruction Fuzzy Hash: F611F37124839FBAE7549A59EC42CFF679D9F15320B20002BFA00A6381DF649F4156A5

Function 006F42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006F4312
LoadStringW.USER32(00000000), ref: 006F4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006F432F
LoadStringW.USER32(00000000), ref: 006F4336
_wprintf.LIBCMT ref: 006F435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006F437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006F4357

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: f1753738ce0b21a53c5b3e41f6fdb2a954c94b5b5a81726194d87f480b0b93b2
Instruction ID: c282b16699cdc3fe2e7a7f6dc6c7e3eae1192aec17874844d8627c4e1bdbd0e9
Opcode Fuzzy Hash: f1753738ce0b21a53c5b3e41f6fdb2a954c94b5b5a81726194d87f480b0b93b2
Instruction Fuzzy Hash: 380171F290020CBFD751A7949D89EE6766CD708300F0081A1FB05E2091EA785E854B74

Function 0071D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetSystemMetrics.USER32(0000000F), ref: 0071D47C
GetSystemMetrics.USER32(0000000F), ref: 0071D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0071D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0071D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0071D716
ShowWindow.USER32(00000003,00000000), ref: 0071D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0071D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0071D77D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d64833fc6d6cc9ba507fddf96f1fdad447ac3e49080d95d4ee3f26795fc3048f
Instruction ID: 118a959a938f1350613ccbdb319a65b34f29101727ce0671cb59e2f48af6104c
Opcode Fuzzy Hash: d64833fc6d6cc9ba507fddf96f1fdad447ac3e49080d95d4ee3f26795fc3048f
Instruction Fuzzy Hash: B9B15775600229EBDF24CF6CC9957E97BB1BF08711F08C169EC489A295D778AD90CFA0

Function 00692A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 00692ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00692B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 006CC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 006CC286

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e9d77d75c9873072b62870ba10d35a7ac9fd0beaa29ef93a8451d2f30bad72c3
Instruction ID: 64cea03d6589147a9d79f8835632bb255dda2bd2807ca58bfcbac44e3029778e
Opcode Fuzzy Hash: e9d77d75c9873072b62870ba10d35a7ac9fd0beaa29ef93a8451d2f30bad72c3
Instruction Fuzzy Hash: 1541DD32604A81BACF358B288CACBFB7B9BEB55314F54C41DE04786EA1C679A946D710

Function 006F70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006F70DD

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006F7114
EnterCriticalSection.KERNEL32(?), ref: 006F7130
_memmove.LIBCMT ref: 006F717E
_memmove.LIBCMT ref: 006F719B
LeaveCriticalSection.KERNEL32(?), ref: 006F71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006F71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006F71DE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b73c2b35cd72cd6475e5c288c5b0630eadc6e2240354790ea07967b5d4c27fda
Instruction ID: 1e699d15b1be2f54bd90bf61493c12c4f6c14519dbed44ac802c64fef3002611
Opcode Fuzzy Hash: b73c2b35cd72cd6475e5c288c5b0630eadc6e2240354790ea07967b5d4c27fda
Instruction Fuzzy Hash: A7316E71900205EBDB40DFA8DC85AEFBB79FF45310F1481B9E904AB286DB34DA55CB64

Function 007161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007161EB
GetDC.USER32(00000000), ref: 007161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007161FE
ReleaseDC.USER32(00000000,00000000), ref: 0071620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00716246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00716257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0071902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00716291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007162B1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b079fcb51907fcef59a38ad07da7752d9072b86691c2f4bf0b1d439ac214aaf6
Instruction ID: 13cb825582aab943a7c8d5d7feb8780a68ce440978492ec67f8e676b6c5310f4
Opcode Fuzzy Hash: b079fcb51907fcef59a38ad07da7752d9072b86691c2f4bf0b1d439ac214aaf6
Instruction Fuzzy Hash: C1314F72101214BFEF118F58DC8AFEA3BA9FF49765F048065FE089A1D1D6799C41CB64

Function 006EBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 006EBBC4
_memcmp.LIBCMT ref: 006EBBE6
_memcmp.LIBCMT ref: 006EBBFE
_memcmp.LIBCMT ref: 006EBC11
_memcmp.LIBCMT ref: 006EBC2B
_memcmp.LIBCMT ref: 006EBC3E
_memcmp.LIBCMT ref: 006EBC56
_memcmp.LIBCMT ref: 006EBC71

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a0f8e4f98b456bbeb9cc4573ca7fc5ad80e41b16bdf9f2d09e56435e8d930cfe
Instruction ID: e1d660dcc52f6fe42989f4c829427fa9e5097f8fa6bcb44e6fa07962e97cc94d
Opcode Fuzzy Hash: a0f8e4f98b456bbeb9cc4573ca7fc5ad80e41b16bdf9f2d09e56435e8d930cfe
Instruction Fuzzy Hash: C72143F13063557BE2006612AD52FFB739F9E01748F185424FD049A343EF28CE5286E4

Function 006FEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

_wcstok.LIBCMT ref: 006FEC94
_wcscpy.LIBCMT ref: 006FED23
_memset.LIBCMT ref: 006FED56

Strings

X, xrefs: 006FED93

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 73e550f0331c2dbe56c71697c6ed2ef1a0c010dc647b64cb3fed726e63122da5
Instruction ID: e3c17126926c3aff4f17a979471595ddb40f6cfbdb77c53ca58957974a006fa8
Opcode Fuzzy Hash: 73e550f0331c2dbe56c71697c6ed2ef1a0c010dc647b64cb3fed726e63122da5
Instruction Fuzzy Hash: 77C1B3705083449FCB94EF24C841AAABBE6FF85310F00492DF999877A2DB31EC45CB56

Function 00691424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2682077bb806cb7e71ef99a02f2805f97d2334584a1d8765f42f4b8f66310f5
Instruction ID: f86fa98d22123a133208edec5d7ee49c5106d69a33be231effd553be0b66a08e
Opcode Fuzzy Hash: d2682077bb806cb7e71ef99a02f2805f97d2334584a1d8765f42f4b8f66310f5
Instruction Fuzzy Hash: C2714C7090010AEFCF049F98CC45EFEBBBAFF8A714F248159F915AA251C734AA51CB64

Function 00706B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd4291bbe103a3e7759262e3a781ad870893a2c65bb3863f7d43bf1b93e68fd
Instruction ID: a105cf9845d518380e3e051eeaf65e9f27dc979d1445ab23f9f8d458e78354df
Opcode Fuzzy Hash: 9fd4291bbe103a3e7759262e3a781ad870893a2c65bb3863f7d43bf1b93e68fd
Instruction Fuzzy Hash: 2361D171204300AFDB50EB24CC92EAFB7EAAF94714F104A1DF5469B2D2DA74ED04C796

Function 0071B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01015698), ref: 0071B3EB
IsWindowEnabled.USER32(01015698), ref: 0071B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0071B4DB
SendMessageW.USER32(01015698,000000B0,?,?), ref: 0071B512
IsDlgButtonChecked.USER32(?,?), ref: 0071B54F
GetWindowLongW.USER32(01015698,000000EC), ref: 0071B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0071B589

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e1670364bd8c59ddc82c33017b12c2e5fcac54e1040a9fdcf459fa95c450f1bd
Instruction ID: f706dfdb321bbf4018bb0ac22f1439d8ac029b7612f84cef79c0849d9b2fb956
Opcode Fuzzy Hash: e1670364bd8c59ddc82c33017b12c2e5fcac54e1040a9fdcf459fa95c450f1bd
Instruction Fuzzy Hash: 8B719C38600244EFDB209FA9C894FFA7BB9EF09310F148069ED55972E2C779AD90CB50

Function 0070F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070F448
_memset.LIBCMT ref: 0070F511
ShellExecuteExW.SHELL32(?), ref: 0070F556

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

GetProcessId.KERNEL32(00000000), ref: 0070F5CD
CloseHandle.KERNEL32(00000000), ref: 0070F5FC

Strings

@, xrefs: 0070F525

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 700d3a92f87019d79247b1c01264190ca5d48a84243c514e8adb7135029146e5
Instruction ID: 26cb24fd5de850358d5fcf44b5bd5034a2040b0f81d7d5c2bf8e49229de8797f
Opcode Fuzzy Hash: 700d3a92f87019d79247b1c01264190ca5d48a84243c514e8adb7135029146e5
Instruction Fuzzy Hash: 14618B71A00619DFCF14DF68C8819AEBBFAFF49310B10856DE815ABB91DB34AD41CB94

Function 006F0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006F0F8C
GetKeyboardState.USER32(?), ref: 006F0FA1
SetKeyboardState.USER32(?), ref: 006F1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 006F1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 006F104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006F1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006F10B8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
Instruction ID: 15f0e1deaaea3e8d1190dc4a39936bde332fac40fe5e173c4649a91b85309ce7
Opcode Fuzzy Hash: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
Instruction Fuzzy Hash: A05113605047D9BDFB3282348C05BF6BEAB5B07344F08858DE2D58A9C3CA98DCC5D750

Function 006F0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006F0DA5
GetKeyboardState.USER32(?), ref: 006F0DBA
SetKeyboardState.USER32(?), ref: 006F0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006F0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006F0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006F0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006F0EC9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
Instruction ID: a4115f59cd0684b45347835aef03d05bb6f81a84828d1253eb371535368de651
Opcode Fuzzy Hash: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
Instruction Fuzzy Hash: A451D4A06487D97DFB3283648C55BFABEAA6F06300F088889E2D44A5C3D395EC98D750

Function 006F55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006F560A
_wcsncpy.LIBCMT ref: 006F563F
_wcsncpy.LIBCMT ref: 006F5671
_wcsncpy.LIBCMT ref: 006F56A4
_wcsncpy.LIBCMT ref: 006F56E6
_wcsncpy.LIBCMT ref: 006F5720
_wcsncpy.LIBCMT ref: 006F574F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 02995e83a3c178e9bedf599d0cd07ab435b57c5dcacb407ae585322bb1d2101e
Instruction ID: 9e41daa15a6dad246ca17533b602af1282c3003868e06fee2d2538dce3849823
Opcode Fuzzy Hash: 02995e83a3c178e9bedf599d0cd07ab435b57c5dcacb407ae585322bb1d2101e
Instruction Fuzzy Hash: 8D41D8A6C1021876CB51FBB48C469DFB3BA9F04310F50855AE615E3221FB34A685C7EE

Function 006ED56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006ED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006ED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006ED69D

Strings

,,r, xrefs: 006ED578
DllGetClassObject, xrefs: 006ED610

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,r$DllGetClassObject
API String ID: 753597075-4218317632
Opcode ID: 05f122d309c96627314a07a8181e218d8cfb3125eb8106815fb8e566cd2f461d
Instruction ID: fd375ff123315b053f56117fc5b761604c9fa6253369fbec8dff5659aed0d82e
Opcode Fuzzy Hash: 05f122d309c96627314a07a8181e218d8cfb3125eb8106815fb8e566cd2f461d
Instruction Fuzzy Hash: 4141ACB1602354EFDB04CF25C884A9ABBAAEF44310F1181ADEC099F246D7B5D940CBA4

Function 006F3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F3697,?), ref: 006F468B

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F3697,?), ref: 006F46A4

lstrcmpiW.KERNEL32(?,?), ref: 006F36B7
_wcscmp.LIBCMT ref: 006F36D3
MoveFileW.KERNEL32(?,?), ref: 006F36EB
_wcscat.LIBCMT ref: 006F3733
SHFileOperationW.SHELL32(?), ref: 006F379F

Strings

\*.*, xrefs: 006F372D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e20576511cdd98ec92ecfc115d43d9d374d97b3bb4d624ca7b49e73b180ee5b4
Instruction ID: 465dd4096af47b5fb489998876169397533c6dde628ce8325127e38a73446231
Opcode Fuzzy Hash: e20576511cdd98ec92ecfc115d43d9d374d97b3bb4d624ca7b49e73b180ee5b4
Instruction Fuzzy Hash: FA4183B1508348AEC792EF64C441AEF77E9AF89340F00092EF599C7351EB34D689C75A

Function 00717291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717351
IsMenu.USER32(?), ref: 00717369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007173B1
DrawMenuBar.USER32 ref: 007173C4

Strings

0, xrefs: 0071729E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: fb6c28a95fd9a89f22af012a204f7b6508fccbb833fa5b5dbf5b8a2866cc16fc
Instruction ID: 8b5f867f2f83343a0dcb86097c07c6dc8fd7eb92aecac0308b9d05d90a717b26
Opcode Fuzzy Hash: fb6c28a95fd9a89f22af012a204f7b6508fccbb833fa5b5dbf5b8a2866cc16fc
Instruction Fuzzy Hash: DA413875A04249EFDB24DF58D884ADABBF9FB08310F14852AFD2597290D738AD90DF60

Function 00710FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00710FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00710FFE
FreeLibrary.KERNEL32(00000000), ref: 007110B5

Part of subcall function 00710FA5: RegCloseKey.ADVAPI32(?), ref: 0071101B
Part of subcall function 00710FA5: FreeLibrary.KERNEL32(?), ref: 0071106D
Part of subcall function 00710FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00711090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00711058

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e4e32418c5dacfd6dae0c0f67c86b4d76ae2bf80c5688c3dd571504bf4d03ab2
Instruction ID: d392ce0c417e42e9ebdccecc1125ecd1d3e0d12a55ed1679386a03c2baf17401
Opcode Fuzzy Hash: e4e32418c5dacfd6dae0c0f67c86b4d76ae2bf80c5688c3dd571504bf4d03ab2
Instruction Fuzzy Hash: 87310C71D01109FFDB25DB98DC89AFFB7BCEF08300F404169E605A6191EA789EC59AA4

Function 007162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007162EC
GetWindowLongW.USER32(01015698,000000F0), ref: 0071631F
GetWindowLongW.USER32(01015698,000000F0), ref: 00716354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00716386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007163DB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5691e03b6b51c0464b118457de3a7826c5127a294456614345c9f8e931a28482
Instruction ID: 77c1446b033c24ef3b9c38361bee80abc75dc79a74c88beb63a19ecb4eb969ef
Opcode Fuzzy Hash: 5691e03b6b51c0464b118457de3a7826c5127a294456614345c9f8e931a28482
Instruction Fuzzy Hash: 7731FE30644250EFDB20CF1DDC84F9837E1BB4A715F1981A8F9219B2F2CB7AA8809B54

Function 006EDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDB54
SysAllocString.OLEAUT32(00000000), ref: 006EDB57
SysAllocString.OLEAUT32(?), ref: 006EDB75
SysFreeString.OLEAUT32(?), ref: 006EDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 006EDBA3
SysAllocString.OLEAUT32(?), ref: 006EDBB1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 58a99d063a5ad629567fb0b428b76359b42278f506fcd6869c6359e88cdd5ffb
Instruction ID: af63ab431f2592e03d6578c0ce5b07725ae3f1c5aff67394d46e3d6dea0b9dad
Opcode Fuzzy Hash: 58a99d063a5ad629567fb0b428b76359b42278f506fcd6869c6359e88cdd5ffb
Instruction Fuzzy Hash: BF218EB6601259AFAF10DFA9DC88CFB77ADEB09360B01C529FD14DB2A0E6749C418764

Function 00706173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00707D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00707DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007061C6
WSAGetLastError.WSOCK32(00000000), ref: 007061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0070620E
connect.WSOCK32(00000000,?,00000010), ref: 00706217
WSAGetLastError.WSOCK32 ref: 00706221
closesocket.WSOCK32(00000000), ref: 0070624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706263

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: b561d6d2369d198dbfc38d647bdb890b3c853342726145e4953e8115637c6683
Instruction ID: f0d612537497207d94e017398c9f72cb70444040efb572bd26e26634b145b8a6
Opcode Fuzzy Hash: b561d6d2369d198dbfc38d647bdb890b3c853342726145e4953e8115637c6683
Instruction Fuzzy Hash: 66319E71600108EBDF10AF28CC95BBA7BEDEB45760F04812DF905A72D1DB78AC548AA5

Function 006EF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006EF671
__wcsnicmp.LIBCMT ref: 006EF692
__wcsnicmp.LIBCMT ref: 006EF6AC

Strings

#OnAutoItStartRegister, xrefs: 006EF6A6
#requireadmin, xrefs: 006EF68C
#notrayicon, xrefs: 006EF669

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 6f5e27b532be1a028da15b68ebf3e719674f9b844974060ec80f9b5ed43e0f9d
Instruction ID: 92d3f7b0b4139e0153f14791a53a7e2a5433342dc4863ef60a6cb6aafead30c4
Opcode Fuzzy Hash: 6f5e27b532be1a028da15b68ebf3e719674f9b844974060ec80f9b5ed43e0f9d
Instruction Fuzzy Hash: D42137B22067A167DA20A736BC02EE773DBEF56350F50403DF44686251EBA19D82D399

Function 006EDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDC2F
SysAllocString.OLEAUT32(00000000), ref: 006EDC32
SysAllocString.OLEAUT32 ref: 006EDC53
SysFreeString.OLEAUT32 ref: 006EDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 006EDC76
SysAllocString.OLEAUT32(?), ref: 006EDC84

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bd69ad0020a403550ad094a41610a6d3ea987ea281b028862b3730f72203df0c
Instruction ID: 15407c3de90d9ac0a337c00fb58baaee6a5cb7e63720e220232020b30334edc1
Opcode Fuzzy Hash: bd69ad0020a403550ad094a41610a6d3ea987ea281b028862b3730f72203df0c
Instruction Fuzzy Hash: B9216075605244AFAB10DBADDC88DEB77ADEB08760B10C125FD14CB2A0DAB4EC41C768

Function 007175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00717632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0071763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0071764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00717659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00717665

Strings

Msctls_Progress32, xrefs: 00717603

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c6d09ff0905554609db88a51251a92f8db5454599b690d3e12d9c29cf12a9cd8
Instruction ID: afda9e763c3e15f52ab2b8ed3076ed14f787dfd99fcb8bdbed5a96869032c9cb
Opcode Fuzzy Hash: c6d09ff0905554609db88a51251a92f8db5454599b690d3e12d9c29cf12a9cd8
Instruction Fuzzy Hash: D311B6B1150219BFEF158F68CC85EE77F6DEF08798F114114F604A6090C7769C61DBA4

Function 006B9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 006B9AE6

Part of subcall function 006B3187: EncodePointer.KERNEL32(00000000), ref: 006B318A
Part of subcall function 006B3187: __initp_misc_winsig.LIBCMT ref: 006B31A5
Part of subcall function 006B3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006B9EA0
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006B9EB4
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006B9EC7
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006B9EDA
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006B9EED
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006B9F00
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 006B9F13
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006B9F26
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 006B9F39
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006B9F4C
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006B9F5F
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006B9F72
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006B9F85
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006B9F98
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006B9FAB
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006B9FBE

__mtinitlocks.LIBCMT ref: 006B9AEB
__mtterm.LIBCMT ref: 006B9AF4

Part of subcall function 006B9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,006B9AF9,006B7CD0,0074A0B8,00000014), ref: 006B9C56
Part of subcall function 006B9B5C: _free.LIBCMT ref: 006B9C5D
Part of subcall function 006B9B5C: DeleteCriticalSection.KERNEL32(02u,?,?,006B9AF9,006B7CD0,0074A0B8,00000014), ref: 006B9C7F

__calloc_crt.LIBCMT ref: 006B9B19
__initptd.LIBCMT ref: 006B9B3B
GetCurrentThreadId.KERNEL32 ref: 006B9B42

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 6b4bcd5d647d5d1a01444176f2d01443b63289bb690b96fa4cc9e84d2534e0d8
Instruction ID: f8110212f0b758c187a2270f7ff4b370c33ec54baf435c2437a6dfad159ae8bb
Opcode Fuzzy Hash: 6b4bcd5d647d5d1a01444176f2d01443b63289bb690b96fa4cc9e84d2534e0d8
Instruction Fuzzy Hash: 17F096B25197116AE6B47775BC036CB36979F02734F204A1EF754C62D2EF1094C14779

Function 0071B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071B644
_memset.LIBCMT ref: 0071B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00756F20,00756F64), ref: 0071B682
CloseHandle.KERNEL32 ref: 0071B694

Strings

dou, xrefs: 0071B64D
ou, xrefs: 0071B63E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: ou$dou
API String ID: 3277943733-952475036
Opcode ID: 334c0669c75ccb296aee165a0f028efc9e0b860716d17d451857f8cace628aa7
Instruction ID: 9f9469b6af089161bde6d36cc479db894cfa6ae6835ad29070c20fe3f33e8eea
Opcode Fuzzy Hash: 334c0669c75ccb296aee165a0f028efc9e0b860716d17d451857f8cace628aa7
Instruction Fuzzy Hash: 23F05EF29403007AE7102765BC06FFB7A9DEB08396F408430FA09E61E2D7BA4C0087AC

Function 006B406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006B3F85), ref: 006B4085
GetProcAddress.KERNEL32(00000000), ref: 006B408C
EncodePointer.KERNEL32(00000000), ref: 006B4097
DecodePointer.KERNEL32(006B3F85), ref: 006B40B2

Strings

combase.dll, xrefs: 006B4080
RoUninitialize, xrefs: 006B4074

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4bee32a39ab7a350848afb590f746924b023a09f0019f372c9e6b3b22bc479b0
Instruction ID: 9bf69dc713207ee11cd43fbbc52150892a99ff9f30ac7363417a493f985e59c5
Opcode Fuzzy Hash: 4bee32a39ab7a350848afb590f746924b023a09f0019f372c9e6b3b22bc479b0
Instruction Fuzzy Hash: 23E092B0681B04ABEA10AF75EC09BC53AA5BB14783F10C228F511E11F1CBBE8640AB18

Function 006F64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F660B
_memmove.LIBCMT ref: 006F6546

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

_memmove.LIBCMT ref: 006F65B9
_memmove.LIBCMT ref: 006F66A0
_memmove.LIBCMT ref: 006F66B9
_memmove.LIBCMT ref: 006F66D5

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 34dc75f1d360b63ce599dc2d496eca258b29278931950623ef800f25f87fbebb
Instruction ID: 96c956e523bdfc3707cb177b1b50145abf506c5583d1dc050451e94e4311f116
Opcode Fuzzy Hash: 34dc75f1d360b63ce599dc2d496eca258b29278931950623ef800f25f87fbebb
Instruction Fuzzy Hash: D1619D7050025A9BDF41EF64CC82AFE3BAAAF05308F04451DFA556B292DB35ED06CB69

Function 007101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00710320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00710349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0071038C
RegCloseKey.ADVAPI32(00000000), ref: 00710399

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 977925befea7faccba588a5ac8feb172fdfba556a1fd23209c58561a551a106b
Instruction ID: 5a2b9e9994191eed63e50c19037b257a7b4c091b01f41c0c94680b5c55bd6e90
Opcode Fuzzy Hash: 977925befea7faccba588a5ac8feb172fdfba556a1fd23209c58561a551a106b
Instruction Fuzzy Hash: 37516A312082009FDB04EF68C885EAFBBE9FF89314F04491DF455872A2DB75E985CB96

Function 00715799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007157FB
GetMenuItemCount.USER32(00000000), ref: 00715832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0071585A
GetMenuItemID.USER32(?,?), ref: 007158C9
GetSubMenu.USER32(?,?), ref: 007158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00715928

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: dfecc02fc27def2c765edbc6988057ddd2ce5f0b2bc3ebe22c1b34082353bd68
Instruction ID: 1b79c111684a83f9116124dbce9600e34c1b8ec0036cd22e46fde364231b163c
Opcode Fuzzy Hash: dfecc02fc27def2c765edbc6988057ddd2ce5f0b2bc3ebe22c1b34082353bd68
Instruction Fuzzy Hash: 04515F71E00615EFCF15DF68C845AEEB7B5EF48320F104059E801BB391DB74AE818B94

Function 006EEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006EEF06
VariantClear.OLEAUT32(00000013), ref: 006EEF78
VariantClear.OLEAUT32(00000000), ref: 006EEFD3
_memmove.LIBCMT ref: 006EEFFD
VariantClear.OLEAUT32(?), ref: 006EF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006EF078

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: b5b86fa17d7846859e16d91290fe2ef05b137d6e9c6f991a95cf9bfb15c2db5f
Instruction ID: 50da531750bb274cef90c465855bd565ee387c3fed8b2f2f65bde68d68ab1d6d
Opcode Fuzzy Hash: b5b86fa17d7846859e16d91290fe2ef05b137d6e9c6f991a95cf9bfb15c2db5f
Instruction Fuzzy Hash: 5D5178B5A00249EFCB10CF58C890AAAB7B9FF4C310B15856AED49DB341E335E911CFA0

Function 006F220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F22A3
IsMenu.USER32(00000000), ref: 006F22C3
CreatePopupMenu.USER32 ref: 006F22F7
GetMenuItemCount.USER32(000000FF), ref: 006F2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006F2386

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
Instruction ID: b7b83d3fdc385b29bf210fb0f4e2d64b4a21d27ae5acfab4cffe7c71dc8ed411
Opcode Fuzzy Hash: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
Instruction Fuzzy Hash: D0518BB160420EDBDF21CF68C8A8BFDBBE6AF45314F108129EA159B290D7789A45CF51

Function 00691765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0069179A
GetWindowRect.USER32(?,?), ref: 006917FE
ScreenToClient.USER32(?,?), ref: 0069181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069182C
EndPaint.USER32(?,?), ref: 00691876

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 677c69cb454ca61a904303457b51ce41653a0801621a0e120beadce69b46a1bd
Instruction ID: 8a18d0b2960ce274e300d4adba362c6ae536baa9bb54072eed179658a5e831a4
Opcode Fuzzy Hash: 677c69cb454ca61a904303457b51ce41653a0801621a0e120beadce69b46a1bd
Instruction Fuzzy Hash: DE419030100701AFDB10DF24CC84FB67BE9EB56724F148668F5A58B2A1C774A845DB65

Function 0071B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007557B0,00000000,01015698,?,?,007557B0,?,0071B5A8,?,?), ref: 0071B712
EnableWindow.USER32(00000000,00000000), ref: 0071B736
ShowWindow.USER32(007557B0,00000000,01015698,?,?,007557B0,?,0071B5A8,?,?), ref: 0071B796
ShowWindow.USER32(00000000,00000004,?,0071B5A8,?,?), ref: 0071B7A8
EnableWindow.USER32(00000000,00000001), ref: 0071B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0071B7EF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
Instruction ID: 89638a8b0fabc1d7aa2c163c64b299bfd2c12b9f368aa67ba8840eaa113746d0
Opcode Fuzzy Hash: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
Instruction Fuzzy Hash: 87414C34604240AFDB26CF28C499BD47BE1FB45310F5881AAE9488F6E2C739A896CB51

Function 0070709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00704E41,?,?,00000000,00000001), ref: 007070AC

Part of subcall function 007039A0: GetWindowRect.USER32(?,?), ref: 007039B3

GetDesktopWindow.USER32 ref: 007070D6
GetWindowRect.USER32(00000000), ref: 007070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0070710F

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

GetCursorPos.USER32(?), ref: 0070713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00707199

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ea387c2b92d303a2ef120c0fed89e2a67e0ec3939c0964ea725a27719fe31e28
Instruction ID: 77f64105e715cd125cbb72c73fafc1e1035d514b354ac33f0c178d62d2497b18
Opcode Fuzzy Hash: ea387c2b92d303a2ef120c0fed89e2a67e0ec3939c0964ea725a27719fe31e28
Instruction Fuzzy Hash: 0C31F272508309EBC724DF14C849B9BB7EAFFC8304F004A19F595971D1CA38EA19CB96

Function 006E8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E80C0
Part of subcall function 006E80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E80CA
Part of subcall function 006E80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E80D9
Part of subcall function 006E80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E80E0
Part of subcall function 006E80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E80F6

GetLengthSid.ADVAPI32(?,00000000,006E842F), ref: 006E88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006E88D6
HeapAlloc.KERNEL32(00000000), ref: 006E88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006E88F6
GetProcessHeap.KERNEL32(00000000,00000000,006E842F), ref: 006E890A
HeapFree.KERNEL32(00000000), ref: 006E8911

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: db0527703e71859d9e40a455707a8388702e06bff3afaf941e310680ac8cb814
Instruction ID: b8feae2b25d9a3c2287c88c390bfdd067bd8cd86f4222d44e5baad12db951d9c
Opcode Fuzzy Hash: db0527703e71859d9e40a455707a8388702e06bff3afaf941e310680ac8cb814
Instruction Fuzzy Hash: 3E11B131902309FFDB109FA9DC09BFE77AAEB44311F10C168E84997251DB369D04DB60

Function 006E85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006E85E2
OpenProcessToken.ADVAPI32(00000000), ref: 006E85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006E85F8
CloseHandle.KERNEL32(00000004), ref: 006E8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 006E8646

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
Instruction ID: 5b2ae842588e41dbaa8cfcbe6f61b215d1639bc68c67d688af8f099cc722f5c2
Opcode Fuzzy Hash: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
Instruction Fuzzy Hash: 5E115C72501249AFDF01CFA9DD49BDE7BB9EF48304F048064FE08A21A0C7758E61DB60

Function 006EB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006EB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 006EB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006EB7CD
ReleaseDC.USER32(00000000,00000000), ref: 006EB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006EB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 006EB7FE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 740a3637af31a61fa173468f3976b25275bf775670c06b4f034f2d8d61595836
Instruction ID: c9d3fd6843c902f69fd94e7b49e13d5a7e0302c59274958023793f7e48e01ed2
Opcode Fuzzy Hash: 740a3637af31a61fa173468f3976b25275bf775670c06b4f034f2d8d61595836
Instruction Fuzzy Hash: 30018475E00309BBEF109BA69C45A9EBFB8EB48311F008076FA04A7291D6309C00CF95

Function 006B0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 006B019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006B01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006B01C1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
Instruction ID: 75088a9c96e027d7591fd6da29afa6d99cfb27887eb8c3f74ddd1fa4b82ae84c
Opcode Fuzzy Hash: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
Instruction Fuzzy Hash: 8E016CB0901B59BDE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5

Function 006F53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006F53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006F540F
GetWindowThreadProcessId.USER32(?,?), ref: 006F541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F543E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
Instruction ID: 563115b353ea61201c852182003276db20f7b235442bdffc13023d6577894229
Opcode Fuzzy Hash: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
Instruction Fuzzy Hash: 6CF09032240558BBE3215BA6DC0DEEF7F7CEFC6B11F008169FA04D10A1D7A81A0186B9

Function 006F7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006F7243
EnterCriticalSection.KERNEL32(?,?,006A0EE4,?,?), ref: 006F7254
TerminateThread.KERNEL32(00000000,000001F6,?,006A0EE4,?,?), ref: 006F7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,006A0EE4,?,?), ref: 006F726E

Part of subcall function 006F6C35: CloseHandle.KERNEL32(00000000,?,006F727B,?,006A0EE4,?,?), ref: 006F6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7281
LeaveCriticalSection.KERNEL32(?,?,006A0EE4,?,?), ref: 006F7288

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
Instruction ID: fbba6d071da8879a5cf30f2820e7427e1db5af60c82b643d2cf69b441f1d2c36
Opcode Fuzzy Hash: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
Instruction Fuzzy Hash: 3DF08236544612EBD7511B68ED4D9EF773AFF55712B108632F603910E0CBBA5901CB54

Function 006E8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E899D
UnloadUserProfile.USERENV(?,?), ref: 006E89A9
CloseHandle.KERNEL32(?), ref: 006E89B2
CloseHandle.KERNEL32(?), ref: 006E89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006E89C3
HeapFree.KERNEL32(00000000), ref: 006E89CA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
Instruction ID: ce77af4089731de237d61aec11c390d9b3a285fa87f90ba35f5c7d2c199b7464
Opcode Fuzzy Hash: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
Instruction Fuzzy Hash: D0E0C236104405FBDA011FE9EC0C98ABF79FB89322B50C230F229810B0CB3A9820EB58

Function 006E7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7702
CLSIDFromProgID.OLE32(?,?,00000000,0071FB80,000000FF,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7727
_memcmp.LIBCMT ref: 006E7748

Strings

,,r, xrefs: 006E753D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,r
API String ID: 314563124-1227627816
Opcode ID: a5400aaf95485c3016de9025b4d2096fbfbad3882865c02a0ae394e6bf6dcaf1
Instruction ID: 369ba486ee5610b7cba0104a95bfb933bb4444a32291b72f1fb77909e9fe0be8
Opcode Fuzzy Hash: a5400aaf95485c3016de9025b4d2096fbfbad3882865c02a0ae394e6bf6dcaf1
Instruction Fuzzy Hash: 69811E75A01209EFCF04DFA5C984EEEB7BAFF89315F204558E505AB250DB71AE06CB60

Function 007085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00708613
CharUpperBuffW.USER32(?,?), ref: 00708722
VariantClear.OLEAUT32(?), ref: 0070889A

Part of subcall function 006F7562: VariantInit.OLEAUT32(00000000), ref: 006F75A2
Part of subcall function 006F7562: VariantCopy.OLEAUT32(00000000,?), ref: 006F75AB
Part of subcall function 006F7562: VariantClear.OLEAUT32(00000000), ref: 006F75B7

Strings

Incorrect Parameter format, xrefs: 0070864B, 0070880D
AUTOIT.ERROR, xrefs: 00708728

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 189aac47f911c6b264241173cec376e2d41fa5a9311c60c6b894d8efc817e460
Instruction ID: 1e07783689036d0e5cfb37bba53d1f87dc6885e4170c278f6e5098f912cb9363
Opcode Fuzzy Hash: 189aac47f911c6b264241173cec376e2d41fa5a9311c60c6b894d8efc817e460
Instruction Fuzzy Hash: 4391A270604301DFCB90DF24C48595AB7F9EF89714F148A2EF89A8B3A2DB35E905CB52

Function 006F2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

_memset.LIBCMT ref: 006F2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006F2C97

Strings

0, xrefs: 006F2B73

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 58bae386f3a26864505ac3e7759bea40ae41ad0ab13ff3b6097b82d2d2cedc7b
Instruction ID: 07a50702555ce023683742feb93ef88309d27f18db6e2c67457ed477de5290f2
Opcode Fuzzy Hash: 58bae386f3a26864505ac3e7759bea40ae41ad0ab13ff3b6097b82d2d2cedc7b
Instruction Fuzzy Hash: 7A51FE7110830A9AD7A49F28C861ABFBBEAEF44310F040A2DFA91D3290DB64CC458F56

Function 006A3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A3277
_memmove.LIBCMT ref: 006A3310
_free.LIBCMT ref: 006A3336
_memmove.LIBCMT ref: 006A33E9

Strings

3cj, xrefs: 006A3225
_j, xrefs: 006A3322

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cj$_j
API String ID: 2620147621-2927472950
Opcode ID: f1bcac8dd5596e51e020a5f06897c308e9ede575c9fcb84a4c1c10d67d595aac
Instruction ID: 2c41fbd4a5f9660cfb534765d44b36c09b93ce1c8aab2d5f7c3e7f09e54e6729
Opcode Fuzzy Hash: f1bcac8dd5596e51e020a5f06897c308e9ede575c9fcb84a4c1c10d67d595aac
Instruction Fuzzy Hash: C0513871A083518FDB65DF28C451AAABBE6EF8A310F08492DF98987351DB31ED41CF42

Function 006A6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A6248
_memmove.LIBCMT ref: 006A62E4
_memset.LIBCMT ref: 006A6308

Strings

ERCP, xrefs: 006A61B3
3cj, xrefs: 006A62AF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cj$ERCP
API String ID: 2532777613-987588500
Opcode ID: 76946dbd6511156c856a5fcf3db1629d22fb1541a4f179def994a6318a286177
Instruction ID: 45fca35c46b25d70fe836206724e2887dc3d5a95ad41ecfa5b3eb147a9577f89
Opcode Fuzzy Hash: 76946dbd6511156c856a5fcf3db1629d22fb1541a4f179def994a6318a286177
Instruction Fuzzy Hash: 18519E71A00305DBDB24DF65C8817EABBE6EF05314F24456EE54ACB240E770AA81CF50

Function 006F2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006F27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 006F2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00755890,00000000), ref: 006F286B

Strings

0, xrefs: 006F27B5

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
Instruction ID: 7aad2956d94de607100a14a324bc0ce4c319d1f73f74a1f2b1c01972418bc294
Opcode Fuzzy Hash: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
Instruction Fuzzy Hash: CA41B1702043069FD720DF28C895BAABBEAEF85354F04492DF66597391D730A809CB56

Function 0070D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070D7C5

Part of subcall function 0069784B: _memmove.LIBCMT ref: 00697899

Strings

winapi, xrefs: 0070D836
none, xrefs: 0070D8A0
cdecl, xrefs: 0070D81C
stdcall, xrefs: 0070D847

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 349e8f94807fe5562628ac15a1998d8fde7dc85ef68425d26887fec644ac9e22
Instruction ID: f330de0e5f7b785039b4b47487c3975951d785bc69e8249716343f86e8f33536
Opcode Fuzzy Hash: 349e8f94807fe5562628ac15a1998d8fde7dc85ef68425d26887fec644ac9e22
Instruction Fuzzy Hash: 8031BE71914219EBDF10EFA4C8519EEB7FAFF00320B108B29E826976D1DB35AD05CB80

Function 006E8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006E8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006E8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 006E8F57

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Strings

ComboBox, xrefs: 006E8E9E
ListBox, xrefs: 006E8ED3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: c5114ec409ad975df4ae52baca84a47ab943134894102a35057efcc21f4bda1c
Instruction ID: 91b66d023c8ffdf6ac47a2a76f964bd4afbd8c5baf4d141197d8c2226fd48e76
Opcode Fuzzy Hash: c5114ec409ad975df4ae52baca84a47ab943134894102a35057efcc21f4bda1c
Instruction Fuzzy Hash: F421F071A05208BEEF14ABB5DC86DFFB76ADF05360B04812DF429972E0DB39580AD614

Function 0070182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0070184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007018A2
InternetCloseHandle.WININET(00000000), ref: 007018E9

Part of subcall function 00702483: GetLastError.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 00702498
Part of subcall function 00702483: SetEvent.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 007024AD

Strings

, xrefs: 00701893

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 637b9181e0fe37fdc470de3d197fce7ea9cec3bc1974f654f79306f0371c5326
Instruction ID: 938c35a481622bc1c42d536114d41d573ef77f86c69aa42e196f86592eca438b
Opcode Fuzzy Hash: 637b9181e0fe37fdc470de3d197fce7ea9cec3bc1974f654f79306f0371c5326
Instruction Fuzzy Hash: 192180B1500308FFEB119F64DC89EBF77EDEB48764F50822AF505962C0DA289E0597A5

Function 007163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00716461
LoadLibraryW.KERNEL32(?), ref: 00716468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0071647D
DestroyWindow.USER32(?), ref: 00716485

Strings

SysAnimate32, xrefs: 0071643C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2b44dbb6748478b4a73a6785dde267a6668d9f15e9493d9aa58cff51430b9be3
Instruction ID: 89194ac57f89edb45c13a82b1910445475b6f5d3f4eb19318b9222eeda32286b
Opcode Fuzzy Hash: 2b44dbb6748478b4a73a6785dde267a6668d9f15e9493d9aa58cff51430b9be3
Instruction Fuzzy Hash: 38218B71200245ABEF108FA8DC85EFB77ADEB59728F208629FA50920D0D779DC819760

Function 006F6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006F6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F6DEF
GetStdHandle.KERNEL32(0000000C), ref: 006F6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006F6E3B

Strings

nul, xrefs: 006F6E36

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cd38b4e24218b13ea8507c49778782efdddbc0551f01b4bdb2ea50098db14b39
Instruction ID: 02eb1d4ddf2e79c670bdddb591543206557e59a4a52a3c8e2f0063287692575a
Opcode Fuzzy Hash: cd38b4e24218b13ea8507c49778782efdddbc0551f01b4bdb2ea50098db14b39
Instruction Fuzzy Hash: E821B27560020DABDB209F29DC05AEA77F6FF44720F208619FEA1D73D0D77098109B54

Function 006F6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006F6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F6EBB
GetStdHandle.KERNEL32(000000F6), ref: 006F6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006F6F06

Strings

nul, xrefs: 006F6F01

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ee104b3a9f599abfc4407bce4c6a1e23e6ea3c021c9fa92e38c44e127e186939
Instruction ID: a3b0d9950a0b9fe5ac92262ad466746219a69dd5ff5f87c530cbc680c8074091
Opcode Fuzzy Hash: ee104b3a9f599abfc4407bce4c6a1e23e6ea3c021c9fa92e38c44e127e186939
Instruction Fuzzy Hash: 3721B07A60430D9BDB209F69DC04AFA77AAAF55724F204A19FEE0D33D0D770A841CB14

Function 006FAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006FACA8
__swprintf.LIBCMT ref: 006FACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0071F910), ref: 006FACFF

Strings

%lu, xrefs: 006FACBB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f9986a3342c98339d55377363767fa2c36e097682f9a3070929b4d00f3b11da3
Instruction ID: a680481f0bb642f086886a17c0ed8760f23fd8f891c7464dadbe8881d72b61ee
Opcode Fuzzy Hash: f9986a3342c98339d55377363767fa2c36e097682f9a3070929b4d00f3b11da3
Instruction Fuzzy Hash: 6B216D70A0014DAFCB50EF69C945EEE7BB9EF49714B00806DF909AB252DA31EA41DB25

Function 006F1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F118E
Sleep.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F11C1

Strings

@o, xrefs: 006F119D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @o
API String ID: 2875609808-3883423318
Opcode ID: 3a91f577219b2ab7c452a6a0f28d5903508c5eb1c20ac0abda6c8fd5817b9620
Instruction ID: 904161b19df96d407713dbf0ff86c23115a07955e8950d96230d4388170a08c6
Opcode Fuzzy Hash: 3a91f577219b2ab7c452a6a0f28d5903508c5eb1c20ac0abda6c8fd5817b9620
Instruction Fuzzy Hash: D4111C31D0051DE7CF00DFA5D9446FEBB79FB0A751F008165DB41B6280CB7455519B95

Function 006F1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006F1B19

Strings

EXISTS, xrefs: 006F1B41
KEYS, xrefs: 006F1B30
REMOVE, xrefs: 006F1B1F
APPEND, xrefs: 006F1B52

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: c264fc1f70cda2c886d521b77815dd7e3d1157184ece0268062832ee2258f3a2
Instruction ID: 9a9485ce129a174970d5bb2c4f4dd6d6ac2c10d9424ad531f3be1e831bf6adfc
Opcode Fuzzy Hash: c264fc1f70cda2c886d521b77815dd7e3d1157184ece0268062832ee2258f3a2
Instruction Fuzzy Hash: D3115E7091010DCFCF40EF64D8619FEB7B6FF26744B2484A9D8156B692EB325D06CB54

Function 0070EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0070EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0070EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0070ED6A
CloseHandle.KERNEL32(?), ref: 0070EDEB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e4cb0035691f87a0117f48cd93f15aa955cb3323e0a2d17c83ad651e66bc3c75
Instruction ID: ad00295b8214b431e2e39c266fa1d7534b3e1423149c7fb3b89902c512c3f65c
Opcode Fuzzy Hash: e4cb0035691f87a0117f48cd93f15aa955cb3323e0a2d17c83ad651e66bc3c75
Instruction Fuzzy Hash: 3E8160716047009FDB60EF28C886F2AB7EAEF85710F04891DF999DB6D2D674AC40CB95

Function 00710037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0071013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00710183
RegCloseKey.ADVAPI32(?,?), ref: 007101AF
RegCloseKey.ADVAPI32(00000000), ref: 007101BC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 1ed5edced4a6c57ef586f4ba6bb4c1e2b1587fa31c3b6e6282350ec7547d5dc6
Instruction ID: b81db293b0f369bcb1dca3f298abcb9ebd93c07d6bca92d721507ee7e2bedded
Opcode Fuzzy Hash: 1ed5edced4a6c57ef586f4ba6bb4c1e2b1587fa31c3b6e6282350ec7547d5dc6
Instruction Fuzzy Hash: AB516D71208204AFDB04EF68C881EAEB7E9FF84314F40891DF55587291DB75E984DB96

Function 0070D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070D927
GetProcAddress.KERNEL32(00000000,?), ref: 0070D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0070D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0070DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070DA21

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b790f5bfe0d5a8540ce79ee6ef99add57d538108eaa6bc84cad3b0577133ccb2
Instruction ID: da0684e06d1e7ad857a743d675e0e38d1d2b22333370d4657e202472ea92ac3c
Opcode Fuzzy Hash: b790f5bfe0d5a8540ce79ee6ef99add57d538108eaa6bc84cad3b0577133ccb2
Instruction Fuzzy Hash: EF512575A00209DFCB50EFA8C4859ADB7F9FF09320B04C169E85AAB352DB35AD45CF94

Function 006FE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006FE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006FE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006FE687

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006FE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006FE6B4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: d57483b9dba42fb0566d0f0c7c7f8186426c95a7a076fe86bbed7dd22bfe7644
Instruction ID: 71775cdb0b98f75dc11f1e0a8f7dbe0b13896c8369b5844978aafcb3124c2002
Opcode Fuzzy Hash: d57483b9dba42fb0566d0f0c7c7f8186426c95a7a076fe86bbed7dd22bfe7644
Instruction Fuzzy Hash: 48511E35600109DFCF41DF68C9819ADBBFAFF09314B148469E909AB761DB31ED11CB64

Function 0071A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2f2915c3b4d3ea9def9c3875abd13d3fb484da50f3af6af617be7e57830c9e
Instruction ID: e4e76ae071722c3ecacbabc491e7ceacdb4045aed5d4622aaa9ca4fda22619b7
Opcode Fuzzy Hash: db2f2915c3b4d3ea9def9c3875abd13d3fb484da50f3af6af617be7e57830c9e
Instruction Fuzzy Hash: 5241D035906208BFC721DB2CCC49FE9BBB9EB09320F144165E816A72E0D778AD81EA51

Function 00692344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00692357
ScreenToClient.USER32(007557B0,?), ref: 00692374
GetAsyncKeyState.USER32(00000001), ref: 00692399
GetAsyncKeyState.USER32(00000002), ref: 006923A7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 78860724c21ce158cc4c0f957959a30ff6ca3c90152f428296e9988744aea648
Instruction ID: 22165d42bb53993bbc2bca4f547049b0f548df8f1e895e221bf353ddb5067cf7
Opcode Fuzzy Hash: 78860724c21ce158cc4c0f957959a30ff6ca3c90152f428296e9988744aea648
Instruction Fuzzy Hash: 3B415E3560411AFBDF159F68C844EF9BB7AFB05360F20835AF829922A0CB359D90DB91

Function 006E63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 006E6433
TranslateMessage.USER32(?), ref: 006E645C
DispatchMessageW.USER32(?), ref: 006E6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E6475

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 1c4c2c34fe8f8483fa565b2f4ab697dfa6cea600cdd590a1357d1c676cb108e0
Instruction ID: 94bd3f6eaad05a244c4c636269b66b8588e274e8bb8ebccf5e101df3f15cda6e
Opcode Fuzzy Hash: 1c4c2c34fe8f8483fa565b2f4ab697dfa6cea600cdd590a1357d1c676cb108e0
Instruction Fuzzy Hash: 7931F471501782DFDB60CFB5CC44BE67BEAAB20381F14C165F421C22E1E7699445CB64

Function 006E8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006E8A30
PostMessageW.USER32(?,00000201,00000001), ref: 006E8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006E8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 006E8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006E8AF8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
Instruction ID: 178f9b4315da45e053368a02b51cddb63639b38d8047839fcb9768e8c8c1c233
Opcode Fuzzy Hash: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
Instruction Fuzzy Hash: 9031CB71500259EFDB14CFADD948ADE3BA6FB04315F10822AF928EB2D0CBB09910DB90

Function 006EB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006EB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006EB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006EB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006EB27F
_wcsstr.LIBCMT ref: 006EB289

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2a695c29a84759a01d28b48246d100dc8f484d9cb21906d6b0cb11cad9514a49
Instruction ID: bfb37b85a68fdd5fa89b6e29868ecefd68416d9e849ee587d4ae14a1162bb247
Opcode Fuzzy Hash: 2a695c29a84759a01d28b48246d100dc8f484d9cb21906d6b0cb11cad9514a49
Instruction Fuzzy Hash: 1C213371205340AEEB119B3A9C09ABF7B9ADF49760F00812DF904CA2A1EB61CD419364

Function 0071B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetWindowLongW.USER32(?,000000F0), ref: 0071B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0071B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0071B1CF
GetSystemMetrics.USER32(00000004), ref: 0071B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00700E90,00000000), ref: 0071B216

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7a679aa13fceccb98458b9ffa5a99049a051fdcc9ca84f4274f897c347b7b897
Instruction ID: 0f9702e459f3a37a47c9795b804a66d2447dd8fc5ed1e3856d1e089b95991e40
Opcode Fuzzy Hash: 7a679aa13fceccb98458b9ffa5a99049a051fdcc9ca84f4274f897c347b7b897
Instruction Fuzzy Hash: 63216B71A14655AFCB109F3C9C18AEA3BA5FB05361F158728F926D71E0E73898A09B90

Function 006E9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E9320

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9352
__itow.LIBCMT ref: 006E936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9392
__itow.LIBCMT ref: 006E93A3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 123c8a1f66b8ff7e9be54cabe5bc70a4daa57f8a08097436f3e463709948246f
Instruction ID: 6da03f272631a60a3836b9b4f9714acfb268f4ec0cae2526bff295a819ac61fa
Opcode Fuzzy Hash: 123c8a1f66b8ff7e9be54cabe5bc70a4daa57f8a08097436f3e463709948246f
Instruction Fuzzy Hash: 7021D731701348ABDB20AE659C86EEE7BAEEF48710F048029FD05DB2D1D6B08D4587A5

Function 00705A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00705A6E
GetForegroundWindow.USER32 ref: 00705A85
GetDC.USER32(00000000), ref: 00705AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00705ACD
ReleaseDC.USER32(00000000,00000003), ref: 00705B08

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5f67a58d10eb7a0e1fea354418614b388959fa519afc0efc0b7922e07fa694df
Instruction ID: 2a623f59e8a1c6e03bf53ffefb3d47ad9a8c30cff5d18a4ecdc69902b4d30d5b
Opcode Fuzzy Hash: 5f67a58d10eb7a0e1fea354418614b388959fa519afc0efc0b7922e07fa694df
Instruction Fuzzy Hash: 75218475A00504EFDB14EF69DC85AAABBE9EF48310F14C57DF84997392DA34AD00CB94

Function 006912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
SelectObject.GDI32(?,00000000), ref: 0069135C
BeginPath.GDI32(?), ref: 00691373
SelectObject.GDI32(?,00000000), ref: 0069139C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b301a6b46e1cd077eef0c8fcbda767cfe1daaace55ccab7c66369bfd5e469cb
Instruction ID: 99801f8cf0f0d8be3fb3401636df4c24a51ba84b6c9a6711c88b85704383ad9f
Opcode Fuzzy Hash: 2b301a6b46e1cd077eef0c8fcbda767cfe1daaace55ccab7c66369bfd5e469cb
Instruction Fuzzy Hash: 46215130810709EBDF108F19DD147E97BB9EB11322F24C216F8119A6B0D3B9A991DF58

Function 006F4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006F4ABA
__beginthreadex.LIBCMT ref: 006F4AD8
MessageBoxW.USER32(?,?,?,?), ref: 006F4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006F4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006F4B0A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2ba40e38ef6418288a54d1a73e2cba456c3ca94c3b1445d1c0a468e8bfeec9b2
Instruction ID: b63aeb2ab0ef4ac5a815e64caf79c78f9ca96f7cc43932afdb7d88084bf3f8bc
Opcode Fuzzy Hash: 2ba40e38ef6418288a54d1a73e2cba456c3ca94c3b1445d1c0a468e8bfeec9b2
Instruction Fuzzy Hash: E11108B6905618BBD7018FAC9C04AEB7FADEB49321F14C269F914D3391DAB9CD0087A4

Function 006E8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E821E
GetLastError.KERNEL32(?,006E7CE2,?,?,?), ref: 006E8228
GetProcessHeap.KERNEL32(00000008,?,?,006E7CE2,?,?,?), ref: 006E8237
HeapAlloc.KERNEL32(00000000,?,006E7CE2,?,?,?), ref: 006E823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E8255

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
Instruction ID: 2928097c11b3032855c3f238e1d37f8102f0ab1282e51372af439511e6d86a57
Opcode Fuzzy Hash: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
Instruction Fuzzy Hash: DA016D71201348BFDB204FAADC48DAB7BADEF8A754B508569F90DC3260DA318D00DAA0

Function 006E710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?,?,006E7455), ref: 006E7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?), ref: 006E7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E716C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
Instruction ID: 069ca48e6bdd0da0ebd80abb82ff90d7b8a79ed13f357fba77e46c1ef9458b99
Opcode Fuzzy Hash: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
Instruction Fuzzy Hash: 7B018F76612304BBDB118F69DC44BEA7BAEEF45791F188064FD08D3260E735DD419BA0

Function 006F5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 129940652b9d850a88f451aba6a68e42befdbf057b405968b3e7d379676dab01
Instruction ID: 5d6d4daf0d7d81cd707096d3dec822048b5c8160c863680dce32c6abe9acba6a
Opcode Fuzzy Hash: 129940652b9d850a88f451aba6a68e42befdbf057b405968b3e7d379676dab01
Instruction Fuzzy Hash: 06012131D01A1DEBCF00EFE8D8495FDBB79FB0D711F418255D646B2281CB345A5097A5

Function 006E810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8157

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
Instruction ID: e34d73919b83dbed38e84c8a9c00c9e7768fa19abda9f72a4ca54a8966435b29
Opcode Fuzzy Hash: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
Instruction Fuzzy Hash: 67F0C270211305BFEB110FA9EC88EE73BADFF49754B008025F949C3290CB649D01EA60

Function 006EC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006EC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 006EC20E
MessageBeep.USER32(00000000), ref: 006EC226
KillTimer.USER32(?,0000040A), ref: 006EC242
EndDialog.USER32(?,00000001), ref: 006EC25C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eea5710c76a25a8a0586afbd2c41d49a4cfa654ef890691e4706fb283dc2e9e6
Instruction ID: d26c7a333f2fc5a14e1b94cb56b820997dc2693bbb5485adb80fe2a94968b1a6
Opcode Fuzzy Hash: eea5710c76a25a8a0586afbd2c41d49a4cfa654ef890691e4706fb283dc2e9e6
Instruction Fuzzy Hash: A101D630514B04ABEB245B69ED4EFD677B9FF00B16F008269F642A14E0DBF46A458B94

Function 006913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006913BF
StrokeAndFillPath.GDI32(?,?,006CB888,00000000,?), ref: 006913DB
SelectObject.GDI32(?,00000000), ref: 006913EE
DeleteObject.GDI32 ref: 00691401
StrokePath.GDI32(?), ref: 0069141C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 291acff922e29950927bd9431a2998ffd214c19441c3d69c94f1b9e8c6113a78
Instruction ID: 12e0f20f96c7ae02464f22da3bbe3a5dcb828ff9f1e8d5d5b63a5d0c87b83f7b
Opcode Fuzzy Hash: 291acff922e29950927bd9431a2998ffd214c19441c3d69c94f1b9e8c6113a78
Instruction Fuzzy Hash: 87F01930000B49EBDF115F2AEC5C7E83BE9A725326F18C324E42A485F1C77999A5DF18

Function 006FC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006FC432
CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FC44A

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

CoUninitialize.OLE32 ref: 006FC6B7

Strings

.lnk, xrefs: 006FC3C6, 006FC3EE, 006FC3F8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2b26a9244d4757b093f11d45844ea0dafc8acc38ae6de3aeb615e714623d75c2
Instruction ID: 9098daea968386b7153bf33a3113203d421a6e9a663c937d64351817f4f7f63e
Opcode Fuzzy Hash: 2b26a9244d4757b093f11d45844ea0dafc8acc38ae6de3aeb615e714623d75c2
Instruction Fuzzy Hash: 28A15BB1108205AFDB40EF64C881EAFB7EDEF85354F00491DF156871A2EB71EA09CB66

Function 006A2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00697A51: _memmove.LIBCMT ref: 00697AAB

__swprintf.LIBCMT ref: 006A2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006A2D66

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4d35a581ee937a6a5ece32783d517dae6cfa384cca677448694659aa61f824c2
Instruction ID: 1f066a78372df5703184fb45f8b7a805c7d0b83365c986e3d3dc21c0e4216109
Opcode Fuzzy Hash: 4d35a581ee937a6a5ece32783d517dae6cfa384cca677448694659aa61f824c2
Instruction Fuzzy Hash: A7917C715182029FCB54FF28C895CAFB7AAEF96310F00491EF4469B2A1EB30ED45CB56

Function 006FB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

CoInitialize.OLE32(00000000), ref: 006FB9BB
CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FB9D4
CoUninitialize.OLE32 ref: 006FB9F1

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Strings

.lnk, xrefs: 006FB99D, 006FB9AB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: deb1d15a28ba2a67be687d7d06a4b58b60f269f6a36fda3420c149d10b42fdf5
Instruction ID: 82ecb63bb3554d2891664820a949df073a919cbed0f2a643ff28871eb42f9182
Opcode Fuzzy Hash: deb1d15a28ba2a67be687d7d06a4b58b60f269f6a36fda3420c149d10b42fdf5
Instruction Fuzzy Hash: A6A134756042059FCB00DF28C885D6AB7EAFF89314F04899CF9999B3A1DB31ED46CB91

Function 006EB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 006EB4BE

Strings

AutoIt3GUI, xrefs: 006EB436
%r, xrefs: 006EB561
Container, xrefs: 006EB43B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%r
API String ID: 3565006973-1282070598
Opcode ID: 84a4b142e25a67ce2acc2046ebb05d820e405d3cdb9d6ae3ed9084a770bb16ee
Instruction ID: eceb78ae972e25dea6705c53e41a77154c8abf3f7627b82e0f00e4689d4df833
Opcode Fuzzy Hash: 84a4b142e25a67ce2acc2046ebb05d820e405d3cdb9d6ae3ed9084a770bb16ee
Instruction Fuzzy Hash: 529138B0601701AFDB54DF65C885AABBBEAFF48710F20956DE94ACB391DB70E841CB50

Function 006B501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006B50AD

Part of subcall function 006C00F0: __87except.LIBCMT ref: 006C012B

Strings

pow, xrefs: 006B5085, 006B50A2

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f1fa5ad4848123a1400c61b36bef296405c95ec1ce5ecd82dc1346df619ca532
Instruction ID: ed8463161a211f0e49decefeb4d971958bc114ca3151fa0b1b0a2fe70d97dcae
Opcode Fuzzy Hash: f1fa5ad4848123a1400c61b36bef296405c95ec1ce5ecd82dc1346df619ca532
Instruction Fuzzy Hash: D9514BB1908601C6EB217728C9057FE6B97DB40710F24895DE4D7863A9EF388AC5978A

Function 006D8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D862B
_memmove.LIBCMT ref: 006D8685

Strings

3cj, xrefs: 006D860C
_j, xrefs: 006D86FF, 006DDFDC, 006DDFF8

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _memmove
String ID: 3cj$_j
API String ID: 4104443479-2927472950
Opcode ID: e330191add47d25d4a88bebfec2cb3540a93d5d6c74c51e4c326abc9ac466e3c
Instruction ID: 74c550003d2e37b954a5436c50f980cd2350c76edf97b04b670458485721a4fd
Opcode Fuzzy Hash: e330191add47d25d4a88bebfec2cb3540a93d5d6c74c51e4c326abc9ac466e3c
Instruction Fuzzy Hash: C1518CB0D006099FDB64DF68D884AEEBBB2FF44304F14852AE85AD7350EB31E965CB51

Function 006E97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E9296,?,?,00000034,00000800,?,00000034), ref: 006F14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006E983F

Part of subcall function 006F1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006F14B1

Part of subcall function 006F13DE: GetWindowThreadProcessId.USER32(?,?), ref: 006F1409
Part of subcall function 006F13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006E925A,00000034,?,?,00001004,00000000,00000000), ref: 006F1419
Part of subcall function 006F13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006E925A,00000034,?,?,00001004,00000000,00000000), ref: 006F142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E98F9

Strings

@, xrefs: 006E9911

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 31d1c865f4ac99c9489c91dd68baca0baec61031aa4cb766dbc3406c15d14735
Instruction ID: 41895c8824aca12a032ab98e32e40cc9093fdacb7e08d8bf7bc7bd524af6a883
Opcode Fuzzy Hash: 31d1c865f4ac99c9489c91dd68baca0baec61031aa4cb766dbc3406c15d14735
Instruction Fuzzy Hash: 3F41627690121CBFCB10DFA4CC45AEEBBB9EF46340F044059FA45B7191DA706E45CBA4

Function 00717946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0071F910,00000000,?,?,?,?), ref: 007179DF
GetWindowLongW.USER32 ref: 007179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00717A0C

Strings

SysTreeView32, xrefs: 007179B1

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 58cf7e7772f319d040e2662e75eec462b929fe5a21704f3e0f37fab586f015fb
Instruction ID: d92f22206d3f24f668c669c06bbee4df048a3769cf73d2457d7376cd2d0979a6
Opcode Fuzzy Hash: 58cf7e7772f319d040e2662e75eec462b929fe5a21704f3e0f37fab586f015fb
Instruction Fuzzy Hash: 38318B71204606ABDF158E3CCC45BEA77A9EF09324F248729F875A22E0D739ED95CB50

Function 007173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00717461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00717475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00717499

Strings

SysMonthCal32, xrefs: 0071742C

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: faf71e5a3806f861143c0739f2d90d5cf58a4573fe3ce3449680999e411260f3
Instruction ID: e56d3ea0fc11066b64bce1de0b1bc1f1599b11a0b9ca6c685978cbf8ceed6c36
Opcode Fuzzy Hash: faf71e5a3806f861143c0739f2d90d5cf58a4573fe3ce3449680999e411260f3
Instruction Fuzzy Hash: 5F21A332500259ABDF15CF98CC46FEA3B7AEF48724F114114FE156B1D0DA79AC91DBA0

Function 00717B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00717C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00717C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00717C5F

Strings

msctls_updown32, xrefs: 00717BC4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d31d56269991bc8bfa95fd075e4b4ba1ac70769f1f105719217cc21f8d0c4d0b
Instruction ID: 0ac03a9abcb0aa82f7b422fdc67b6d0b738802ef09a5afc9ae3f158fdc23a04f
Opcode Fuzzy Hash: d31d56269991bc8bfa95fd075e4b4ba1ac70769f1f105719217cc21f8d0c4d0b
Instruction Fuzzy Hash: CE2189B1204208AFDB10DF28DCC1CA637BDEF5A3A4B104019FA009B3A1CB76EC41CAA0

Function 00716CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00716D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00716D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00716D70

Strings

Listbox, xrefs: 00716D08

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9ab01e6cef254e0ec921a222e33069f7699c1a7d0cf846d86acb6f6e4e30d78d
Instruction ID: b356b01838df5b0af3ec7341d9160bb6ece94b197f8c7c4c1ae3489b8b6878c6
Opcode Fuzzy Hash: 9ab01e6cef254e0ec921a222e33069f7699c1a7d0cf846d86acb6f6e4e30d78d
Instruction Fuzzy Hash: 1C21C232700118BFDF118F58DC45EEB3BBAEF89760F018128FA459B1E0C675AC9187A0

Function 007039E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00703A66

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00703A58
%r, xrefs: 007039F4
, $, xrefs: 00703AA6

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%r
API String ID: 3506404897-1855777976
Opcode ID: 50383d618f89eb8b17b91bbbffb9cd8bee096a4f5b7a49ede0194b747bbabd0f
Instruction ID: 05e640ca508e22dcb37edbd4611e6955a91702cbcae30c79ee28820b983e065b
Opcode Fuzzy Hash: 50383d618f89eb8b17b91bbbffb9cd8bee096a4f5b7a49ede0194b747bbabd0f
Instruction Fuzzy Hash: F9218FB0700219EFCF54EF64CC82AAE77FAAF45710F004459F455AB182EB38EA45CB65

Function 0071770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00717772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00717787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00717794

Strings

msctls_trackbar32, xrefs: 00717749

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a942ee6c03b28ea51df2b005f5a1607bef0015357620f4d67597400d3fea1afc
Instruction ID: babcbe0d720de236d4dc74245e43b257bc8cc787779f1a27883e95c165ade558
Opcode Fuzzy Hash: a942ee6c03b28ea51df2b005f5a1607bef0015357620f4d67597400d3fea1afc
Instruction Fuzzy Hash: 3F11E372244209BAEF249F69CC05FEB77B9EF89B64F114528FA41A60D0D676E851CB20

Function 006B6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006B6B93
__calloc_crt.LIBCMT ref: 006B6BAC

Strings

t, xrefs: 006B6BD1
@Bu, xrefs: 006B6BC3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __calloc_crt
String ID: t$@Bu
API String ID: 3494438863-4292462000
Opcode ID: f7c9a34dfa01171d5258231ad272ce6db97de07b488135d5da0f3ea39b7b200c
Instruction ID: 8a805f77bb450edb7d86c20f03994fbe53676ebc07cdf6ae9303e28a1e5e75e8
Opcode Fuzzy Hash: f7c9a34dfa01171d5258231ad272ce6db97de07b488135d5da0f3ea39b7b200c
Instruction Fuzzy Hash: 4DF031F16447129AE7648F54FC61AD627A6F710734F50442AF101CF290EBBC98D18799

Function 006B9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 006B9B94

Part of subcall function 006B9C0B: __mtinitlocknum.LIBCMT ref: 006B9C1D
Part of subcall function 006B9C0B: EnterCriticalSection.KERNEL32(00000000,?,006B9A7C,0000000D), ref: 006B9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 006B9BA4

Part of subcall function 006B9100: ___addlocaleref.LIBCMT ref: 006B911C
Part of subcall function 006B9100: ___removelocaleref.LIBCMT ref: 006B9127
Part of subcall function 006B9100: ___freetlocinfo.LIBCMT ref: 006B913B

Strings

8t, xrefs: 006B9B8A, 006B9B9F, 006B9BAB
8t, xrefs: 006B9B85

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8t$8t
API String ID: 547918592-3065990335
Opcode ID: d6b7c6015f3c52b941355fb8aa9fc443fe4b549464dbfabb82d8d471a0c3c56d
Instruction ID: 4e7995dde0ee44190a2a78204be4845c82225788bf15eb0c0964acc97e8f269c
Opcode Fuzzy Hash: d6b7c6015f3c52b941355fb8aa9fc443fe4b549464dbfabb82d8d471a0c3c56d
Instruction Fuzzy Hash: 69E046F1982304AAEAA0BBE86903B892766EB01B31F20415EF155560C18B680480C72F

Function 00694C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694B83,?), ref: 00694C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00694C56

Strings

kernel32.dll, xrefs: 00694C3F
Wow64RevertWow64FsRedirection, xrefs: 00694C50

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3c6b015efe6d49c4b56cbb365a9c63490eb275954ca024e8dfcb1976bb2f34e7
Instruction ID: e870d4c8f9a6260261a9febe8ecc1dc4c97d3f70b181bdebd15605a51007b062
Opcode Fuzzy Hash: 3c6b015efe6d49c4b56cbb365a9c63490eb275954ca024e8dfcb1976bb2f34e7
Instruction Fuzzy Hash: C1D02B70504B13DFCB204F35D80868673DAAF01340B10C83DD495C67A0EB78C4C0C610

Function 00694C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694BD0,?,00694DEF,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00694C23

Strings

kernel32.dll, xrefs: 00694C0C
Wow64DisableWow64FsRedirection, xrefs: 00694C1D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 7933880695b2b2d3cad29b26ec7302e5fc8588dead84d8ed659d1203b8dc4ab6
Instruction ID: 0d9edfa39fcf6e09e206f1327efd40ec94edc5041c2a086a121c93242fe89f05
Opcode Fuzzy Hash: 7933880695b2b2d3cad29b26ec7302e5fc8588dead84d8ed659d1203b8dc4ab6
Instruction Fuzzy Hash: AED0C270501B13DFCB205F74D808686B6DBEF08342B00CC39D485C2690EBB8C481CA10

Function 00710DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00711039), ref: 00710DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00710E07

Strings

RegDeleteKeyExW, xrefs: 00710E01
advapi32.dll, xrefs: 00710DF0

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0c2b0fb69786d9ccd2c560aaac7e4eaaa3d7716807c763d2df615d335fc2bb25
Instruction ID: 6db4f7f789449cd880ac8324d51f08d5beb55ef2529e0693ec08fc8f466d279e
Opcode Fuzzy Hash: 0c2b0fb69786d9ccd2c560aaac7e4eaaa3d7716807c763d2df615d335fc2bb25
Instruction Fuzzy Hash: E0D0EC70510716DFD7205B79C808687B6D5AF04751F11CC6DE585D21D0D7B8D4E08654

Function 007090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00708CF4,?,0071F910), ref: 007090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00709100

Strings

kernel32.dll, xrefs: 007090E9
GetModuleHandleExW, xrefs: 007090FA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 24060a5ddf1b257b2d9a3cbc78f2c0f09c9c8b372b09460e8610b7d7c98e5dfd
Instruction ID: f812044cbc925af3df829f024074600160a2a8efc817926b1f69432d8d11a71d
Opcode Fuzzy Hash: 24060a5ddf1b257b2d9a3cbc78f2c0f09c9c8b372b09460e8610b7d7c98e5dfd
Instruction Fuzzy Hash: 34D0C7B0610B1BDFCB208F38D80828672E5AF00341B22C83AD486C21D0EBBCC880CA90

Function 006D1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006D1718
__swprintf.LIBCMT ref: 006D1749

Strings

%.3d, xrefs: 006D1723
WIN_XPe, xrefs: 006D1788

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0054bb3cd71ff5d0ddb93c447c85c1e41aea24636814913ed64559ffe0cb9aaa
Instruction ID: 699785358dd7ca081da0398280d28fe51c717dbabca8a4709fb4c25a7dee5716
Opcode Fuzzy Hash: 0054bb3cd71ff5d0ddb93c447c85c1e41aea24636814913ed64559ffe0cb9aaa
Instruction Fuzzy Hash: 38D012B1D04118FACB449B9098888F9777DA70A311F100553F50296261E2B59B96D625

Function 006E717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48d461c34593fd73d4dbc3fec4a6203cc7486d793842d435b3ed71ce41aeb42
Instruction ID: 8f33e704924a17d2d220303683fdc7a883f60017d555e204572ad99df7c6bd68
Opcode Fuzzy Hash: d48d461c34593fd73d4dbc3fec4a6203cc7486d793842d435b3ed71ce41aeb42
Instruction Fuzzy Hash: 56C15C74A05256EFDB14CFA9C884AAEBBF6FF48704B148598E805DB351D730ED81DB90

Function 0070E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0070E0BE
CharLowerBuffW.USER32(?,?), ref: 0070E101

Part of subcall function 0070D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0070E301
_memmove.LIBCMT ref: 0070E314

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a214710bc4b6c2273f9f6328c85fdb835f996284cd2675d9c3ff7fdd64a145e1
Instruction ID: 74076e72ab778611ff0b2a8f86929f809ccaa2e407b3d3e62143d02ffcbbc057
Opcode Fuzzy Hash: a214710bc4b6c2273f9f6328c85fdb835f996284cd2675d9c3ff7fdd64a145e1
Instruction Fuzzy Hash: CEC16A71608301DFC754DF28C480A6ABBE5FF89714F148A6EF8999B391D734E946CB82

Function 00708093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007080C3
CoUninitialize.OLE32 ref: 007080CE

Part of subcall function 006ED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ED5D4

VariantInit.OLEAUT32(?), ref: 007080D9
VariantClear.OLEAUT32(?), ref: 007083AA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 89a9a14cf6b511096a2507d99096a95bd2fe8b660e8dd6fa83ef241378309b3d
Instruction ID: 3d7e97cfddb0f793510a89a841d843039382151e15e52ffdb3c15712ec4e2b64
Opcode Fuzzy Hash: 89a9a14cf6b511096a2507d99096a95bd2fe8b660e8dd6fa83ef241378309b3d
Instruction Fuzzy Hash: 5FA15975204701DFCB80DF28C481A2AB7E9BF89324F04895CF9959B7A1DB34ED05CB96

Function 006E687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006E688E
SysAllocString.OLEAUT32(00000000), ref: 006E6937
VariantCopy.OLEAUT32 ref: 006E6966
VariantClear.OLEAUT32(?), ref: 006E698D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: fabd8e4268ab06f458d0a6aac6244ace41676945dc982707a0dae2696f3814f9
Instruction ID: 89cba7b801b27e73cc9918129c46ef3acbb44fab1575222eb87b4e60e3ba5a70
Opcode Fuzzy Hash: fabd8e4268ab06f458d0a6aac6244ace41676945dc982707a0dae2696f3814f9
Instruction Fuzzy Hash: 8B510974B013819EDF60AF6AC89167AB7E7AF24350F20D82FF586DB291EB34D8418715

Function 007197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0101E6E0,?), ref: 00719863
ScreenToClient.USER32(00000002,00000002), ref: 00719896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00719903

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 51995a103ccd57ef1a8e556334e8747866ac2a877999a33aec2472706b7506fb
Instruction ID: 045b959b995ab39481ef4c65b64c0a53d6c1488c8f7ba9625db52b3ee9b14a2e
Opcode Fuzzy Hash: 51995a103ccd57ef1a8e556334e8747866ac2a877999a33aec2472706b7506fb
Instruction Fuzzy Hash: ED513D34A00209EFCF14CF68C894AEE7BB5FF95360F148169F9559B2A0D735AD82CB90

Function 006E9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006E9AD2
__itow.LIBCMT ref: 006E9B03

Part of subcall function 006E9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 006E9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 006E9B6C
__itow.LIBCMT ref: 006E9BC3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b630ded3fe0844c45e7fc474a08b4091ec98205b86975ec458bd1cac5591380e
Instruction ID: be4ea1fe2da74c735e974d69b75ce87dc9b90494776bf000f180fdd8740b5985
Opcode Fuzzy Hash: b630ded3fe0844c45e7fc474a08b4091ec98205b86975ec458bd1cac5591380e
Instruction Fuzzy Hash: EF418F70A00349ABDF25EF65D846BFE7BBAEF44720F000069F905A7391DB709A45CBA5

Function 007069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007069D1
WSAGetLastError.WSOCK32(00000000), ref: 007069E1

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00706A45
WSAGetLastError.WSOCK32(00000000), ref: 00706A51

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 9b7f9bf6eb2b4d889111cc0abdfe972605732129466c4eaa9c27f7f473d5c24f
Instruction ID: 0c3fd4bd8dfea33ec09e1de9952ea5c52d5e91719e0aa88169ac1b9bf5140ea8
Opcode Fuzzy Hash: 9b7f9bf6eb2b4d889111cc0abdfe972605732129466c4eaa9c27f7f473d5c24f
Instruction Fuzzy Hash: 0B418F75740200AFEBA0AF28CC86F7A77E99F45B14F04C51CFA19AB6C2DA749D008795

Function 0070641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0071F910), ref: 007064A7
_strlen.LIBCMT ref: 007064D9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a3d284da022b16028a0ce4a0c5fa4092f2ac464f5ff4805dd2ea213e2b690434
Instruction ID: ad957b9b24fd16e269dd65c79bb3bc8aafffd617669aef31e13176eb7969c034
Opcode Fuzzy Hash: a3d284da022b16028a0ce4a0c5fa4092f2ac464f5ff4805dd2ea213e2b690434
Instruction Fuzzy Hash: EE419571600104EBCB54EBA8DC95EBEB7EAAF04310F14825DF915972D6DB34AD10C754

Function 006FB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006FB89E
GetLastError.KERNEL32(?,00000000), ref: 006FB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006FB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006FB915

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8d1c4a6eee54dbf7e8e7dd28da894645d2828607a39d6c2e7ce4bc898f670fda
Instruction ID: e5d07dc3d16c9c316e5520a74f4527a0fa7addc5a0b52409e1f75df7390d07d3
Opcode Fuzzy Hash: 8d1c4a6eee54dbf7e8e7dd28da894645d2828607a39d6c2e7ce4bc898f670fda
Instruction Fuzzy Hash: A0412A39600514DFCF50EF28C585A59BBEAAF4A310F09849CED4A9B762DB34FD01CBA5

Function 00718851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007188DE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ffaf8c922f291f37ee09ad0863f32ac74f962191212f45a8aa5a39f9f8f82893
Instruction ID: 77acadb1626f7480bf126594a8669e0a1daf42b358ca3aac4e3e5ecf4e6c2bef
Opcode Fuzzy Hash: ffaf8c922f291f37ee09ad0863f32ac74f962191212f45a8aa5a39f9f8f82893
Instruction Fuzzy Hash: 9031B434610108AFEFA09A5CCC45BF877A5EB06350F544112FA15E62E1CE7CF9C09757

Function 0071AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0071AB60
GetWindowRect.USER32(?,?), ref: 0071ABD6
PtInRect.USER32(?,?,0071C014), ref: 0071ABE6
MessageBeep.USER32(00000000), ref: 0071AC57

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9f0daf691a3cd21bae834b09fe8a94d82b4a869faafeeaa967e949d4383e51e0
Instruction ID: 9e77c19b3417b83baa5596e5acfeed1d04773bf455dcf8ee9dc25bf12acf8d85
Opcode Fuzzy Hash: 9f0daf691a3cd21bae834b09fe8a94d82b4a869faafeeaa967e949d4383e51e0
Instruction Fuzzy Hash: F5416170601219EFCB21DF5CD894AE97BF6FB49311F1480A5E4159B2A1D738A881CBA2

Function 006F0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006F0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 006F0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006F0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006F0BFB

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 97acd75d246a9250857afd4c72cb5dd647d37c12b8f3523322109af52d44938f
Instruction ID: f3434602075986d8e5fd3935d61e968cce80cdc67a4426d0e1fee2fa619ac84d
Opcode Fuzzy Hash: 97acd75d246a9250857afd4c72cb5dd647d37c12b8f3523322109af52d44938f
Instruction Fuzzy Hash: A6316C70D4031CAFFF308B298C05BFABBA7AB45318F14835AF680522D3C37A89559755

Function 006F0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 006F0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 006F0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 006F0CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 006F0D33

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a121f8ee64c42ead1890e1874d69154c2c2746db417ddc61eb19069f74ab95c0
Instruction ID: d2f827c14605326d33ccc4a072c2104f29bf8a6f30f7cd9702151d2324cb8811
Opcode Fuzzy Hash: a121f8ee64c42ead1890e1874d69154c2c2746db417ddc61eb19069f74ab95c0
Instruction Fuzzy Hash: 5B31587094431CAEFF308B698C157FEBBA7AF49320F14831EE694522D3C33999558755

Function 006C61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006C61FB
__isleadbyte_l.LIBCMT ref: 006C6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C628D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e43ce311e9bc2e159ae4d75c27df9c6f143c0549c5770f05ee5807298bed7c43
Instruction ID: 14a742546517d1be47782577e26ee6c718a356bd3bb01608bd7ddb92e16f8c56
Opcode Fuzzy Hash: e43ce311e9bc2e159ae4d75c27df9c6f143c0549c5770f05ee5807298bed7c43
Instruction Fuzzy Hash: C431CE31604246AFDB218F69CC48FBA7BAAFF41310F15402CF864872A1E735DA91DB98

Function 00714EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00714F02

Part of subcall function 006F3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006F365B
Part of subcall function 006F3641: GetCurrentThreadId.KERNEL32 ref: 006F3662
Part of subcall function 006F3641: AttachThreadInput.USER32(00000000,?,006F5005), ref: 006F3669

GetCaretPos.USER32(?), ref: 00714F13
ClientToScreen.USER32(00000000,?), ref: 00714F4E
GetForegroundWindow.USER32 ref: 00714F54

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 551b36dc17493eeed563482666ca0126d518633fc8a91c69854c629145e17424
Instruction ID: b61372312ff9784a33dfb5cd8d6b115688d7f06e30843c9b6057c496582eee09
Opcode Fuzzy Hash: 551b36dc17493eeed563482666ca0126d518633fc8a91c69854c629145e17424
Instruction Fuzzy Hash: 0D312C71D00108AFCB40EFA9C9859EFB7FEEF99300F10446EE415E7241EA759E458BA4

Function 006F3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006F3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 006F3C88
Process32NextW.KERNEL32(00000000,?), ref: 006F3CA8
CloseHandle.KERNEL32(00000000), ref: 006F3D52

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: eb329469e1b2adaa3f52b57acbf002f83a60d46cd2f69f51735a205e2655ca1f
Instruction ID: 065c1d9abd554460fafb1f2def512b6c069dc66d166c23533663613adceb116b
Opcode Fuzzy Hash: eb329469e1b2adaa3f52b57acbf002f83a60d46cd2f69f51735a205e2655ca1f
Instruction Fuzzy Hash: 7631D1311083499FD700EF64C881AFFBBEDEF95310F50082DF582862A1EB719A49CB92

Function 0071C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetCursorPos.USER32(?), ref: 0071C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006CB9AB,?,?,?,?,?), ref: 0071C4E7
GetCursorPos.USER32(?), ref: 0071C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006CB9AB,?,?,?), ref: 0071C56E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d6fe52c799384b1d7ded31277471532cb3811a670ec5babbc45b93951a80653a
Instruction ID: efb7a51e872c4a4ff7ef23dfce0141cd74d764cac722f408449d72fff963db76
Opcode Fuzzy Hash: d6fe52c799384b1d7ded31277471532cb3811a670ec5babbc45b93951a80653a
Instruction Fuzzy Hash: CD31A735500458BFCF16CF9CD854DEA7BB7EB09310F548069F9058B2A1C7396DA0DBA4

Function 006E8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8121
Part of subcall function 006E810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E812B
Part of subcall function 006E810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E813A
Part of subcall function 006E810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8141
Part of subcall function 006E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E86A3
_memcmp.LIBCMT ref: 006E86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E86FC
HeapFree.KERNEL32(00000000), ref: 006E8703

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 59a1fdc158a94917fcc3da4a63bfdfe116029d87717ba13ef180a79771cb03a9
Instruction ID: e40bf867e3c9c1d1d3bb18b5571d0b34ad12523f3bc7ee4b0fb7b9184983402d
Opcode Fuzzy Hash: 59a1fdc158a94917fcc3da4a63bfdfe116029d87717ba13ef180a79771cb03a9
Instruction Fuzzy Hash: 2621A471D41249EFDB10DF99C949BEEB7B9FF54308F158059E448A7240DB31AE05CB54

Function 006B098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006B09AE

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

_fprintf.LIBCMT ref: 006B09E5
OutputDebugStringW.KERNEL32(?), ref: 006E5DBB

Part of subcall function 006B4AAA: _flsall.LIBCMT ref: 006B4AC3

__setmode.LIBCMT ref: 006B0A1A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1df36e92690e4f9ba927a0e45b6f12aec979d116e164b0767965539a65e818ef
Instruction ID: e083597968ec207ac2a2d3af18dc4c593d9e976aa4d282335da6b66dbad76107
Opcode Fuzzy Hash: 1df36e92690e4f9ba927a0e45b6f12aec979d116e164b0767965539a65e818ef
Instruction Fuzzy Hash: 2F1136B2A046086FEB44B7B89C879FE7BAF9F41320F20015DF10557283EE70588287AD

Function 00701767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007017A3

Part of subcall function 0070182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0070184C
Part of subcall function 0070182D: InternetCloseHandle.WININET(00000000), ref: 007018E9

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
Instruction ID: 9c3981818baff76ec13fa9b90cbe0f6155b84fecffe1ba43f693fdbcb42a2cae
Opcode Fuzzy Hash: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
Instruction Fuzzy Hash: EE21D732200601FFDB125F64CC05FBAB7E9FF48B10F508229F905966D1DB7999119790

Function 006F3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0071FAC0), ref: 006F3A64
GetLastError.KERNEL32 ref: 006F3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 006F3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0071FAC0), ref: 006F3ADF

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 223be4851fbb6ffa4042b8e4a1121a93fe0eda32d910be8ea24126eb97a7233a
Instruction ID: 7b68bedc2fc8ad5812d4c6b2fabcd631a3ee67586bf5727391052d298375cdb9
Opcode Fuzzy Hash: 223be4851fbb6ffa4042b8e4a1121a93fe0eda32d910be8ea24126eb97a7233a
Instruction Fuzzy Hash: 842191745082159F8700EF39C8818BAB7E9BE56364F108A2DF599C73E1D731DA46CB46

Function 006EDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006EF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006EDCD3,?,?,?,006EEAC6,00000000,000000EF,00000119,?,?), ref: 006EF0CB
Part of subcall function 006EF0BC: lstrcpyW.KERNEL32(00000000,?,?,006EDCD3,?,?,?,006EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 006EF0F1
Part of subcall function 006EF0BC: lstrcmpiW.KERNEL32(00000000,?,006EDCD3,?,?,?,006EEAC6,00000000,000000EF,00000119,?,?), ref: 006EF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,006EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 006EDCEC
lstrcpyW.KERNEL32(00000000,?,?,006EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 006EDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,006EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 006EDD46

Strings

cdecl, xrefs: 006EDD3D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 81c26d0017f4dddcf104e50cebbb9c9a02f9c74300951bf8979cb39a7277a021
Instruction ID: 844bdda268cf421b7245de7225fa6a8198364943cb25af09fa298afbc331bd92
Opcode Fuzzy Hash: 81c26d0017f4dddcf104e50cebbb9c9a02f9c74300951bf8979cb39a7277a021
Instruction Fuzzy Hash: 9E11DD3A201345EFDB25AF35CC45DBA77AAFF45350B40842AF806CB2A0EB719851D7A8

Function 006C50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006C5101

Part of subcall function 006B571C: __FF_MSGBANNER.LIBCMT ref: 006B5733
Part of subcall function 006B571C: __NMSG_WRITE.LIBCMT ref: 006B573A
Part of subcall function 006B571C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 168dfac6e901eb54d297dee3559e6f2b50157cdc8d4f7727f677ca4ac235dbec
Instruction ID: 0b931f564060435ca3086ef617a40ede732ca02ade610d720d67afe849910a07
Opcode Fuzzy Hash: 168dfac6e901eb54d297dee3559e6f2b50157cdc8d4f7727f677ca4ac235dbec
Instruction Fuzzy Hash: B011E7B1500A15AFCB712F74AC09FFE3B9ADF003A1B14452EF9069B650DE34D9C18798

Function 00706369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

gethostbyname.WSOCK32(?,?,?), ref: 00706399
WSAGetLastError.WSOCK32(00000000), ref: 007063A4
_memmove.LIBCMT ref: 007063D1
inet_ntoa.WSOCK32(?), ref: 007063DC

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 5ed0d3f11390d4fd7bf0667e344073367acca3378e622c27863c2aead0b37ba6
Instruction ID: ed077d8cc425e49fa2bb7bb5b8dce1a1f83b76c51e5e32723121f77737cf5d64
Opcode Fuzzy Hash: 5ed0d3f11390d4fd7bf0667e344073367acca3378e622c27863c2aead0b37ba6
Instruction Fuzzy Hash: 5B118E31900109EFCF04FBA8DD46CEEB7BDAF04320B008129F506A71A1DB34AE14CB65

Function 006E8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006E8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8BA4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
Instruction ID: ce188be3c85f8b632a6ddb4fb10728dc7a9d053fd71762fb1881f27e4e434b93
Opcode Fuzzy Hash: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
Instruction Fuzzy Hash: 6B111C79901218FFDB11DF95CC85F9DBB75FB48710F204095E904B7290DA716E11DB94

Function 00691290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
GetClientRect.USER32(?,?), ref: 006CB5FB
GetCursorPos.USER32(?), ref: 006CB605
ScreenToClient.USER32(?,?), ref: 006CB610

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 612fdde8d8c161f24cfbf7da72f690f08e28c9055252fe5b5fc4795baff7c9d9
Instruction ID: 423182b24db2fdea47b3e18cc797887a5a43d4ae6b96546ae34ed47d7d7da243
Opcode Fuzzy Hash: 612fdde8d8c161f24cfbf7da72f690f08e28c9055252fe5b5fc4795baff7c9d9
Instruction Fuzzy Hash: 04112B3550001AEBCF00EFA8D8859FE77BAEB06301F504465F901EB641D734BA918BA9

Function 006ED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006ED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006ED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006ED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006ED897

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fb40364bd3d7206c398476d23f2070723d2b9902f6cdab844740ecd9c9665e09
Instruction ID: 3e3058a0fb09f5c81a68fc4bece4fe74263fe5edfa2a38abb0207352f31a3c70
Opcode Fuzzy Hash: fb40364bd3d7206c398476d23f2070723d2b9902f6cdab844740ecd9c9665e09
Instruction Fuzzy Hash: 221161B5606354EBE320CF56DC08F93BBBDEB00B00F108569E916D6190D7B5E5499BA1

Function 006C6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 006C6FDB

Part of subcall function 006C76C2: __fltout2.LIBCMT ref: 006C76EB

__cftog_l.LIBCMT ref: 006C7001
__cftoe_l.LIBCMT ref: 006C7033

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4870b902e72ed76d9f2998e36c2c63348b6b9e98c57754224fb282e6885fbb04
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5C017BB214814ABBCF125E85CC05DEE3F63FB18390B488419FA1859131C636C9B1AF81

Function 0071B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0071B2E4
ScreenToClient.USER32(?,?), ref: 0071B2FC
ScreenToClient.USER32(?,?), ref: 0071B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0071B33B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
Instruction ID: 8fe13473690d8c291b35f365e11271bc1e68086c8e995317c925a70d0678d1b8
Opcode Fuzzy Hash: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
Instruction Fuzzy Hash: 5A1144B9D00209EFDB41CFA9C8849EEBBF9FF08310F108166E914E3260D735AA658F54

Function 006F6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 006F6BE6

Part of subcall function 006F76C4: _memset.LIBCMT ref: 006F76F9

_memmove.LIBCMT ref: 006F6C09
_memset.LIBCMT ref: 006F6C16
LeaveCriticalSection.KERNEL32(?), ref: 006F6C26

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c8904b0cd9d811693be894f02fd8090b04aec19899d1059f2a3619ff1793dd3d
Instruction ID: c4f933b25b605df6d97ad38b0894d3eb9688e189ebdbc82d0004b958f7c12335
Opcode Fuzzy Hash: c8904b0cd9d811693be894f02fd8090b04aec19899d1059f2a3619ff1793dd3d
Instruction Fuzzy Hash: 54F03A7A200104ABCF416F55DC85A8ABB2AEF45321B04C0A5FE089E266C735E851CBB8

Function 00692218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00692231
SetTextColor.GDI32(?,000000FF), ref: 0069223B
SetBkMode.GDI32(?,00000001), ref: 00692250
GetStockObject.GDI32(00000005), ref: 00692258
GetWindowDC.USER32(?,00000000), ref: 006CBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 006CBE90
GetPixel.GDI32(00000000,?,00000000), ref: 006CBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 006CBEC2
GetPixel.GDI32(00000000,?,?), ref: 006CBEE2
ReleaseDC.USER32(?,00000000), ref: 006CBEED

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f28c55eabf4c516a3132085dfe21a076a580ab7bfda4e7674d84eb53be25ccc6
Instruction ID: b2521d9683128116387c45d30b384dc401663771b5120047e1ab7b61060612ae
Opcode Fuzzy Hash: f28c55eabf4c516a3132085dfe21a076a580ab7bfda4e7674d84eb53be25ccc6
Instruction Fuzzy Hash: 93E03932144248FADF215FA8FC0DBE83B12EB05332F10C36AFA69880E1C7754990EB12

Function 006E8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006E871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006E82E6), ref: 006E8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E82E6), ref: 006E872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006E82E6), ref: 006E8736

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
Instruction ID: 916b4921ba3a832865cb40d184cd275d40301619cb00518f2711c08a5d401669
Opcode Fuzzy Hash: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
Instruction Fuzzy Hash: DAE04F366123119FDB205FB55D0CBDA3BA8EF54791F15C828E649CA090DA3884428754

Function 00696240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%r, xrefs: 0069624E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID:
String ID: %r
API String ID: 0-2999538795
Opcode ID: 0ae4fa7075a1ab6df4b07a88fe28f0698fd7c6b7f6821dbd248f4ef20b13b43c
Instruction ID: b13af2218a1cd67bd75b3332d5a1c918cefd86f36d4916b971011878357077aa
Opcode Fuzzy Hash: 0ae4fa7075a1ab6df4b07a88fe28f0698fd7c6b7f6821dbd248f4ef20b13b43c
Instruction Fuzzy Hash: 14B180719002099ACF15EF94C485AFEB7BFFF44710F10802AF516ABA91DB349E86CB95

Function 0070AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0070AFAE

Strings

xbu, xrefs: 0070B010
xbu, xrefs: 0070AFE4

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: __itow_s
String ID: xbu$xbu
API String ID: 3653519197-888344011
Opcode ID: 475afe96c8b50650e2f23c7497e9fbcca6e233effeedf7ad1119c143bff2651f
Instruction ID: b886a031ac0db30d64aec558ee6022d60f03f72dd9315f3dc810e9117e9abe65
Opcode Fuzzy Hash: 475afe96c8b50650e2f23c7497e9fbcca6e233effeedf7ad1119c143bff2651f
Instruction Fuzzy Hash: E0B16D70A0020AEBCF14DF54C891EAABBFAFF58310F148159F9459B291EB74EA41CB64

Function 006FAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

__wcsnicmp.LIBCMT ref: 006FB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006FB0F6

Strings

LPT, xrefs: 006FB027

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: dfeff488a4f22fe2590ae7aca444b3f207f8b913b35d36653bf2e6617f968edb
Instruction ID: 477523e172bf8f3a3ae930306525871e239b967d42d25cb82288c3ee8ce827fb
Opcode Fuzzy Hash: dfeff488a4f22fe2590ae7aca444b3f207f8b913b35d36653bf2e6617f968edb
Instruction Fuzzy Hash: 5C617075A00219AFCB14DF98C891EFEB7BAEB09310F10416DF916AB351DB70AE81CB55

Function 006A2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006A2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 006A2981

Strings

@, xrefs: 006A2975

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 503f429636b11a3f5e153709cf8308a0a2e3b7f3499e4b129f014e4f8dc453dd
Instruction ID: 2d009bf9c9b4716e12eb81314afea6900efc3cabe21818d32a006e41f6737a8b
Opcode Fuzzy Hash: 503f429636b11a3f5e153709cf8308a0a2e3b7f3499e4b129f014e4f8dc453dd
Instruction Fuzzy Hash: EC5159714187449FDB60EF14D885BAFB7ECFB85340F41885DF2D8810A1EB309929CB6A

Function 006F9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00694F0B: __fread_nolock.LIBCMT ref: 00694F29

_wcscmp.LIBCMT ref: 006F9824
_wcscmp.LIBCMT ref: 006F9837

Strings

FILE, xrefs: 006F9770

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5cc39ef7cd7bfc8e83f1fb5a029ff4900b6044e62a84c0b09bf6370aecb2d58d
Instruction ID: 617cf7e2c166d74e3b039cf2f793b7385cafcbf3dee706506f6de02b91817b07
Opcode Fuzzy Hash: 5cc39ef7cd7bfc8e83f1fb5a029ff4900b6044e62a84c0b09bf6370aecb2d58d
Instruction Fuzzy Hash: 8841A871A0021EBADF659AA4CC85FEFB7BEDF85710F00047DFA04A7181DA7199058B65

Function 006D0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006D057F

Strings

Ddu, xrefs: 0069A317
Ddu, xrefs: 0069A151

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClearVariant
String ID: Ddu$Ddu
API String ID: 1473721057-4131560066
Opcode ID: a8b69dc1a4df87c0c95df840e22aa14f1c322d775f67f1c34a7d81d7f17e6cbc
Instruction ID: a5d35257765c3cc5dba0c99e4e10b48304891da7a050d14aa929603e0177d916
Opcode Fuzzy Hash: a8b69dc1a4df87c0c95df840e22aa14f1c322d775f67f1c34a7d81d7f17e6cbc
Instruction Fuzzy Hash: 46512478A083418FDB54CF58C580AAABBF6FB99754F54881DE8858B720D331EC81CF82

Function 0070258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007025D4

Strings

|, xrefs: 007025A5

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5bfbea10db7db9b1baa5139352b6a1c4e4d7aa821fe671c4a48e0d87d95ab4ab
Instruction ID: 14de2470f1696b23aa25a0ed3e35938356f521a0b22a60d90d184ec243da6d66
Opcode Fuzzy Hash: 5bfbea10db7db9b1baa5139352b6a1c4e4d7aa821fe671c4a48e0d87d95ab4ab
Instruction Fuzzy Hash: FD313A71810119EBCF41EFA0CC89EEEBFBAFF08310F100159F915AA162EB355956DB64

Function 00717A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00717B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00717B76

Strings

', xrefs: 00717ACA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 47216c6340d8089ec0e1a8096a7324db5037d275264bc1ff485660b056e2f0dd
Instruction ID: dead9369ce0f697828f51896eea14335e6a0274139cfb4aabd156c058dbd051d
Opcode Fuzzy Hash: 47216c6340d8089ec0e1a8096a7324db5037d275264bc1ff485660b056e2f0dd
Instruction Fuzzy Hash: 3A410874A0930A9FDB14CF68C891BDABBB5FF08300F10416AE905AB391D774AA91CF90

Function 00716A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00716B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00716B53

Strings

static, xrefs: 00716AB3

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8664f75e3843e95ac24914b4399d7d49743bfa0576a3c50ac35a954b21dd5742
Instruction ID: 4057577c72777f2a43528d0180b47e3501c984df1494b4d37176c7151359af3d
Opcode Fuzzy Hash: 8664f75e3843e95ac24914b4399d7d49743bfa0576a3c50ac35a954b21dd5742
Instruction Fuzzy Hash: 7A316BB1200604AEDB109F68DC81AFB77A9FF48760F10C61DF9A9D7190DA39AC91CB64

Function 006F28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006F294C

Strings

0, xrefs: 006F290A

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8f686a48ae21cf6db0bf29a5d3eb62ae1b97b39977e9988d3605806757f35bda
Instruction ID: 636d3409c934f7ce2f84f88b07815c5293de7c640a94128d3ce39002973c55f8
Opcode Fuzzy Hash: 8f686a48ae21cf6db0bf29a5d3eb62ae1b97b39977e9988d3605806757f35bda
Instruction Fuzzy Hash: BD31C331A0030E9FEB24CF99C895BFEBBB6EF45350F144029EA95A72A0D7B09944CF51

Function 007166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00716761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0071676C

Strings

Combobox, xrefs: 0071672E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 569beb44ee4781aaafcaa77acd30d093dc3e4d1411358b74347f5c676150a74a
Instruction ID: b6b78555ffd5037314e956d8e70fb6b5d111deb34b6514a03832886ad91da88e
Opcode Fuzzy Hash: 569beb44ee4781aaafcaa77acd30d093dc3e4d1411358b74347f5c676150a74a
Instruction Fuzzy Hash: DD118275300209AFEF11DF58DC81EFB376EEB493A8F104529F914972D0D6799C9187A0

Function 00716C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

GetWindowRect.USER32(00000000,?), ref: 00716C71
GetSysColor.USER32(00000012), ref: 00716C8B

Strings

static, xrefs: 00716C4E

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 305e60b922bd9a03403802a1923165410e751f6891079b02df69bd4f0871224c
Instruction ID: 75976a7818bd5c59de92e64993aba173dcb67cd4d3b867e912121751cbe936fc
Opcode Fuzzy Hash: 305e60b922bd9a03403802a1923165410e751f6891079b02df69bd4f0871224c
Instruction Fuzzy Hash: 2221FC72510209AFDF04DFA8CC45AFA7BA9FB08715F104529F955D2290E639E851DB60

Function 00716920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007169B1

Strings

edit, xrefs: 00716986

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8f95b888b04aaaa634a6e3440d8474a7a82f59eaf325c453c9e97c1e566d97e9
Instruction ID: 57c5446605b86ecb4077cf531158b0e122fe291b2c41a78d25d5f40275e9ead4
Opcode Fuzzy Hash: 8f95b888b04aaaa634a6e3440d8474a7a82f59eaf325c453c9e97c1e566d97e9
Instruction Fuzzy Hash: 92114F71510204ABEF108F78DC45AEB376AEF053B4F508728F9A5971E0C779EC919B60

Function 006F29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006F2A41

Strings

0, xrefs: 006F2A18

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5d26c006013370fd58646daf7a46c1b34c44b825025eae9fe19b94753fa38eab
Instruction ID: 09618357b408570f523c4e197214142d35f3ec92040e2ce5715542f4fe3f1fb8
Opcode Fuzzy Hash: 5d26c006013370fd58646daf7a46c1b34c44b825025eae9fe19b94753fa38eab
Instruction Fuzzy Hash: 9511D03291121EABCB30DA9CD865BFA77BAAB45300F048021EA55E7390D774AD0ACB95

Function 007021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0070222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00702255

Strings

<local>, xrefs: 0070221D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dc5e145151c65bc9b5395c75d9d79be064d0f9ba5f201e47d9ce902ad455af16
Instruction ID: f291391c534d83e0bf717d37bc261486fce1b429fcacd20c1dbfe11fecd97fcb
Opcode Fuzzy Hash: dc5e145151c65bc9b5395c75d9d79be064d0f9ba5f201e47d9ce902ad455af16
Instruction Fuzzy Hash: DF11E072541225FADB248F91CC89EFBFBE8FF16751F10832AFA0486081D2785896D6F0

Function 006A092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C14,007552F8,?,?,?), ref: 006A096E

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_wcscat.LIBCMT ref: 006D4CB7

Strings

Su, xrefs: 006A09AE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Su
API String ID: 257928180-1439178680
Opcode ID: f36ab44981d5c0afb02533e261094b75473bc04a842cdb119db5e71fa89e7c9c
Instruction ID: 0f4589e4c45fe15c6f4d73598f46d7a21df07b23407af7ff1265849efa7cbd60
Opcode Fuzzy Hash: f36ab44981d5c0afb02533e261094b75473bc04a842cdb119db5e71fa89e7c9c
Instruction Fuzzy Hash: 0711A9309052099B9F80FB64C815EDE73FAEF09351B0054A9F948D7285DAB4AB844B15

Function 006E8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006E8E73

Strings

ComboBox, xrefs: 006E8E12
ListBox, xrefs: 006E8E3D

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f9fa1643639c7a6332e32adb039eeb36fa51e0bd4dd1972f372489c84dae7b19
Instruction ID: 43e376c7ff0ab62cbe3dc24fbca1aa9863fb917ac57ca20ab08307b36e1662b1
Opcode Fuzzy Hash: f9fa1643639c7a6332e32adb039eeb36fa51e0bd4dd1972f372489c84dae7b19
Instruction Fuzzy Hash: A201F1B1602358AB9F15EBA5CC469FE736EAF05320B040A1DF826672E1DF355808C650

Function 006E8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 006E8D6B

Strings

ComboBox, xrefs: 006E8D0A
ListBox, xrefs: 006E8D35

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 262cdaece8b267518722becc46c5eea29387c251fb05977856644759702dc44c
Instruction ID: 9af2d59cf1025c444fc53d2994cd794ad9a84597d0921a3a4db9e38553da7381
Opcode Fuzzy Hash: 262cdaece8b267518722becc46c5eea29387c251fb05977856644759702dc44c
Instruction Fuzzy Hash: 6201D4B1A42208ABDF15EBE1CD56AFE73AE9F15300F100029B806632D1DE155E08D275

Function 006E8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 006E8DEE

Strings

ComboBox, xrefs: 006E8D8F
ListBox, xrefs: 006E8DBA

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0e705ab8167dc496ef407df1b002aaaf7fe411678bda6bbcab033558ac48f9e8
Instruction ID: d0a29b38fbbbc71113e14fe072f6ca462c58f06dd449a4c562072d33d5da1e81
Opcode Fuzzy Hash: 0e705ab8167dc496ef407df1b002aaaf7fe411678bda6bbcab033558ac48f9e8
Instruction Fuzzy Hash: B301F7B1A42248ABDF15E6A5CD42AFE73AE8F15300F104019F806A32D1DE155E08D275

Function 006EC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006EC534

Part of subcall function 006EC816: _memmove.LIBCMT ref: 006EC860
Part of subcall function 006EC816: VariantInit.OLEAUT32(00000000), ref: 006EC882
Part of subcall function 006EC816: VariantCopy.OLEAUT32(00000000,?), ref: 006EC88C

VariantClear.OLEAUT32(?), ref: 006EC556

Strings

d}t, xrefs: 006EC517

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}t
API String ID: 2932060187-2103838832
Opcode ID: af5fbf8599f2c744cac2209cee57390f080991a6a251f41d13e780452e3bd98e
Instruction ID: 8e778d0d777d3b541acdf5aebe187301811005ca9d6249e27f2748a2e641273a
Opcode Fuzzy Hash: af5fbf8599f2c744cac2209cee57390f080991a6a251f41d13e780452e3bd98e
Instruction Fuzzy Hash: 011100719007089FCB10DF9AD88489AF7F8FF08310B50862EE58AD7651E771AA45CF94

Function 006F4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006F4F46
_wcscmp.LIBCMT ref: 006F4F58

Strings

#32770, xrefs: 006F4F52

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 3f340aac350ecc35a93d7959622ab032bca567c448c514b5726b6d41a78e6510
Instruction ID: d7cefe37e6e70902bfb6e3f8e39c7739ee6d11930e4908f495e64ada02c07068
Opcode Fuzzy Hash: 3f340aac350ecc35a93d7959622ab032bca567c448c514b5726b6d41a78e6510
Instruction Fuzzy Hash: 55E0227260022C2AD320AA99AC09BE7F7ACEB81B20F00002AFD04D3180EA609A5187E4

Function 006CB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006CB314: _memset.LIBCMT ref: 006CB321

Part of subcall function 006B0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006CB2F0,?,?,?,0069100A), ref: 006B0945

IsDebuggerPresent.KERNEL32(?,?,?,0069100A), ref: 006CB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0069100A), ref: 006CB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006CB2FE

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c813ccdb4eccc7efcf79fea5dbd59714df43f1f0ccbff1c6e29b33679fe1d10e
Instruction ID: 4f0d2c2adba88511a4efab4770b44735299bbbf57716d5cfddb9c8a47b07a730
Opcode Fuzzy Hash: c813ccdb4eccc7efcf79fea5dbd59714df43f1f0ccbff1c6e29b33679fe1d10e
Instruction Fuzzy Hash: 31E06DB02007808FE760EF28E4097967AE8FF00304F04CA6CE45AC7642EBB8E444CBA1

Function 006E7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006E7C82

Part of subcall function 006B3358: _doexit.LIBCMT ref: 006B3362

Strings

AutoIt, xrefs: 006E7C76
Error allocating memory., xrefs: 006E7C7B

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 80246036bd4aafd76c35d4d79c831d9f491380e89f7189be4751371cd941c1e9
Instruction ID: 89fb24336a54c5b6350eb54631a5c1890b4b76fc5ee125e04aa90f3edb2b4765
Opcode Fuzzy Hash: 80246036bd4aafd76c35d4d79c831d9f491380e89f7189be4751371cd941c1e9
Instruction Fuzzy Hash: 05D0C2723C436836D15532A9AC06FCA29894B15B56F004019FB04595D34AD585C142EC

Function 006D1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 006D1775

Part of subcall function 0070BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,006D195E,?), ref: 0070BFFE
Part of subcall function 0070BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 006D196D

Strings

WIN_XPe, xrefs: 006D1788

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: c2cb29e2c03458fb8b8cc8bb820a3e1acf30675bc446dd0e17f2cfdcdff3bb94
Instruction ID: 1f9eae8d15fe540949d132d27c39cf46d92e9149ab67d2a6246cbfffbedfec66
Opcode Fuzzy Hash: c2cb29e2c03458fb8b8cc8bb820a3e1acf30675bc446dd0e17f2cfdcdff3bb94
Instruction Fuzzy Hash: 89F0C970C04109EFDB15DB95C988AECBBF9BB09301F544096E102A72A1D7B55F85DF64

Function 00715964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00715981

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Strings

Shell_TrayWnd, xrefs: 00715967

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: da5847e0ea525442600f47ed305010fefcbe6e6cad774b33452a7c898370e523
Instruction ID: 1c0cdf975f776e0b640778eeb9d582b7747b12b506403f0c99a017a827248e3d
Opcode Fuzzy Hash: da5847e0ea525442600f47ed305010fefcbe6e6cad774b33452a7c898370e523
Instruction Fuzzy Hash: 6ED01231784715BBE7A4BB749C0FFE7AA15BF00B50F008839F34EAA1D1C9E89810C658

Function 00715998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007159AE
PostMessageW.USER32(00000000), ref: 007159B5

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Strings

Shell_TrayWnd, xrefs: 007159A7

Memory Dump Source

Source File: 00000000.00000002.1699412074.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1699396414.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699472114.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699506284.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699519772.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_bcUcEm7AqP.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4d9dbe2683a19f432b9e6469e76a1b4adcf7434a2781b8962ba0df4a820b1b81
Instruction ID: a69a987a50df52c842f9a5fd51c4d68a5a984f2c3c2ff23e84a7ea0e5f424e5f
Opcode Fuzzy Hash: 4d9dbe2683a19f432b9e6469e76a1b4adcf7434a2781b8962ba0df4a820b1b81
Instruction Fuzzy Hash: 61D0C9317807157AE6A4AB749C0BFD6A615BB04B50F008829F34AAA1D1C9E8A810C658

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bcUcEm7AqP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\aut2827.tmp

C:\Users\user\AppData\Local\Temp\autDB6F.tmp

C:\Users\user\AppData\Local\Temp\autE9F5.tmp

C:\Users\user\AppData\Local\Temp\bezzo

C:\Users\user\AppData\Local\undiscernibleness\tabulations.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs

Static File Info

General

File Icon

Windows Analysis Report
bcUcEm7AqP.exe

Function 00693B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00694E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 006F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00693015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00693041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0069708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00693633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00693A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00693766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0069F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre