Edit tour

Windows Analysis Report
W7ZBbzV7A5.exe

Overview

General Information

Sample name:	W7ZBbzV7A5.exe renamed because original name is a hash value
Original sample name:	0064e7befb41f52b9f050e06bd6bbeecfbdfaf18d3fbd3ab3678417a8a82a462.exe
Analysis ID:	1571791
MD5:	fdf35b2e3e30f50b6cff5c52e12cd613
SHA1:	cc10e3aead57db26ae8a15b4ae881a1715ba9a29
SHA256:	0064e7befb41f52b9f050e06bd6bbeecfbdfaf18d3fbd3ab3678417a8a82a462
Tags:	185-215-113-17exeRedLineStealeruser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Evader

AI detected suspicious sample

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

Sample or dropped binary is a compiled AutoHotkey binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (foreground window change detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara signature match

Classification

Process Tree

System is w10x64

W7ZBbzV7A5.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\W7ZBbzV7A5.exe" MD5: FDF35B2E3E30F50B6CFF5C52E12CD613)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Evader	Yara detected Evader	Joe Security
00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xe08:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: W7ZBbzV7A5.exe PID: 7736	JoeSecurity_Evader	Yara detected Evader	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.W7ZBbzV7A5.exe.400000.0.unpack	JoeSecurity_Evader	Yara detected Evader	Joe Security
0.2.W7ZBbzV7A5.exe.400000.0.unpack	MALWARE_Win_RedLineDropperAHK	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer	ditekSHen	0xcc4cb:$s1: .SetRequestHeader("User-Agent"," ( " OSName " \| " bit " \| " CPUNAme "" 0xcbde5:$s2: := " \| Windows Defender" 0xabda8:$s3: WindowSpy.ahk 0xabe02:$s3: WindowSpy.ahk 0xa70d0:$s4: >AUTOHOTKEY SCRIPT< 0xc7032:$s4: >AUTOHOTKEY SCRIPT<

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T17:45:13.813721+0100	2028371	3	Unknown Traffic	192.168.2.9	49732	104.26.3.46	443	TCP

ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T17:45:14.619063+0100	2030163	1	Malware Command and Control Activity Detected	192.168.2.9	49732	104.26.3.46	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: W7ZBbzV7A5.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: W7ZBbzV7A5.exe

ReversingLabs: Detection: 96%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: W7ZBbzV7A5.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Unpacked PE file: 0.2.W7ZBbzV7A5.exe.400000.0.unpack

Source: W7ZBbzV7A5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.26.3.46:443 -> 192.168.2.9:49732 version: TLS 1.2

Source:	Binary string: C:\dagomoxi_helefacejapi\kol\vujixemag\zapotesahus.pdb source: W7ZBbzV7A5.exe
Source:	Binary string: "C:\dagomoxi_helefacejapi\kol\vujixemag\zapotesahus.pdb source: W7ZBbzV7A5.exe

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004770E0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004770E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00477170 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00477170
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00444070 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_00444070
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004443B0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_004443B0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004558D0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_004558D0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00472A90 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_00472A90
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00454C60 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_00454C60
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00443D90 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_00443D90
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00455E40 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00455E40
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0042DF00 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042DF00
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02187330 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_02187330
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021873C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_021873C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02154600 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_02154600
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02164EB0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_02164EB0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02182CE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,CloseHandle,	0_2_02182CE0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2030163 - Severity 1 - ET MALWARE AutoHotkey Downloader Checkin via IPLogger : 192.168.2.9:49732 -> 104.26.3.46:443

Source: Joe Sandbox View

IP Address: 104.26.3.46 104.26.3.46

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

DNS query: name: iplogger.org

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49732 -> 104.26.3.46:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004545D0 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,

0_2_004545D0

Source: global traffic

HTTP traffic detected: GET /1jhxh7 HTTP/1.1Cache-Control: no-cache, no-storeConnection: Keep-AlivePragma: no-cacheAccept: */*If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMTUser-Agent: ( Windows 10 Enterprise | x64 | Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz | Windows Defender | Chrome )Host: iplogger.org

Source: global traffic	DNS traffic detected: DNS query: iplogger.org
Source: global traffic	DNS traffic detected: DNS query: nailedpizza.top

Source: W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000649000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/C
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.000000000295E000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exe
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exe%
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.000000000295E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exe:
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exeL
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exeW
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627673551.00000000023B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exeedspolishpp.exe?
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nailedpizza.top/bestof/mixx.exev
Source: W7ZBbzV7A5.exe, W7ZBbzV7A5.exe, 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.00000000021E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://autohotkey.com
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.00000000021E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://autohotkey.comCould
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627279381.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627673551.00000000023B0000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://iplogger.org/1jhxh7
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627279381.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1jhxh78
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org:443/1jhxh7v

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.26.3.46:443 -> 192.168.2.9:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00409200 SetWindowsHookExW 0000000D,Function_00004BF0,00400000,00000000

0_2_00409200

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00404990 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

0_2_00404990

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00479220 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,	0_2_00479220
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004046C0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,	0_2_004046C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02114910 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalFree,CloseClipboard,SetClipboardData,CloseClipboard,	0_2_02114910
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02189470 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,	0_2_02189470

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00404890 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_00404890

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_0043A490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,

0_2_0043A490

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,

0_2_0040F250

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	0_2_004013F4
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040F250 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040F250
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040F686 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_0040F686
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00412B00 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_00412B00

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.W7ZBbzV7A5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AutoIt/AutoHotKey executables dropping RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Window found: window name: AutoHotkey

Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0214B9D0 RegisterClipboardFormatW,ShowWindow,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW,		0_2_0214B9D0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021785C0 _memset,DragQueryPoint,ClientToScreen,EnumChildWindows,GetDlgCtrlID,PostMessageW,DragFinish,PostMessageW,NtdllDialogWndProc_W,		0_2_021785C0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00440560: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00440560

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00455EB0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00455EB0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004013F4	0_2_004013F4
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00408140	0_2_00408140
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004201C0	0_2_004201C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040F250	0_2_0040F250
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00442260	0_2_00442260
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00492262	0_2_00492262
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0048E2B0	0_2_0048E2B0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004183E0	0_2_004183E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00482405	0_2_00482405
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0041C430	0_2_0041C430
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0043A490	0_2_0043A490
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0048949E	0_2_0048949E
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040C530	0_2_0040C530
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0049D58D	0_2_0049D58D
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00482675	0_2_00482675
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00484620	0_2_00484620
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004966C5	0_2_004966C5
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004996AF	0_2_004996AF
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040D770	0_2_0040D770
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004147F1	0_2_004147F1
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004147F0	0_2_004147F0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00432AC0	0_2_00432AC0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00481AFB	0_2_00481AFB
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00475BB0	0_2_00475BB0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00499C00	0_2_00499C00
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0049ECD0	0_2_0049ECD0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0049AD4C	0_2_0049AD4C
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0045FE30	0_2_0045FE30
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0049CEB1	0_2_0049CEB1
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00447F40	0_2_00447F40
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0040BF10	0_2_0040BF10
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0047EF10	0_2_0047EF10
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00404F20	0_2_00404F20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0042EF90	0_2_0042EF90
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02124A40	0_2_02124A40
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02124A41	0_2_02124A41
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02194870	0_2_02194870
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A98FF	0_2_021A98FF
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021AD101	0_2_021AD101
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0211D9C0	0_2_0211D9C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02185E00	0_2_02185E00
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A9E50	0_2_021A9E50
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0214A6E0	0_2_0214A6E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021AAF9C	0_2_021AAF9C
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02130410	0_2_02130410
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02169C10	0_2_02169C10
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A24B2	0_2_021A24B2
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0219E500	0_2_0219E500

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 00476360 appears 73 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 00430370 appears 78 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 0049AF30 appears 44 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 00430620 appears 262 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 0048FE1D appears 53 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 0048FC19 appears 346 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 00476400 appears 50 times
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: String function: 00494550 appears 33 times

Source: W7ZBbzV7A5.exe, 00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs W7ZBbzV7A5.exe
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs W7ZBbzV7A5.exe
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs W7ZBbzV7A5.exe

Source: W7ZBbzV7A5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.W7ZBbzV7A5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLineDropperAHK author = ditekSHen, description = Detects AutoIt/AutoHotKey executables dropping RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLineDropper-AHK
Source: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: W7ZBbzV7A5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00431310 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_00431310

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00455EB0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00455EB0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00440200 _wcsncpy,GetDiskFreeSpaceExW,

0_2_00440200

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004560C0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

0_2_004560C0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00456430 CLSIDFromString,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoCreateInstance,

0_2_00456430

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004781C0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

0_2_004781C0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

File created: C:\Users\user\AppData\Roaming\nailedp

Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: /restart	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: /force	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: /ErrorStdOut	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: A_Args	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: A_Args	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: AutoHotkey	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: AutoHotkey	0_2_00403D20
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Command line argument: Clipboard	0_2_00403D20

Source: W7ZBbzV7A5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: W7ZBbzV7A5.exe

ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: W7ZBbzV7A5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\dagomoxi_helefacejapi\kol\vujixemag\zapotesahus.pdb source: W7ZBbzV7A5.exe
Source:	Binary string: "C:\dagomoxi_helefacejapi\kol\vujixemag\zapotesahus.pdb source: W7ZBbzV7A5.exe

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Unpacked PE file: 0.2.W7ZBbzV7A5.exe.400000.0.unpack

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_0046A020 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_0046A020

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00494595 push ecx; ret	0_2_004945A8
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0056F627 push ecx; ret	0_2_0056F628
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_005718D2 push edx; ret	0_2_005718ED
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0056E9E3 push es; ret	0_2_0056EA12
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0211CEC4 push esi; retf 0040h	0_2_0211CEC5
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A47E5 push ecx; ret	0_2_021A47F8

Source: W7ZBbzV7A5.exe

Static PE information: section name: .text entropy: 7.830965994043891

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004630C0 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	0_2_004630C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0047A090 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_0047A090
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0047A1D0 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_0047A1D0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00439180 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	0_2_00439180
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0046A240 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_0046A240
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004663F0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_004663F0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004663F0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_004663F0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0043D4F0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	0_2_0043D4F0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0043A490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_0043A490
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0043C660 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	0_2_0043C660
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00477760 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00477760
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004777C0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_004777C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0043ACA0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_0043ACA0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00452E00 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	0_2_00452E00
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0045FE30 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	0_2_0045FE30
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02187A10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_02187A10
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021879B0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_021879B0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0214AEF0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyCursor,DeleteObject,GetIconInfo,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_0214AEF0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0214A6E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_0214A6E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0214D740 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,_memset,GetClassNameW,	0_2_0214D740
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0218A420 GetForegroundWindow,IsIconic,ShowWindow,AttachThreadInput,AttachThreadInput,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_0218A420
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0217A490 GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,SetFocus,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,	0_2_0217A490

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: SetTimer,GetMessageW,GetFocus,TranslateAcceleratorW,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,GetFocus,GetClassNameW,__wcsicoll,__wcsicoll,PeekMessageW,Sleep,Sleep,Sleep,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,GetTickCount,DragFinish,DragFinish,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,

0_2_021116EB

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Window / User API: foregroundWindowGot 891

Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

API coverage: 1.8 %

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00413B80 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 00413C6Fh country: Russian (ru)	0_2_00413B80
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00406DD0 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 00406F90h	0_2_00406DD0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02117020 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 021171E0h	0_2_02117020
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02123DD0 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 02123EBFh country: Russian (ru)	0_2_02123DD0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004770E0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004770E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00477170 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00477170
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00444070 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_00444070
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004443B0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_004443B0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004558D0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_004558D0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00472A90 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_00472A90
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00454C60 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_00454C60
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00443D90 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_00443D90
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00455E40 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00455E40
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0042DF00 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042DF00
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02187330 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_02187330
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021873C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_021873C0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02154600 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_02154600
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02164EB0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_02164EB0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02182CE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,CloseHandle,	0_2_02182CE0

Source: W7ZBbzV7A5.exe, 00000000.00000002.2627279381.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1480525173.0000000000649000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000649000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

0_2_0040F250

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004966B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004966B6

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_0046A020 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_0046A020

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0056C713 push dword ptr fs:[00000030h]	0_2_0056C713
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_0211092B mov eax, dword ptr fs:[00000030h]	0_2_0211092B
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_02110D90 mov eax, dword ptr fs:[00000030h]	0_2_02110D90

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_0049C54E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0049C54E

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004981F2 SetUnhandledExceptionFilter,	0_2_004981F2
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004966B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004966B6
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00493AA5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00493AA5
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A6906 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_021A6906
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_021A3CF5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_021A3CF5

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

0_2_00431310

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00412300 keybd_event,

0_2_00412300

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004122A0 mouse_event,

0_2_004122A0

Source: W7ZBbzV7A5.exe	Binary or memory string: Program Manager
Source: W7ZBbzV7A5.exe	Binary or memory string: Shell_TrayWnd
Source: W7ZBbzV7A5.exe	Binary or memory string: Progman
Source: W7ZBbzV7A5.exe, 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Language, Device and Operating System Detection

Yara detected Evader

Source: Yara match	File source: 0.2.W7ZBbzV7A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W7ZBbzV7A5.exe PID: 7736, type: MEMORYSTR

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_004760E0 SystemTimeToFileTime,SystemTimeToFileTime,GetSystemTimeAsFileTime,FileTimeToLocalFileTime,SystemTimeToFileTime,GetSystemTimeAsFileTime,FileTimeToLocalFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_004760E0

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00445C20 GetComputerNameW,GetUserNameW,

0_2_00445C20

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Code function: 0_2_00414971 GetModuleHandleW,GetProcAddress,GetVersionExW,__snwprintf,

0_2_00414971

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: W7ZBbzV7A5.exe	Binary or memory string: WIN_XP
Source: W7ZBbzV7A5.exe, 00000000.00000003.1438415452.00000000021E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.02\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: W7ZBbzV7A5.exe	Binary or memory string: WIN_VISTA
Source: W7ZBbzV7A5.exe	Binary or memory string: WIN_7
Source: W7ZBbzV7A5.exe	Binary or memory string: WIN_8
Source: W7ZBbzV7A5.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_004175E0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		0_2_004175E0
Source: C:\Users\user\Desktop\W7ZBbzV7A5.exe	Code function: 0_2_00416D40 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,		0_2_00416D40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	12 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
W7ZBbzV7A5.exe	96%	ReversingLabs	Win32.Trojan.AZORult
W7ZBbzV7A5.exe	100%	Avira	TR/Crypt.ZPACK.Gen
W7ZBbzV7A5.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nailedpizza.top/bestof/mixx.exeedspolishpp.exe?	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exe%	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exeW	0%	Avira URL Cloud	safe
http://nailedpizza.top/	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exe	0%	Avira URL Cloud	safe
http://nailedpizza.top/C	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exev	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exeL	0%	Avira URL Cloud	safe
http://nailedpizza.top/bestof/mixx.exe:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
iplogger.org	104.26.3.46	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
nailedpizza.top	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1jhxh7	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nailedpizza.top/bestof/mixx.exeedspolishpp.exe?	W7ZBbzV7A5.exe, 00000000.00000002.2627673551.00000000023B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/bestof/mixx.exeW	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autohotkey.com	W7ZBbzV7A5.exe, W7ZBbzV7A5.exe, 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.00000000021E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nailedpizza.top/bestof/mixx.exev	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/bestof/mixx.exe:	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.000000000295E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/	W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000649000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/bestof/mixx.exe	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627841624.000000000295E000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/C	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/	W7ZBbzV7A5.exe, 00000000.00000002.2627279381.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org:443/1jhxh7v	W7ZBbzV7A5.exe, 00000000.00000002.2627279381.0000000000613000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nailedpizza.top/bestof/mixx.exe%	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002920000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nailedpizza.top/bestof/mixx.exeL	W7ZBbzV7A5.exe, 00000000.00000002.2627841624.0000000002950000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autohotkey.comCould	W7ZBbzV7A5.exe, 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, W7ZBbzV7A5.exe, 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, W7ZBbzV7A5.exe, 00000000.00000003.1438415452.00000000021E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://iplogger.org/1jhxh78	W7ZBbzV7A5.exe, 00000000.00000002.2627279381.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.3.46	iplogger.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571791
Start date and time:	2024-12-09 17:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	W7ZBbzV7A5.exe renamed because original name is a hash value
Original Sample Name:	0064e7befb41f52b9f050e06bd6bbeecfbdfaf18d3fbd3ab3678417a8a82a462.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@1/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: W7ZBbzV7A5.exe

Simulations

Behavior and APIs

Time	Type	Description
11:45:09	API Interceptor	602x Sleep call for process: W7ZBbzV7A5.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.3.46	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse
	SecuriteInfo.com.Trojan.DownLoaderNET.786.26034.14743.exe	Get hash	malicious	Unknown	Browse
	kqS23MOytx.exe	Get hash	malicious	Socks5Systemz, Stealc, Vidar, XWorm, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://maya-lopez.filemail.com/t/BLFGBJSQ	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	13.107.246.63
	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	cwqqRXEhZb.msi	Get hash	malicious	Unknown	Browse	13.107.246.63
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	13.107.246.63
	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
iplogger.org	care.rtf	Get hash	malicious	Unknown	Browse	172.67.74.161
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	104.26.3.46
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	104.26.3.46
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.26.2.46
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.74.161
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	172.67.74.161
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	104.26.2.46
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	104.26.3.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://maya-lopez.filemail.com/t/BLFGBJSQ	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	BPzptjK1aF.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.139.78
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.16.9
	file.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://mpleho.com/wd/	Get hash	malicious	Phisher	Browse	104.21.56.67
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	BPzptjK1aF.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.46
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.46
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.46
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.46
	List of required items pdf.vbs	Get hash	malicious	GuLoader	Browse	104.26.3.46
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader	Browse	104.26.3.46

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.470632646045231
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	W7ZBbzV7A5.exe
File size:	754'688 bytes
MD5:	fdf35b2e3e30f50b6cff5c52e12cd613
SHA1:	cc10e3aead57db26ae8a15b4ae881a1715ba9a29
SHA256:	0064e7befb41f52b9f050e06bd6bbeecfbdfaf18d3fbd3ab3678417a8a82a462
SHA512:	6cab175f0970787e37890d665252406bdc52fbe6edc18987b052b99ac9559033f33b76d830c0a2e4ad198cff1de8cb2a6d4caea62b6907440fc6ff8105a84d6c
SSDEEP:	12288:hpLmR4EzqBiLusWum2OYcdWlfG1xp/jWlekdWMcjNktAVde/IetsqfEc3Fqdo3m:hg4EzqBBsnOYNUprGKYAV2Bzp3FqdoW
TLSH:	7CF4E10077A1C034F1F212F6C5BA9AB8582D7DA16F2895CF1BC42AEE56746E0AC31F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.)...z...z...z.uYz...z.ulz...z.umz...z.{Tz...z...z...z.uhz...z.u]z...z.uZz...zRich...z................PE..L...k.c^...........

File Icon


Icon Hash:	6a5c2c5e66e6f80d

Static PE Info

General

Entrypoint:	0x405180
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E639A6B [Sat Mar 7 12:58:19 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	39d2476c53e56eec83f63ff721436109

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FAE8CE6544Bh
call 00007FAE8CE5A106h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0049B300h
push 0040C7D0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [0049D110h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00491174h]
cmp dword ptr [004A6504h], 00000000h
jne 00007FAE8CE5A100h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00491170h]
call 00007FAE8CE5A283h
mov dword ptr [ebp-6Ch], eax
call 00007FAE8CE6637Bh
test eax, eax
jne 00007FAE8CE5A0FCh
push 0000001Ch
call 00007FAE8CE5A240h
add esp, 04h
call 00007FAE8CE64C48h
test eax, eax
jne 00007FAE8CE5A0FCh
push 00000010h
call 00007FAE8CE5A22Dh
add esp, 04h
push 00000001h
call 00007FAE8CE5C6D3h
add esp, 04h
call 00007FAE8CE662EBh
mov dword ptr [ebp-04h], 00000000h
call 00007FAE8CE65ECFh
test eax, eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9ba4c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x175d9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x912c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x91000	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8fdc1	0x8fe00	42d55f6c8446ba30a83690cda52a1db7	False	0.8653820047784535	data	7.830965994043891	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x91000	0xb7bc	0xb800	a51b896423c373d536b628e6a126ae73	False	0.41323454483695654	data	5.334283107335279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9d000	0xa508	0x5400	73c0a9a90dfd3dc5f3e79c561ce6b4bf	False	0.09319196428571429	Matlab v4 mat-file (little endian) _Locimp@locale@std@@, text, rows 4294967295, columns 4789908	1.1637757321404343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xa8000	0x2c5d9	0x17600	a5fc9be5d1b96e9c4a0f1dae02c632a5	False	0.5336313502673797	data	5.7007263934783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BUKOKOVOTOSO	0xa88ec	0x6f0	ASCII text, with very long lines (1776), with no line terminators	0.6137387387387387
NOCOZOLUKUSIDIGE	0xa8fdc	0x127b	ASCII text, with very long lines (4731), with no line terminators	0.5971253434791799
RT_CURSOR	0xaa258	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0xaa388	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0	0.44166666666666665
RT_CURSOR	0xaa478	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.08794559099437148
RT_ICON	0xab520	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.7316390041493775
RT_ICON	0xadac8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4229744136460554
RT_ICON	0xae970	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.6064981949458483
RT_ICON	0xaf218	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.6860599078341014
RT_ICON	0xaf8e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7601156069364162
RT_ICON	0xafe48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.5076763485477178
RT_ICON	0xb23f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.6585365853658537
RT_ICON	0xb3498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.6963114754098361
RT_ICON	0xb3e20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.8093971631205674
RT_ICON	0xb4288	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.44429637526652455
RT_ICON	0xb5130	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.5956678700361011
RT_ICON	0xb59d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6394009216589862
RT_ICON	0xb60a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.6221098265895953
RT_ICON	0xb6608	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.3039419087136929
RT_ICON	0xb8bb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.38109756097560976
RT_ICON	0xb9c58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41147540983606556
RT_ICON	0xba5e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.45478723404255317
RT_ICON	0xbaa48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5717509025270758
RT_ICON	0xbb2f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.6347926267281107
RT_ICON	0xbb9b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6365606936416185
RT_ICON	0xbbf20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.6402439024390244
RT_ICON	0xbcfc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.6196721311475409
RT_ICON	0xbd950	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6675531914893617
RT_STRING	0xbddb8	0x150	data	0.5208333333333334
RT_STRING	0xbdf08	0x506	data	0.4401244167962675
RT_STRING	0xbe410	0x24e	data	0.4847457627118644
RT_STRING	0xbe660	0x676	data	0.4274486094316808
RT_STRING	0xbecd8	0x2e	data	0.5217391304347826
RT_ACCELERATOR	0xbed08	0x50	data	0.825
RT_GROUP_CURSOR	0xbed58	0x30	data	1.0
RT_GROUP_ICON	0xbed88	0x14	data	1.15
RT_GROUP_ICON	0xbed9c	0x76	data	0.6694915254237288
RT_GROUP_ICON	0xbee14	0x76	data	0.6694915254237288
RT_GROUP_ICON	0xbee8c	0x5a	data	0.7444444444444445
RT_VERSION	0xbeee8	0x144	data	0.5925925925925926
RT_MANIFEST	0xbf02c	0x5ad	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1393), with CRLF line terminators	0.4542326221610461

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, FillConsoleOutputCharacterA, GetPrivateProfileSectionNamesW, GetFileSize, SetPriorityClass, WriteConsoleInputW, lstrlenA, GetConsoleAliasesLengthW, TlsGetValue, CommConfigDialogA, FindResourceExW, CallNamedPipeA, SetConsoleTextAttribute, ZombifyActCtx, WritePrivateProfileSectionA, SetEnvironmentVariableW, GetModuleHandleExW, SetComputerNameW, AddConsoleAliasW, CreateDirectoryExA, GetWindowsDirectoryA, EnumTimeFormatsA, WriteFile, SetProcessPriorityBoost, ActivateActCtx, ReadConsoleInputA, CopyFileW, SetVolumeMountPointA, GetVersionExW, GlobalFlags, SetConsoleMode, GetFileAttributesW, WriteConsoleW, IsDBCSLeadByte, CompareStringW, SetThreadPriority, VerifyVersionInfoW, ReleaseActCtx, SetCurrentDirectoryA, SetThreadLocale, GetStdHandle, FindFirstFileExA, GetHandleInformation, GetLastError, GetCurrentDirectoryW, GetProcAddress, GetProcessHeaps, VirtualAlloc, MoveFileW, WriteProfileSectionA, LoadLibraryA, OpenMutexA, ProcessIdToSessionId, OpenWaitableTimerW, LocalAlloc, DnsHostnameToComputerNameA, SetFileApisToANSI, AddAtomA, GlobalWire, SetConsoleCursorInfo, DebugSetProcessKillOnExit, SetConsoleTitleW, ContinueDebugEvent, FreeEnvironmentStringsW, BuildCommDCBA, CompareStringA, GetCurrentThreadId, SetProcessShutdownParameters, OpenSemaphoreW, GetVersionExA, LocalSize, FindAtomW, FindActCtxSectionStringW, ReadConsoleOutputCharacterW, OpenFileMappingA, GlobalReAlloc, GetProfileSectionW, GetVolumeInformationW, CloseHandle, CreateFileW, SetStdHandle, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, DeleteFileA, MultiByteToWideChar, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapValidate, IsBadReadPtr, RaiseException, RtlUnwind, IsProcessorFeaturePresent, GetModuleHandleW, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, TlsFree, SetLastError, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, GetStringTypeW, LoadLibraryW, SetFilePointer, GetConsoleCP, GetConsoleMode, OutputDebugStringA, OutputDebugStringW, LCMapStringW, FlushFileBuffers

USER32.dll

GetComboBoxInfo, GetMenuBarInfo

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T17:45:13.813721+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49732	104.26.3.46	443	TCP
2024-12-09T17:45:14.619063+0100	2030163	ET MALWARE AutoHotkey Downloader Checkin via IPLogger	1	192.168.2.9	49732	104.26.3.46	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:45:12.362688065 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:12.362741947 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:12.362871885 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:12.365961075 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:12.365974903 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:13.813637972 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:13.813720942 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:13.817142963 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:13.817157030 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:13.817451954 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:13.857764959 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:13.893948078 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:13.935326099 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:14.619122028 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:14.619277000 CET	443	49732	104.26.3.46	192.168.2.9
Dec 9, 2024 17:45:14.619354010 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:14.621329069 CET	49732	443	192.168.2.9	104.26.3.46
Dec 9, 2024 17:45:14.621351004 CET	443	49732	104.26.3.46	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:45:11.896359921 CET	52535	53	192.168.2.9	1.1.1.1
Dec 9, 2024 17:45:12.357064962 CET	53	52535	1.1.1.1	192.168.2.9
Dec 9, 2024 17:45:15.074098110 CET	59199	53	192.168.2.9	1.1.1.1
Dec 9, 2024 17:45:15.301760912 CET	53	59199	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 17:45:11.896359921 CET	192.168.2.9	1.1.1.1	0xc338	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:45:15.074098110 CET	192.168.2.9	1.1.1.1	0x4f39	Standard query (0)	nailedpizza.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 17:44:58.933099985 CET	1.1.1.1	192.168.2.9	0x803b	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 17:44:58.933099985 CET	1.1.1.1	192.168.2.9	0x803b	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:45:12.357064962 CET	1.1.1.1	192.168.2.9	0xc338	No error (0)	iplogger.org		104.26.3.46	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:45:12.357064962 CET	1.1.1.1	192.168.2.9	0xc338	No error (0)	iplogger.org		104.26.2.46	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:45:12.357064962 CET	1.1.1.1	192.168.2.9	0xc338	No error (0)	iplogger.org		172.67.74.161	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:45:15.301760912 CET	1.1.1.1	192.168.2.9	0x4f39	Name error (3)	nailedpizza.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

iplogger.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49732	104.26.3.46	443	7736	C:\Users\user\Desktop\W7ZBbzV7A5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 16:45:13 UTC	298	OUT	GET /1jhxh7 HTTP/1.1 Cache-Control: no-cache, no-store Connection: Keep-Alive Pragma: no-cache Accept: / If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT User-Agent: ( Windows 10 Enterprise \| x64 \| Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz \| Windows Defender \| Chrome ) Host: iplogger.org
2024-12-09 16:45:14 UTC	1240	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 16:45:14 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: 25991339137264100=3; expires=Tue, 09 Dec 2025 16:45:14 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: clhf03028ja=8.46.123.228; expires=Tue, 09 Dec 2025 16:45:14 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.629913330078125 expires: Mon, 09 Dec 2024 16:45:14 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=31536000 x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zbb4zQNSgGnydY4H%2FMPzsY%2BX%2BNnRmq1f8i2pI8W9Oof%2FB85%2BWn9cA2v7bqxDFeoDpD4hRleYpCl5%2FUIsDhXhQGgQFCV3NWVrBv9bVf9ojkiCBmfc6voJs2IFYU6F6F8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef676e30c3042b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2209&min_rtt=2200&rtt_var=844&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=912&delivery_rate=1282952&cwnd=214&unsent_bytes=0&cid=a999e55be977304b&ts=820&x=0"
2024-12-09 16:45:14 UTC	122	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-12-09 16:45:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:45:02
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\W7ZBbzV7A5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\W7ZBbzV7A5.exe"
Imagebase:	0x400000
File size:	754'688 bytes
MD5 hash:	FDF35B2E3E30F50B6CFF5C52E12CD613
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000003.1438415452.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Evader, Description: Yara detected Evader, Source: 00000000.00000002.2627434216.00000000021C1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	3%
Signature Coverage:	15%
Total number of Nodes:	998
Total number of Limit Nodes:	74

Executed Functions

Function 004013F4 Relevance: 72.8, APIs: 39, Strings: 2, Instructions: 1056windowtimeclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 0040141F
CloseClipboard.USER32 ref: 0040142B
SetTimer.USER32(000201FC,00000009,0000000A), ref: 004014D4
GetTickCount.KERNEL32 ref: 004014F9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401540
GetTickCount.KERNEL32 ref: 0040154B
GetFocus.USER32 ref: 004015E4

Strings

($, xrefs: 00401523
#32770, xrefs: 00401CC4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseFocusGlobalMessageTimerUnlock
String ID: #32770$($
API String ID: 2919891889-2076150920
Opcode ID: 051e06493d8f332dcaa3daf75cbbeb1ac6d13b62581473dc23e4a76dd9f8ddae
Instruction ID: c17640c86631ef91bf924e6f65113a71a92f21ef9af2a24d404cb9c54e7460d8
Opcode Fuzzy Hash: 051e06493d8f332dcaa3daf75cbbeb1ac6d13b62581473dc23e4a76dd9f8ddae
Instruction Fuzzy Hash: F4928F705083419FD724CF68C988B6ABBE1BB85304F18457EE885A73F1D778E845CB9A

Function 00403D20 Relevance: 53.0, APIs: 21, Strings: 9, Instructions: 464
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004C9458), ref: 00403D39
SetErrorMode.KERNEL32(00000001), ref: 00403D41

Part of subcall function 00442220: GetCurrentDirectoryW.KERNEL32(00008000,?,?,00403D4E), ref: 00442237

__wcsicoll.LIBCMT ref: 00403E9E
__wcsicoll.LIBCMT ref: 00403EB4
__wcsicoll.LIBCMT ref: 00403EC6
__wcsicoll.LIBCMT ref: 00403ED8
__wcsnicmp.LIBCMT ref: 00403EEC
FindWindowW.USER32(AutoHotkey,023B0158), ref: 00404137
FindWindowW.USER32(AutoHotkey,023B0158), ref: 0040419C
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 004041B3
Sleep.KERNEL32(00000014), ref: 004041C3
IsWindow.USER32(00000000), ref: 004041C6
Sleep.KERNEL32(00000014), ref: 004041FE
IsWindow.USER32(00000000), ref: 00404201
Sleep.KERNEL32(00000064), ref: 0040420D
SystemParametersInfoW.USER32(00002000,00000000,004C90A4,00000000), ref: 00404223
SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040423D
_setvbuf.LIBCMT ref: 00404261
_malloc.LIBCMT ref: 0040427A
_memset.LIBCMT ref: 0040428F
InitCommonControlsEx.COMCTL32 ref: 004042B5

Strings

A_Args, xrefs: 0040400A, 00404038
/force, xrefs: 00403ED2
AutoHotkey, xrefs: 00404132, 00404197
Out of memory., xrefs: 00403D97
/restart, xrefs: 00403EAE
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 0040416C
Could not close the previous instance of this script. Keep waiting?, xrefs: 004041E3
Clipboard, xrefs: 004042C4
/ErrorStdOut, xrefs: 00403EE6

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window__wcsicoll$Sleep$FindInfoParametersSystem$CommonControlsCriticalCurrentDirectoryErrorInitInitializeMessageModePostSection__wcsnicmp_malloc_memset_setvbuf
String ID: /ErrorStdOut$/force$/restart$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.
API String ID: 3533460038-3657834485
Opcode ID: ce4ae06d2b0e2b210ff19182fc2fc78c9cae346bf2a388d5097870e2ff097eae
Instruction ID: 19c657e957c55ece5ba3bdf52c417eb4c71f6cfeaee47b27091bc999d4e63d3a
Opcode Fuzzy Hash: ce4ae06d2b0e2b210ff19182fc2fc78c9cae346bf2a388d5097870e2ff097eae
Instruction Fuzzy Hash: C9E127B06043016BD720AF649C46F2B7BA89B95749F04053FFA41A73D1E7B8DE4087AE

Function 004545D0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 281
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcstoi64.LIBCMT ref: 0045460C
InternetOpenW.WININET(AutoHotkey,00000004,00000000,00000000,00000000), ref: 00454652

Part of subcall function 00490F11: __wcstoi64.LIBCMT ref: 00490F1D

Strings

(, xrefs: 00454770
AutoHotkey, xrefs: 0045464D

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcstoi64$InternetOpen
String ID: ($AutoHotkey
API String ID: 469112803-2766205875
Opcode ID: 45b75f5efd0c2ee69ebd9200eb4c0355ec10b853962da110a003773f4ad0e2e6
Instruction ID: 511ce2a3250b50d758c192210ccdfdc9710fa3806f5c0ae307ade1585caab08e
Opcode Fuzzy Hash: 45b75f5efd0c2ee69ebd9200eb4c0355ec10b853962da110a003773f4ad0e2e6
Instruction Fuzzy Hash: 129139726003006BD220EB54DC81F6B77D4ABD5719F14452FFE44AB2D1E7B9988887AE

Function 004781C0 Relevance: 21.2, APIs: 14, Instructions: 174
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,753D4BD0,?,004CB508,00000000,FFFFFF61,00000000,00000000,00000000,004CB508,753D4BD0,004CB508), ref: 004781D9
EnumResourceNamesW.KERNEL32 ref: 00478226
FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 0047823F
LoadResource.KERNEL32(00400000,00000000), ref: 0047824F
LockResource.KERNEL32(00000000), ref: 0047825E
GetSystemMetrics.USER32(0000000B), ref: 00478286
FindResourceW.KERNEL32(00400000,?,00000003), ref: 004782E6
LoadResource.KERNEL32(00400000,00000000), ref: 004782F4
LockResource.KERNEL32(00000000), ref: 004782FF
SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0047831A
CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00478322
FreeLibrary.KERNEL32(00400000), ref: 0047834D
ExtractIconW.SHELL32(00000000,?,?), ref: 00478362
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0047837F

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 048a3a54ad9021aff99276b9801c452cb05ba59a72117d3b1ce05db86fb240f6
Instruction ID: ddda88a0a171fd663872b22fb917e663124b121c35252d310746a5e8971c997b
Opcode Fuzzy Hash: 048a3a54ad9021aff99276b9801c452cb05ba59a72117d3b1ce05db86fb240f6
Instruction Fuzzy Hash: 065128356853106BD3205F689C4CBBBBB98EB89B51F44892FFD49D2291DB7CC80186A9

Function 00477170 Relevance: 12.2, APIs: 8, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcschr.LIBCMT ref: 0047723A
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004CB508), ref: 00477262
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004CB508), ref: 0047727A
_wcschr.LIBCMT ref: 004772CD
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004CB508), ref: 004772F2
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004CB508), ref: 00477302

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID:
API String ID: 1717823228-0
Opcode ID: bb8840001aca15b1d9c53c9927e5d2b3bef0dcdd194a184511ab2478488e10e6
Instruction ID: 83c57101cf1baddc5cda1578e358c0cd2aa86382bd672b015f0fc99a57747e32
Opcode Fuzzy Hash: bb8840001aca15b1d9c53c9927e5d2b3bef0dcdd194a184511ab2478488e10e6
Instruction Fuzzy Hash: 93512B365043019BCB10AB60CC85BE777A8EF94314F85C92AFD589B392F778D90987D9

Function 00456430 Relevance: 7.7, APIs: 5, Instructions: 177comCOMMON

Download Yara Rule

APIs

CLSIDFromString.OLE32(?,?), ref: 0045648F
CLSIDFromProgID.COMBASE(004A3890,?), ref: 004564B8
CLSIDFromString.OLE32(004A3890,?), ref: 0045654E
CoCreateInstance.OLE32(?,00000000,00000015,?,?), ref: 0045656F
CoCreateInstance.OLE32(?,00000000,00000015,004BF1B0,?), ref: 004565A6

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: From$CreateInstanceString$Prog
String ID:
API String ID: 3834119650-0
Opcode ID: 2caf9f07a21217bbb55fc8bc2def97bde76f671f012690214e3d876ce7572556
Instruction ID: 1e2d796b76f7073d299edd74a2dbae3de67f53d7d8225a3891cb984c16471ea0
Opcode Fuzzy Hash: 2caf9f07a21217bbb55fc8bc2def97bde76f671f012690214e3d876ce7572556
Instruction Fuzzy Hash: 9E51F1706042049BDB148F18D844B27B7E4AB4631AF9581AFFC498B352D339ED4AC79E

Function 004770E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,?), ref: 0047711E
FindClose.KERNEL32(00000000,?,?,?), ref: 0047712A
GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00477145

Strings

\\?\, xrefs: 004770F3

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: \\?\
API String ID: 48322524-4282027825
Opcode ID: f9d28f410f3c2a2c6cffb47fcff3e5785957c4cdb329ea3f69a4ebec03519aa5
Instruction ID: 67e671ad70fb2bd755f551236e9da5c240c8b9bf29b10deae060ea40fdc1fb43
Opcode Fuzzy Hash: f9d28f410f3c2a2c6cffb47fcff3e5785957c4cdb329ea3f69a4ebec03519aa5
Instruction Fuzzy Hash: 8401F735600A1157D7216A249C896EB3754EF85320FD4C626EC6CD23D0EB3C8C46939D

Function 0043B780 Relevance: 81.4, APIs: 45, Strings: 1, Instructions: 869registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0043B7A1
DefWindowProcW.USER32(?,?,?,?), ref: 0043BE23

Part of subcall function 00417AF0: _wcsncpy.LIBCMT ref: 00417B43
Part of subcall function 00417AF0: SetCurrentDirectoryW.KERNEL32(004A3890,00000000,?,023A50F0,00000000), ref: 00417BAF

Strings

TaskbarCreated, xrefs: 0043B79C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$CurrentDirectoryMessageProcRegister_wcsncpy
String ID: TaskbarCreated
API String ID: 4277639754-2362178303
Opcode ID: 14646357b3904c74b70c3b3d10b4d36e829de5070795bf67238526b000b841a3
Instruction ID: 7ec160cd6dff5e23fdfc1ff990be64f2ab95c3da9a6b7e6da61a6dd844015197
Opcode Fuzzy Hash: 14646357b3904c74b70c3b3d10b4d36e829de5070795bf67238526b000b841a3
Instruction Fuzzy Hash: 2852C3727002049FD720DF69EC85FAB77A8EB88311F14452BFA46D7391D735AC508BA9

Function 00417290 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 244
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004172C1

Part of subcall function 004781C0: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,753D4BD0,?,004CB508,00000000,FFFFFF61,00000000,00000000,00000000,004CB508,753D4BD0,004CB508), ref: 004781D9
Part of subcall function 004781C0: FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 0047823F
Part of subcall function 004781C0: LoadResource.KERNEL32(00400000,00000000), ref: 0047824F
Part of subcall function 004781C0: LockResource.KERNEL32(00000000), ref: 0047825E
Part of subcall function 004781C0: GetSystemMetrics.USER32(0000000B), ref: 00478286
Part of subcall function 004781C0: FindResourceW.KERNEL32(00400000,?,00000003), ref: 004782E6
Part of subcall function 004781C0: LoadResource.KERNEL32(00400000,00000000), ref: 004782F4
Part of subcall function 004781C0: LockResource.KERNEL32(00000000), ref: 004782FF

GetSystemMetrics.USER32(00000031), ref: 0041730B

Part of subcall function 004781C0: EnumResourceNamesW.KERNEL32 ref: 00478226
Part of subcall function 004781C0: SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0047831A
Part of subcall function 004781C0: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00478322
Part of subcall function 004781C0: ExtractIconW.SHELL32(00000000,?,?), ref: 00478362

LoadCursorW.USER32(00000000,00007F00), ref: 0041733B
RegisterClassExW.USER32 ref: 00417360
RegisterClassExW.USER32(?), ref: 004173A8
GetForegroundWindow.USER32 ref: 004173AF
GetClassNameW.USER32(00000000,?,00000040), ref: 004173C1
__wcsicoll.LIBCMT ref: 004173D5
CreateWindowExW.USER32(00000001,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 00417434
GetMenu.USER32(00000000), ref: 0041745B
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041746B
CreateWindowExW.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,000201FC,00000001,00400000,00000000), ref: 004174A3
GetDC.USER32(00000000), ref: 004174AF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004174E8
MulDiv.KERNEL32(0000000A,00000000), ref: 004174F1
CreateFontW.GDI32(00000000), ref: 004174FA
ReleaseDC.USER32(0003043A,00000000), ref: 0041750C
SendMessageW.USER32(0003043A,00000030,9E0A0E42,00000000), ref: 0041752A
SendMessageW.USER32(0003043A,000000C5,00000000,00000000), ref: 0041753B
ShowWindow.USER32(000201FC,00000000), ref: 0041754C
ShowWindow.USER32(000201FC,00000000), ref: 00417557
ShowWindow.USER32(000201FC,00000006), ref: 00417568
SetWindowLongW.USER32(000201FC,000000EC,00000000), ref: 00417575
LoadAcceleratorsW.USER32(00400000,000000D4), ref: 00417587

Part of subcall function 004176C0: _memset.LIBCMT ref: 004176D0
Part of subcall function 004176C0: _wcsncpy.LIBCMT ref: 00417742
Part of subcall function 004176C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00417755

Strings

AutoHotkey2, xrefs: 00417398
Shell_TrayWnd, xrefs: 004173CF
0, xrefs: 004172DC
AutoHotkey, xrefs: 004172E4, 00417429
RegClass, xrefs: 00417378
CreateWindow, xrefs: 00417450
Consolas, xrefs: 004174BE
edit, xrefs: 0041749C
Lucida Console, xrefs: 004174C5, 004174CA

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMenuMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit
API String ID: 2663150501-3882032541
Opcode ID: a859c8a00cbc69611a0eea23d238f97866340177c1da3e387591ca0d7fc89e2c
Instruction ID: c4a391df5bc3dd0045b20c79f103117fff068bb8be1f86ddeed78df9e62d10ae
Opcode Fuzzy Hash: a859c8a00cbc69611a0eea23d238f97866340177c1da3e387591ca0d7fc89e2c
Instruction Fuzzy Hash: C881F670B48300BFE7209B64DC4AF967BB4EB45744F14452EFA44A72D0D7B8A854CB6E

Function 00401DE0 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 515windowthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004014F9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401540
GetTickCount.KERNEL32 ref: 0040154B
GetForegroundWindow.USER32 ref: 00401C8E
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401CA1
GetClassNameW.USER32(00000000,?,00000020), ref: 00401CBE
IsDialogMessageW.USER32(00000000,?), ref: 00402F39
SetCurrentDirectoryW.KERNEL32(004A3890), ref: 00402F61

Strings

($, xrefs: 00401523
#32770, xrefs: 00401CC4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountMessageTickWindow$ClassCurrentDialogDirectoryForegroundNameProcessThread
String ID: #32770$($
API String ID: 3752270653-2076150920
Opcode ID: 891610f23284f0dc155f3508c5861c2f589933b7554299101bf17fe4d1020f28
Instruction ID: c717b072d53977dded448c521543f2fdc67cbae5896261c1b276aef6ab5f8f43
Opcode Fuzzy Hash: 891610f23284f0dc155f3508c5861c2f589933b7554299101bf17fe4d1020f28
Instruction Fuzzy Hash: A4129E719083418BD7218F68C588A6BB7E1BB85304F59457FE885A73F1D778EC42CB8A

Function 0042740E Relevance: 26.8, APIs: 9, Strings: 6, Instructions: 580windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC

Part of subcall function 00416240: __fassign.LIBCMT ref: 00416250

__wcsicoll.LIBCMT ref: 004276EE

Part of subcall function 0042EA90: _wcsncpy.LIBCMT ref: 0042EB43
Part of subcall function 0042EA90: _wcschr.LIBCMT ref: 0042EB8A
Part of subcall function 0042EA90: _memmove.LIBCMT ref: 0042EBD6
Part of subcall function 0042EA90: _wcschr.LIBCMT ref: 0042EBE3

__wcsicoll.LIBCMT ref: 0042747E

Part of subcall function 004159B0: __wcsicoll.LIBCMT ref: 00415ABC
Part of subcall function 004159B0: __wcsicoll.LIBCMT ref: 00415AD4

Strings

CSV, xrefs: 004276E8
Read, xrefs: 00427478
$cJ, xrefs: 00427444, 00427472, 00427494, 004274BC, 004274D5, 004277CA, 0042780A
Parameter #2 invalid., xrefs: 0042B5D9
v1j, xrefs: 00426EA4
Parameter #3 invalid., xrefs: 0042B603

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$CountTick_wcschr$ClipboardCloseGlobalMessagePeekUnlock__fassign_memmove_wcsncpy
String ID: $cJ$CSV$Parameter #2 invalid.$Parameter #3 invalid.$Read$v1j
API String ID: 1197092883-423423522
Opcode ID: 95d4efba3d1e22a3e1b8d808e35dae841c55cf83beddb207a5a14c445dc76007
Instruction ID: 81533ff737187c5554f09210e9d8bf06e33d38ca1a8986d2c8c61e5f12c412f5
Opcode Fuzzy Hash: 95d4efba3d1e22a3e1b8d808e35dae841c55cf83beddb207a5a14c445dc76007
Instruction Fuzzy Hash: 9B32CB71608350DFD724CF64E880F6BB7E5AB88314F50892EF98587391D778E885CB9A

Function 00427B5E Relevance: 25.2, APIs: 11, Strings: 3, Instructions: 666COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00427DE8
_free.LIBCMT ref: 00427E26

Strings

A, xrefs: 00427C72
SMHD, xrefs: 00428072
v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free
String ID: A$SMHD$v1j
API String ID: 269201875-3925140012
Opcode ID: 978318b576444ef6d9f0e20db79651e2ce52bdda614da1b976fbec298f6571a8
Instruction ID: 1966955e6f4b4ddd05699856f2ef6d4797c23de199e38c924a273258681dba29
Opcode Fuzzy Hash: 978318b576444ef6d9f0e20db79651e2ce52bdda614da1b976fbec298f6571a8
Instruction Fuzzy Hash: 9842CF70708360CBD724DF21E881B6BB7E1BB84314F95496EF48597392DB38D885CB9A

Function 0042AC4D Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 248
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
GetTickCount.KERNEL32 ref: 00426F86
__wcsnicmp.LIBCMT ref: 0042AC5B
_wcschr.LIBCMT ref: 0042AC93

Part of subcall function 00414D50: __wcstoi64.LIBCMT ref: 00414D60

__wcsnicmp.LIBCMT ref: 0042AD43

Strings

Integer, xrefs: 0042AD3D
$cJ, xrefs: 0042AC4D, 0042AD36
Float, xrefs: 0042AC55
%%%s%s%s, xrefs: 0042AD1A
v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$__wcsnicmp$ClipboardCloseGlobalMessagePeekUnlock__wcstoi64_wcschr
String ID: $cJ$%%%s%s%s$Float$Integer$v1j
API String ID: 3735567320-2576696436
Opcode ID: 5c807fafef20308e732769182f0a2e435d3454c7f3d810d725c8fd0866ded791
Instruction ID: 4b65478055d3a066ae23ab8b16bd8b60f94c82c132972d64c1aa03a91121abf7
Opcode Fuzzy Hash: 5c807fafef20308e732769182f0a2e435d3454c7f3d810d725c8fd0866ded791
Instruction Fuzzy Hash: 219122317043619BDB24CF61FC85B6A37A2AB41318F96052EF955873E2D77CA840CB9E

Function 00472DA0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 318
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00000000,?), ref: 00472E17
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?), ref: 00472E39

Strings

0123456789ABCDEF, xrefs: 0047308C
W, xrefs: 00472DC5

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: 0123456789ABCDEF$W
API String ID: 4153817207-1680953536
Opcode ID: 5b8f8fb0e62c09d1a26544afe6ace262212e2574f0744f00af8e3db05eef9e6f
Instruction ID: 3d0b4e3b83c5a0b3213536c5a8a83579687e3827d1c13e2dbf78f5734f0e1225
Opcode Fuzzy Hash: 5b8f8fb0e62c09d1a26544afe6ace262212e2574f0744f00af8e3db05eef9e6f
Instruction Fuzzy Hash: 78B1A0716083019BD724DF24DC85FAB77E8EB88344F00892EF589DB291D6B8D945C7AA

Function 00427284 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 286
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
__wcsicoll.LIBCMT ref: 004272BA
__wcsicoll.LIBCMT ref: 004272F5

Strings

A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 00427352
$cJ, xrefs: 0042729F
v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick__wcsicoll$ClipboardCloseGlobalMessagePeekUnlock
String ID: $cJ$A Goto/Gosub must not jump into a block that doesn't enclose it.$v1j
API String ID: 3567954741-3836395255
Opcode ID: 55f36eeaf0d086d39213d42289d4d105e4e73a9abe3f5039bb3b30855ece2361
Instruction ID: 1d1e4a4402f9fb7a7c5af05af5215c105d02ba1cf2fa55c2ece5096d2f24686a
Opcode Fuzzy Hash: 55f36eeaf0d086d39213d42289d4d105e4e73a9abe3f5039bb3b30855ece2361
Instruction Fuzzy Hash: E2B10F317083608BDB24CF65F880B6B77A6FB81314F96452EE959873A2D738E840CB5D

Function 00427939 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 341windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
_free.LIBCMT ref: 00427ACC

Strings

Jumps cannot exit a FINALLY block., xrefs: 0042B654
v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_free
String ID: Jumps cannot exit a FINALLY block.$v1j
API String ID: 1585972641-1623723626
Opcode ID: d2a66fd0cc74bb7ed28043191c92915ac62bdabfee8337be8665f4c07e45aeb8
Instruction ID: 243a7bb7935039845f492452cca96680bd2741c6a1556b804308f8f06d32d09a
Opcode Fuzzy Hash: d2a66fd0cc74bb7ed28043191c92915ac62bdabfee8337be8665f4c07e45aeb8
Instruction Fuzzy Hash: 6BD1C371B08350CFDB24CF64E880B6B77E1FB85314F91496EE89987391D779A840CB5A

Function 0042B16B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 198
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
RegCloseKey.ADVAPI32(00000000), ref: 0042B1EC

Strings

v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
String ID: v1j
API String ID: 4107439908-3288809988
Opcode ID: 8f20c42e93d9edfc0ed6a1f8652c54da14efeb5a92a6470ae0d73085c23f9334
Instruction ID: 5aa98a78301c45bdef57c640f86ef0b8025277831813cdf329ea322fb6bf0166
Opcode Fuzzy Hash: 8f20c42e93d9edfc0ed6a1f8652c54da14efeb5a92a6470ae0d73085c23f9334
Instruction Fuzzy Hash: 91711630704261DBDB24CF24FD94B6B7BA2EB41318F96462EE455873E1D738A840CB9E

Function 0211003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0211024D

Strings

kernel32.dll, xrefs: 0211008F, 02110095
cess, xrefs: 0211018D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: cb6e4576c6f42de689f56335750bf445eb49197ef0e401d2b033a5892e155ae3
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: AF525874E41229DFDB64CF58C984BA8BBB1BF09304F1580E9E94DAB351DB30AA85CF15

Function 00426E22 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 349
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78

Part of subcall function 00444790: __wcsicoll.LIBCMT ref: 004447BA

GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
GetTickCount.KERNEL32 ref: 00426F86

Strings

v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock__wcsicoll
String ID: v1j
API String ID: 2029973422-3288809988
Opcode ID: ac74217368039711589757d3ed3ce7c752e1035cf5d995391c515213f47e51cd
Instruction ID: 577d209b60b0e305f694127d93cb4f9e212cf47ed499887f71f8cd5782e9f476
Opcode Fuzzy Hash: ac74217368039711589757d3ed3ce7c752e1035cf5d995391c515213f47e51cd
Instruction Fuzzy Hash: 07D1BD31708351CBDB24CF65E880B6B77E2FB84314F95456EE8598B392D738D841CB9A

Function 00427EB1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 194
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC

Strings

v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: v1j
API String ID: 1623861271-3288809988
Opcode ID: 2835f73984154a3414e95f4a748b9add606521c8e6b154603e247de07738a9b3
Instruction ID: 31c2687664371598502a5b531453e8e1439d8a9e852998b8438cba0f908d182f
Opcode Fuzzy Hash: 2835f73984154a3414e95f4a748b9add606521c8e6b154603e247de07738a9b3
Instruction Fuzzy Hash: A8710531704361CBDB24CF64F984B6A3BA2FB45314F92066EE856873E1C7389841CB9D

Function 0040146B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162windowtimeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(000201FC,00000009,0000000A), ref: 004014D4
GetTickCount.KERNEL32 ref: 004014F9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401540
GetTickCount.KERNEL32 ref: 0040154B
GetFocus.USER32 ref: 004015E4

Part of subcall function 00403380: joyGetPosEx.WINMM ref: 004033AF

TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040162A
IsDialogMessageW.USER32(?,?), ref: 00401BBB

Part of subcall function 0046A850: SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046A86A

Strings

($, xrefs: 00401523

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Message$CountTick$AcceleratorDialogFocusSendTimerTranslate
String ID: ($
API String ID: 3283625497-2238701287
Opcode ID: f4061c6a45dc52200af8a418c29571a8dbdb8272d0c418b773f43cd224975d58
Instruction ID: d580d6ea65c684af17787d48f7abcc2f526893975b6fad532898008a2ea5a279
Opcode Fuzzy Hash: f4061c6a45dc52200af8a418c29571a8dbdb8272d0c418b773f43cd224975d58
Instruction Fuzzy Hash: E4517071A043409BD7219F28C884B6F7AE4AB95708F08093FF585A73F1D77D9885CB9A

Function 00427B52 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 154
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00426E68
CloseClipboard.USER32 ref: 00426E78
GetTickCount.KERNEL32 ref: 00426E8A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00426EB6
GetTickCount.KERNEL32 ref: 00426ECC
GetTickCount.KERNEL32 ref: 00426F86

Strings

v1j, xrefs: 00426EA4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: v1j
API String ID: 1623861271-3288809988
Opcode ID: 88ffd0a27205ac72f16484c5f9186b0db8d7d728dabc208a82813e14528db1ff
Instruction ID: 276ea68a65f414a29b9231cd5f2a7ef4dd815cb13fef6da4b65e5c1804468698
Opcode Fuzzy Hash: 88ffd0a27205ac72f16484c5f9186b0db8d7d728dabc208a82813e14528db1ff
Instruction Fuzzy Hash: 1B51D630704361CBDF64CF65FD85B6A3BA2AB01314F96062EE465973E1C7389845CB5D

Function 00417870 Relevance: 10.7, APIs: 7, Instructions: 161
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00417883

Part of subcall function 0048FCA4: __FF_MSGBANNER.LIBCMT ref: 0048FCBD
Part of subcall function 0048FCA4: __NMSG_WRITE.LIBCMT ref: 0048FCC4
Part of subcall function 0048FCA4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00495598,004011D4,00000001,004011D4,?,00494023,00000018,004C1C20,0000000C,004940B3), ref: 0048FCE9

SetTimer.USER32(000201FC,0000000E,04EF6D80,00403BA0), ref: 004178CA
_free.LIBCMT ref: 004179B6

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AllocateHeapTimer_free_malloc
String ID:
API String ID: 92111083-0
Opcode ID: 9d8263df4cbc072d8507a47316a4b4a09a1eb0e44a88d49c6767c5e0d3393ce5
Instruction ID: fbe78b82f48f7f733fea3c01a39f5578ea0d00d6650b71bacc94d44b1de2376f
Opcode Fuzzy Hash: 9d8263df4cbc072d8507a47316a4b4a09a1eb0e44a88d49c6767c5e0d3393ce5
Instruction Fuzzy Hash: 6C51B0B1A042449FD350DF29EC84FA27BB5FB15308F5980BEE5498B362D3799884CF59

Function 00416A90 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 132
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00416CD2
OleInitialize.OLE32(00000000), ref: 00416D1C

Part of subcall function 00417AF0: _wcsncpy.LIBCMT ref: 00417B43
Part of subcall function 00417AF0: SetCurrentDirectoryW.KERNEL32(004A3890,00000000,?,023A50F0,00000000), ref: 00417BAF

Strings

Tray, xrefs: 00416CDF
No tray mem, xrefs: 00416CF9
%E, xrefs: 00416AB7

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryInitialize_memset_wcsncpy
String ID: No tray mem$Tray$%E
API String ID: 613146505-1286056905
Opcode ID: 0f4f20f2888725397845d3e26465219afce152eca6e053a07f023b2c469328d6
Instruction ID: aaab1662004d8440c1c75f66d450961280571f6039720277f048bb5b25b5375a
Opcode Fuzzy Hash: 0f4f20f2888725397845d3e26465219afce152eca6e053a07f023b2c469328d6
Instruction Fuzzy Hash: AA6150B4802384EAC3908F6AADD2E15BAA8F759309F90823FE448C3361D7B801448FDD

Function 0045C30A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045C327
_malloc.LIBCMT ref: 0045C341
_free.LIBCMT ref: 0045C5E0
SetTimer.USER32(000201FC,0000000D,00002710,0043D4E0), ref: 0045C62C

Strings

Out of memory., xrefs: 0045C358

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free$Timer_malloc
String ID: Out of memory.
API String ID: 2288515124-4087320997
Opcode ID: 8b42eef779f5021ae25284b8053e9d349c125c261127b9f0fb9699a20262a356
Instruction ID: 49bb5786690396244c9ba4e0863c8e9ec505ffb6c14bf44d43acb8d3a775e7c9
Opcode Fuzzy Hash: 8b42eef779f5021ae25284b8053e9d349c125c261127b9f0fb9699a20262a356
Instruction Fuzzy Hash: 3431B271A083099FD744CF29A881B6A37E4E79430AF04803BEC85D7352E73E9559DB9D

Function 004428E0 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 004428FC
SetLastError.KERNEL32(000000B7), ref: 0044290E
_wcsrchr.LIBCMT ref: 00442927
CreateDirectoryW.KERNEL32(?,00000000), ref: 00442990
SetLastError.KERNEL32(00000057), ref: 004429A5

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile_wcsrchr
String ID:
API String ID: 1861573484-0
Opcode ID: 2e8b3f2ca5c88a69b3a2a066295587a62f8c89f17cd218adf8a81c392199c089
Instruction ID: 201aa1d45fc2b5c267c7c5c3f8dcc34e55949bf9b4c780faeebfaa4df4c5171f
Opcode Fuzzy Hash: 2e8b3f2ca5c88a69b3a2a066295587a62f8c89f17cd218adf8a81c392199c089
Instruction Fuzzy Hash: 55214572B00300ABEB202F64DD457DBF7A4EB44365F48853AFA1997290D3B88945CBD9

Function 00458610 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 403memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00458010: VariantClear.OLEAUT32(?), ref: 00458025

SysAllocString.OLEAUT32(?), ref: 00458779
SysFreeString.OLEAUT32(00000000), ref: 00458797

Strings

_NewEnum, xrefs: 004586FA

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: String$AllocClearFreeVariant
String ID: _NewEnum
API String ID: 1665868789-1628654690
Opcode ID: 4c4994b1da5992b47152a213289a29bb39b461c10b0b39ec9186dc46d79ca9b8
Instruction ID: c2668fa6f6fad35b8756d28ed0efac4badd6527d9cd6525d23c6b130372f5c06
Opcode Fuzzy Hash: 4c4994b1da5992b47152a213289a29bb39b461c10b0b39ec9186dc46d79ca9b8
Instruction Fuzzy Hash: 4FE18F75E002099FDB04DF99D881AAEB7B5FF88311F10816EED04AB351DB39AD49CB94

Function 0042D5C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0042D648
GetTickCount.KERNEL32 ref: 0042D6CF

Strings

$cJ, xrefs: 0042D5E4

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick__wcstoi64
String ID: $cJ
API String ID: 1339278519-417114052
Opcode ID: 738700d3e8f00f8505546d4b3544afa0d16049c911eb0461f3829c3c9b244dd5
Instruction ID: bef6d51c6ff47f481dd1438523297b6b7c5e2ae73701c27c6a0695669888bc1f
Opcode Fuzzy Hash: 738700d3e8f00f8505546d4b3544afa0d16049c911eb0461f3829c3c9b244dd5
Instruction Fuzzy Hash: C7412370B002116ADB289B15BC85F3F3765EB92715F60802FF4498A7D1D7BA9841CA5E

Function 00429807 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042981A
PostMessageW.USER32(00000000), ref: 00429821

Strings

Shell_TrayWnd, xrefs: 00429815

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: Shell_TrayWnd
API String ID: 2578315405-2988720461
Opcode ID: 6926a05c434e0ba5dc9a93a737fb233ac6880a8a52adbda75f70410a32ebccde
Instruction ID: ebd0a3946cb67554b6160152ff8e4069b5e72b06b152f5631506da9ccc4beb04
Opcode Fuzzy Hash: 6926a05c434e0ba5dc9a93a737fb233ac6880a8a52adbda75f70410a32ebccde
Instruction Fuzzy Hash: A8E02B30F802007BF2001721FD47F9936019B06B10F200121F611FA2E2C5F9E840821E

Function 00471AD0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 004716C0: __wcsicoll.LIBCMT ref: 004716E8

__wcsicoll.LIBCMT ref: 00471C3E

Strings

base, xrefs: 00471C38

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: base
API String ID: 3832890014-3233087073
Opcode ID: 041a1525aa314a719f7fd6378d1b0e383f0442330399e793b57acd6ce698c038
Instruction ID: 34630770a3e52e1c2c4bcfa53fad844edd7e2a3b7524a3fdc5e8edb9de452a6b
Opcode Fuzzy Hash: 041a1525aa314a719f7fd6378d1b0e383f0442330399e793b57acd6ce698c038
Instruction Fuzzy Hash: 7C51E0706042059FD721DF9CC880FAB77A5EF85354F24814AE8499B361D338FC81CBAA

Function 004421A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(004A6324), ref: 004421D5

Strings

:, xrefs: 004421C3

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4700560e11ba25c23d9192ab955168636ae4106476855d529c354684ca59f343
Instruction ID: bb1a0e2f6ef9a9da7fc0a3520f49256627144e11ff800699070c311a2d583478
Opcode Fuzzy Hash: 4700560e11ba25c23d9192ab955168636ae4106476855d529c354684ca59f343
Instruction Fuzzy Hash: C3F0F42050425065EF21EB986D02FA776E0AF4171AF84849FF884A72D0F3F89888C39E

Function 00459F4C Relevance: 3.2, APIs: 2, Instructions: 231COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00459F67

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9fdce0842d93cf44065fb8ac07dbfb2e74a91ed261ad68d49ccd2a1a9ebfcf00
Instruction ID: b4e3c6e9d4dc25af992b957f1612e206b02c8cfd6410816648f2569a6619da82
Opcode Fuzzy Hash: 9fdce0842d93cf44065fb8ac07dbfb2e74a91ed261ad68d49ccd2a1a9ebfcf00
Instruction Fuzzy Hash: C1915D71A002159FDB24CF54C881BAEB7B5FF45315F28819AE809AB343D739DC49CB99

Function 00457E50 Relevance: 3.2, APIs: 2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e01596d711b1d3c656434c00f8e2c6b912cb9ac7392919ac9f6a4686bf3c1db
Instruction ID: 4ddbf8b0e37a36613ad0fc08a91a580f2c302b5f0ef6ca8762b65f60e1103e05
Opcode Fuzzy Hash: 6e01596d711b1d3c656434c00f8e2c6b912cb9ac7392919ac9f6a4686bf3c1db
Instruction Fuzzy Hash: 3B5117356087128BD714EF29D490767B7A0FF88304F64C8AED89987762E339D854CB89

Function 0045C466 Relevance: 3.1, APIs: 2, Instructions: 105timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045C5E0
SetTimer.USER32(000201FC,0000000D,00002710,0043D4E0), ref: 0045C62C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Timer_free
String ID:
API String ID: 2702591383-0
Opcode ID: 7ffefa2201147f186b4651fd50c9cb71d59206d04f266079f65ba9c50ea6470b
Instruction ID: 1aeeb222a3b3ab5ba74e445a33930422449077a2eb704a29599955a7c0ceee65
Opcode Fuzzy Hash: 7ffefa2201147f186b4651fd50c9cb71d59206d04f266079f65ba9c50ea6470b
Instruction Fuzzy Hash: F441DDB15083049FD714CF15E894F6B77E4BB9430AF08852FE88687252E738D949CB8A

Function 0045C4D3 Relevance: 3.1, APIs: 2, Instructions: 103timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045C5E0
SetTimer.USER32(000201FC,0000000D,00002710,0043D4E0), ref: 0045C62C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Timer_free
String ID:
API String ID: 2702591383-0
Opcode ID: 86f813f019eddccca512adee127f64c1b5059cb4e45481856e6560f412819d70
Instruction ID: 70b59a4e492b68ac8dbe2a30065a2a426509558463175c2685b7247edac3cbb2
Opcode Fuzzy Hash: 86f813f019eddccca512adee127f64c1b5059cb4e45481856e6560f412819d70
Instruction Fuzzy Hash: A2419F71508354AFC714CF14D8C4BAB77E4BB9530AF04892FE88697252E338E94ADB5E

Function 0045C44E Relevance: 3.1, APIs: 2, Instructions: 77timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045C5E0

Part of subcall function 00490561: HeapFree.KERNEL32(00000000,00000000,?,00493723,00000000,?,004949B2,?,~cG), ref: 00490577
Part of subcall function 00490561: GetLastError.KERNEL32(00000000,?,00493723,00000000,?,004949B2,?,~cG), ref: 00490589

SetTimer.USER32(000201FC,0000000D,00002710,0043D4E0), ref: 0045C62C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLastTimer_free
String ID:
API String ID: 702773638-0
Opcode ID: d39b96cd37cb6071c1c10a5d7a4c98bb6bb898730ad8e8d70dc662939826db9d
Instruction ID: 1ddeaebf6c08e647a2b7eed64485f68ee4913f570c514a41a13423e0aca1610c
Opcode Fuzzy Hash: d39b96cd37cb6071c1c10a5d7a4c98bb6bb898730ad8e8d70dc662939826db9d
Instruction Fuzzy Hash: 9E316FB1508304AFD304DF15E884F5B77E4FB9430AF04892EF88697252E339E949CB9A

Function 0045C428 Relevance: 3.1, APIs: 2, Instructions: 75timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045C5E0
SetTimer.USER32(000201FC,0000000D,00002710,0043D4E0), ref: 0045C62C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Timer_free
String ID:
API String ID: 2702591383-0
Opcode ID: 4c0d08aa7e5de1a2c3f5023af2b5c3023b24443eebc7dab2293c221aabf72939
Instruction ID: 8f70222fbd286e1074c05fff3599318cbb111fc6b1464ce7e2581ebbd233ff0f
Opcode Fuzzy Hash: 4c0d08aa7e5de1a2c3f5023af2b5c3023b24443eebc7dab2293c221aabf72939
Instruction Fuzzy Hash: DB2150B1508304AFD314CF15D885F5B77E4FB94709F04892EF88597252E339E949CB9A

Function 0056CE36 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0056CE5E
Module32First.KERNEL32(00000000,00000224), ref: 0056CE7E

Memory Dump Source

Source File: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0056C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5539b1d95d85a06048579fc0349efe06e2df85b610a407ba51a8b978f4640b36
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 96F06231200715ABD7217AF9988DA7B7EFCBF49725F100628E692D24C0DB71EC458661

Function 0042A28F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 004428E0: GetFileAttributesW.KERNEL32(?), ref: 004428FC
Part of subcall function 004428E0: SetLastError.KERNEL32(000000B7), ref: 0044290E

GetLastError.KERNEL32 ref: 0042A2A8

Strings

$cJ, xrefs: 0042A28F

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorLast$AttributesFile
String ID: $cJ
API String ID: 2642427456-417114052
Opcode ID: 94b655aa1d4b974b7336a02c0b3d8f49292e02ab474d041341b466ee093eb01d
Instruction ID: a41f4e7d21578ee3dd49418d9290a1123cd8fecee42b2950285fb270d79969ff
Opcode Fuzzy Hash: 94b655aa1d4b974b7336a02c0b3d8f49292e02ab474d041341b466ee093eb01d
Instruction Fuzzy Hash: 7AD0C2759042009FE2509B30AD80B193BD8EB04344F14485EB950D3222C234D0008B2A

Function 02110DF8 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02110223,?,?), ref: 02110E02
SetErrorMode.KERNEL32(00000000,?,?,02110223,?,?), ref: 02110E07

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 3dc0d650258f77e74df07641c15034dff2f9eaa93d2b56bfa814fc505f0da8b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 54D0123154512C77D7002A95DC09BCD7B1C9F05B66F108021FB0DD9181CB70994046E5

Function 00473AD0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00473ADD

Part of subcall function 0048FCA4: __FF_MSGBANNER.LIBCMT ref: 0048FCBD
Part of subcall function 0048FCA4: __NMSG_WRITE.LIBCMT ref: 0048FCC4
Part of subcall function 0048FCA4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00495598,004011D4,00000001,004011D4,?,00494023,00000018,004C1C20,0000000C,004940B3), ref: 0048FCE9

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: fbd788fde5c7a03836223f0ebbbba8f0bfb339def231a07eec2ac87ceef1a1be
Instruction ID: 93d676223c3575ddf1ffbfd14c61795bc367894d3b16f047fe3352ec2489d9c7
Opcode Fuzzy Hash: fbd788fde5c7a03836223f0ebbbba8f0bfb339def231a07eec2ac87ceef1a1be
Instruction Fuzzy Hash: 95F05E716006028FEBA0CB39D891B2BB3E6BFD0310B14852EE48E83B45E738F945CA04

Function 00473770 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00491078: _malloc.LIBCMT ref: 00491092

_malloc.LIBCMT ref: 0047378D

Part of subcall function 0048FCA4: __FF_MSGBANNER.LIBCMT ref: 0048FCBD
Part of subcall function 0048FCA4: __NMSG_WRITE.LIBCMT ref: 0048FCC4
Part of subcall function 0048FCA4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00495598,004011D4,00000001,004011D4,?,00494023,00000018,004C1C20,0000000C,004940B3), ref: 0048FCE9

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 46071de27b3b18367afdd9e5638da9c5a82c5076efc544d57178a87389760198
Instruction ID: 75d2558b1877979aae163230b704275fd009bd8c4d7380a67554ebce3f4d9ff1
Opcode Fuzzy Hash: 46071de27b3b18367afdd9e5638da9c5a82c5076efc544d57178a87389760198
Instruction Fuzzy Hash: DDE09BF19056114ED760AF65BC0278775D09F00B64F05843FF88987312E779D58487CA

Function 0056CAF5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0056CB46

Memory Dump Source

Source File: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0056C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e2ab7184e6fbd645d531c4f978019bbad4f883721467c356a00210fe53393fc0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6E113F79A00208EFDB01DF98C985E98BFF5AF08351F058094F9489B361D371EA50DF90

Non-executed Functions

Function 004630C0 Relevance: 114.5, APIs: 41, Strings: 24, Instructions: 713COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004630DF
GetWindowLongW.USER32(?,000000EC), ref: 004630EA
__wcsnicmp.LIBCMT ref: 00463183
__wcsnicmp.LIBCMT ref: 004631A4
__wcsicoll.LIBCMT ref: 004631BA
SetWindowPos.USER32(?,-000000FE,00000000,00000000,00000000,00000000,00000013,?,?,?,?,?,00000000,00000000,00000000), ref: 004631EB

Strings

MinSize, xrefs: 00463443
Label, xrefs: 0046338B
SysMenu, xrefs: 00463697
MinimizeBox, xrefs: 0046340C
Tab, xrefs: 00463296
MaximizeBox, xrefs: 004633D7
Theme, xrefs: 004636CC
MaxSize, xrefs: 00463540
Invalid option., xrefs: 004639A1
Hwnd, xrefs: 0046335B
Invalid or nonexistent owner or parent window., xrefs: 004639BB
ToolWindow, xrefs: 004636EE
Owner, xrefs: 00463176
Caption, xrefs: 0046324A
LastFound, xrefs: 004633B9
Space, xrefs: 004632BA
DPIScale, xrefs: 00463723
AlwaysOnTop, xrefs: 004631B4
OwnDialogs, xrefs: 0046363D
Delimiter, xrefs: 00463281
Disabled, xrefs: 004632F9
Border, xrefs: 00463215
Resize, xrefs: 00463662
Parent, xrefs: 0046319E

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Long__wcsnicmp$__wcsicoll
String ID: AlwaysOnTop$Border$Caption$DPIScale$Delimiter$Disabled$Hwnd$Invalid option.$Invalid or nonexistent owner or parent window.$Label$LastFound$MaxSize$MaximizeBox$MinSize$MinimizeBox$OwnDialogs$Owner$Parent$Resize$Space$SysMenu$Tab$Theme$ToolWindow
API String ID: 736084551-994823521
Opcode ID: 5b487a832655923f534c1a5e646aab6b536ed262329e1ab32c2ce9f372ee5bc0
Instruction ID: 7ca6eb842a226a16558028c00db40ef4785d1c4c8fca12bfa1af7e9f57d7095e
Opcode Fuzzy Hash: 5b487a832655923f534c1a5e646aab6b536ed262329e1ab32c2ce9f372ee5bc0
Instruction Fuzzy Hash: B84217B1604380ABD7609F218C41B6777E4AF40716F14452FF88697392F7ACEE498B5B

Function 021116EB Relevance: 74.5, APIs: 40, Strings: 2, Instructions: 998windowtimeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(004CA564,00000009,0000000A), ref: 02111724
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A

Strings

D, xrefs: 021116EB
#32770, xrefs: 02111980, 02111F14

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorFocusMessageTimerTranslate
String ID: #32770$D
API String ID: 2746933510-405636740
Opcode ID: e3e3c9259a20f72c680b5485f64fd1a51d5160d60657c960e92df5ece4d21830
Instruction ID: a79ed07c59ab696291c6cf0a457864a3f41630dc9591afdc5ba53016cd3d7a14
Opcode Fuzzy Hash: e3e3c9259a20f72c680b5485f64fd1a51d5160d60657c960e92df5ece4d21830
Instruction Fuzzy Hash: 80823D30684354AFDB24CF28DC88BAAFBF5BF85308F084579EA49872A0D774D485CB56

Function 004201C0 Relevance: 56.8, APIs: 8, Strings: 24, Instructions: 784COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 004201DF
__snwprintf.LIBCMT ref: 00420212
_memmove.LIBCMT ref: 004207FA
_wcsncpy.LIBCMT ref: 0042084F
__wcsicoll.LIBCMT ref: 0042086E
__wcsicoll.LIBCMT ref: 004208A1

Strings

Duplicate parameter., xrefs: 004209D3
Too many params., xrefs: 004209A9
ByRef, xrefs: 004205C5
this, xrefs: 004204D9
true, xrefs: 0042089B
, =), xrefs: 0042081A
Parameter default required., xrefs: 00420BBE
A label must not point to a function., xrefs: 00420B3B
Missing close-quote, xrefs: 00420BA4
Missing comma, xrefs: 00420974
Unsupported parameter default., xrefs: 00420BB3
false, xrefs: 00420860
, :=*), xrefs: 0042059A, 00420605
Expected ":=", xrefs: 00420B9C
Parameters of hotkey functions must be optional., xrefs: 00420B64
Out of memory., xrefs: 004203FE, 0042044E, 00420A34
Missing ")", xrefs: 00420BDC
%s.%s, xrefs: 004201FD
value, xrefs: 00420527
Duplicate function definition., xrefs: 004202CE
Function name too long., xrefs: 00420341
Blank parameter, xrefs: 004209C8, 00420BCD
Invalid function declaration., xrefs: 00420A06
Duplicate declaration., xrefs: 00420255

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$__snwprintf_memmove_wcschr_wcsncpy
String ID: %s.%s$, :=*)$, =)$A label must not point to a function.$Blank parameter$ByRef$Duplicate declaration.$Duplicate function definition.$Duplicate parameter.$Expected ":="$Function name too long.$Invalid function declaration.$Missing ")"$Missing close-quote$Missing comma$Out of memory.$Parameter default required.$Parameters of hotkey functions must be optional.$Too many params.$Unsupported parameter default.$false$this$true$value
API String ID: 1179507668-1825772190
Opcode ID: 72dbb3c72d424932b573dd88278363bafa185e5ab1e2bb86c4ecbf75d679d8e8
Instruction ID: 516ed0bf7d3a7bf17d1c41303015cf4e5c152632f94a89df11198284350d979b
Opcode Fuzzy Hash: 72dbb3c72d424932b573dd88278363bafa185e5ab1e2bb86c4ecbf75d679d8e8
Instruction Fuzzy Hash: 1752D171704221ABD724DF14E881A6BB3E0EF94304F94852FE8459B393E778ED81C79A

Function 0214B9D0 Relevance: 51.6, APIs: 34, Instructions: 593registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(004AD358), ref: 0214B9F1

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister
String ID:
API String ID: 1228543026-0
Opcode ID: 34a3b431461120e8628017451c978d94467888d3a0bbf673c14f2cc8e63f2920
Instruction ID: fa09c67c9a5cb0b36f190da7a69d09aec0c521c4b3c3349c1f7da96ef71dd34a
Opcode Fuzzy Hash: 34a3b431461120e8628017451c978d94467888d3a0bbf673c14f2cc8e63f2920
Instruction Fuzzy Hash: 5212F776B44204AFD720CF68EC88F6777A9EB84715F14853AF94AD7250DB31E900CBA5

Function 0214AEF0 Relevance: 48.9, APIs: 32, Instructions: 881windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0214AF57
IsIconic.USER32(00000000), ref: 0214AF68
GetWindowRect.USER32(?,?), ref: 0214AF80
ClientToScreen.USER32(?,?), ref: 0214AFA2
_wcsrchr.LIBCMT ref: 0214AFEB
__wcsicoll.LIBCMT ref: 0214B002
__wcsicoll.LIBCMT ref: 0214B014
__wcsicoll.LIBCMT ref: 0214B026
__wcsnicmp.LIBCMT ref: 0214B099
__fassign.LIBCMT ref: 0214B0B8
__wcsnicmp.LIBCMT ref: 0214B0E0
_wcsncpy.LIBCMT ref: 0214B0FE
__fassign.LIBCMT ref: 0214B142
__fassign.LIBCMT ref: 0214B221

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign__wcsicoll$Window__wcsnicmp$ClientForegroundIconicRectScreen_wcsncpy_wcsrchr
String ID:
API String ID: 4100256352-0
Opcode ID: 7f73180a36183d9854ac139516008d3652771ef7370f1e036a3c3c470a3f04ec
Instruction ID: 263efa3eed0c564fe9bc524b3c013f1f0e88629ac3a27bbb15daf5ca5605a1ef
Opcode Fuzzy Hash: 7f73180a36183d9854ac139516008d3652771ef7370f1e036a3c3c470a3f04ec
Instruction Fuzzy Hash: EF62E17198C3419FC724CF28C890B6FBBE1AF89718F14492DF89997290DB74DA45CB92

Function 0214A6E0 Relevance: 39.2, APIs: 16, Strings: 6, Instructions: 698windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0214A7CF
IsIconic.USER32(00000000), ref: 0214A7DC
GetWindowRect.USER32(00000000,?), ref: 0214A7F0
ClientToScreen.USER32(00000000,?), ref: 0214A808
GetDC.USER32(00000000), ref: 0214A8B4
CreateCompatibleDC.GDI32(?), ref: 0214A8F3
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0214A90E
SelectObject.GDI32(00000000,00000000), ref: 0214A924
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0214A951
ReleaseDC.USER32(00000000,?), ref: 0214ABFF
SelectObject.GDI32(?,?), ref: 0214AC17
DeleteDC.GDI32(?), ref: 0214AC1E
DeleteObject.GDI32(?), ref: 0214AC2D
_free.LIBCMT ref: 0214AC43

Strings

|hJ, xrefs: 0214ACD4
$cJ, xrefs: 0214ACCD
Fast, xrefs: 0214A6FC
9J, xrefs: 0214ACA1
RGB, xrefs: 0214A714
$cJ, xrefs: 0214ACA8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreateDeleteSelectWindow$BitmapClientForegroundIconicRectReleaseScreen_free
String ID: 9J$$cJ$$cJ$Fast$RGB$|hJ
API String ID: 2647761896-1257331509
Opcode ID: 019b84ae6b11314afa46737dc391902eaa07c72c87b9d5374cad2353dff5aed2
Instruction ID: 3055a89713978d5f9f3373f45ac3a2726831c84c2d47bf645ef59b2df6cdde23
Opcode Fuzzy Hash: 019b84ae6b11314afa46737dc391902eaa07c72c87b9d5374cad2353dff5aed2
Instruction Fuzzy Hash: BB32F63168C3815FD724CF2888A076BBBE2AFC5214F16495DF8D997281CB75C949CB92

Function 0217A490 Relevance: 25.8, APIs: 17, Instructions: 276windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0217A4B9
IsWindowVisible.USER32(?), ref: 0217A4DA
IsIconic.USER32(?), ref: 0217A4ED
GetFocus.USER32 ref: 0217A521
GetWindowRect.USER32(?,?), ref: 0217A551
GetPropW.USER32(?,004BF710), ref: 0217A560
ShowWindow.USER32(00000000,00000000,?,004BF710,?,?), ref: 0217A574
GetUpdateRect.USER32(?,?,00000000), ref: 0217A59C
GetWindowLongW.USER32(?,000000F0), ref: 0217A61D
ShowWindow.USER32(00000000,?,?,004BF710,?,?), ref: 0217A64D
EnableWindow.USER32(00000000,00000000), ref: 0217A664
GetWindowRect.USER32(00000000,?), ref: 0217A678
SetFocus.USER32(00000000,?,004BF710,?,?), ref: 0217A6EA
ShowWindow.USER32(00000000,00000005,?,004BF710,?,?), ref: 0217A735
SetFocus.USER32(?,?,004BF710,?,?), ref: 0217A749
InvalidateRect.USER32(?,00000000,00000001,?,004BF710,?,?), ref: 0217A765
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0217A79E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Rect$FocusShow$Long$EnableIconicInvalidatePointsPropUpdateVisible
String ID:
API String ID: 805697895-0
Opcode ID: 06d737ea6ea5637906f4b3aca56556984f50b29f047ed9fe22b60b96950088e3
Instruction ID: b101e033dc8c82d8e85d47cc7c6c20da8ee1bdf0273b66c824f2ef7aee99825d
Opcode Fuzzy Hash: 06d737ea6ea5637906f4b3aca56556984f50b29f047ed9fe22b60b96950088e3
Instruction Fuzzy Hash: 31A18D75548380AFD710CB64C858B6ABFF8AFC6348F08890DF9D587291C7B5E548CB92

Function 0211D9C0 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 595COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0211DA46
_malloc.LIBCMT ref: 0211DA85

Part of subcall function 0219FEF4: __FF_MSGBANNER.LIBCMT ref: 0219FF0D
Part of subcall function 0219FEF4: __NMSG_WRITE.LIBCMT ref: 0219FF14
Part of subcall function 0219FEF4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0219FF39

_wcsncpy.LIBCMT ref: 0211DAD9
__wcsicoll.LIBCMT ref: 0211DAF6
__wcsicoll.LIBCMT ref: 0211DC0E

Strings

Parameter #2 must not be blank in this case., xrefs: 0211DFA5
-()[]{}:;'"/\,.?! , xrefs: 0211DA56, 0211DA9E, 0211DAA3, 0211DAD4
Parameter #1 invalid., xrefs: 0211DCD8
Hotstring not found., xrefs: 0211DFAC, 0211DFB6
EndChars, xrefs: 0211DA40

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$AllocateHeap_malloc_wcsncpy
String ID: -()[]{}:;'"/\,.?! $EndChars$Hotstring not found.$Parameter #1 invalid.$Parameter #2 must not be blank in this case.
API String ID: 482388181-1465017980
Opcode ID: dd940c8f0a8e8bfbcab3c84c176e3b0f666027bbf811c1331efad9ad837fa628
Instruction ID: 37ca407b0413fd37104f807751dbd193168f80619d09609c31b79129fadf3610
Opcode Fuzzy Hash: dd940c8f0a8e8bfbcab3c84c176e3b0f666027bbf811c1331efad9ad837fa628
Instruction Fuzzy Hash: 1A1257756843029FC720DF68E880B6BB7E1EFD5358F18897DE88987280E771D905CB96

Function 00439180 Relevance: 25.0, APIs: 8, Strings: 6, Instructions: 453windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00432850: __wcsicoll.LIBCMT ref: 0043286B
Part of subcall function 00432850: __wcsicoll.LIBCMT ref: 00432881

GetForegroundWindow.USER32 ref: 004391F9
IsWindowVisible.USER32(00000000), ref: 00439214

Strings

user32, xrefs: 004395BD
GetLayeredWindowAttributes, xrefs: 004395B8
0x%06X, xrefs: 00439632
Parameter #2 invalid., xrefs: 004391B5
0x%08X, xrefs: 00439552
%s1, xrefs: 004393E3

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window__wcsicoll$ForegroundVisible
String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid.$user32
API String ID: 1910143062-141734719
Opcode ID: 8fb82d22e399b84acd34a95c0c670a96e6b4e883b32cfc8f925c40b0a79fbf20
Instruction ID: 7139e1a205a3835274907bc1a73ee8bbe098f6ac71207684c2b1641db0ecd920
Opcode Fuzzy Hash: 8fb82d22e399b84acd34a95c0c670a96e6b4e883b32cfc8f925c40b0a79fbf20
Instruction Fuzzy Hash: FCD145727083052BD720DA69AC81F6B73D8ABDD314F14496FFA44972C1D6F8DC4487AA

Function 02189470 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 021894A0
GlobalUnlock.KERNEL32(004CC048), ref: 021894D2
CloseClipboard.USER32 ref: 021894DE

Strings

GlobalLock, xrefs: 02189614

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseEmptyGlobalUnlock
String ID: GlobalLock
API String ID: 219879227-2848605275
Opcode ID: 2efe591a42643f5ca382abad1f116e147d7ae98fa6ecd258224c72993317b6cc
Instruction ID: 939b3fbf25376577d98090dbb04e64af16a5a6f3fd3a2530a7c816d8e30ce8b9
Opcode Fuzzy Hash: 2efe591a42643f5ca382abad1f116e147d7ae98fa6ecd258224c72993317b6cc
Instruction Fuzzy Hash: D44181B6A40310DBC750AFA9FCC4B6A7BA4F785B49F00053AF80992360E7788845CB9D

Function 0047A1D0 Relevance: 19.7, APIs: 13, Instructions: 161threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047A1EA
GetForegroundWindow.USER32(?,00000000,753C5170,?,?,?,?,00000000,?,?,00000000,0040FFFD,?,00000000,?,00000002), ref: 0047A207
IsIconic.USER32(00000000), ref: 0047A210
ShowWindow.USER32(00000000,00000009,?,00000000,753C5170,?,?,?,?,00000000,?,?,00000000,0040FFFD,?,00000000), ref: 0047A21D
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047A25C
AttachThreadInput.USER32(00001E3C,00000000,00000001), ref: 0047A284
AttachThreadInput.USER32(00000000,?,00000001), ref: 0047A2A1
SetForegroundWindow.USER32(00000000), ref: 0047A2BD
GetForegroundWindow.USER32(?,?,?,00000000,753C5170,?,?,?,?,00000000,?,?,00000000,0040FFFD,?,00000000), ref: 0047A2DF
GetWindow.USER32(00000000,00000004), ref: 0047A2F6
AttachThreadInput.USER32(00001E3C,?,00000000), ref: 0047A35A
AttachThreadInput.USER32(?,?,00000000), ref: 0047A373
BringWindowToTop.USER32(00000000), ref: 0047A37E

Part of subcall function 0047A170: SetForegroundWindow.USER32(00000000), ref: 0047A172
Part of subcall function 0047A170: GetForegroundWindow.USER32(?,?,?,?,?,00000000,753C5170,?,?,?,?,00000000,?,?,00000000,0040FFFD), ref: 0047A198

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Thread$Foreground$AttachInput$Process$BringIconicShow
String ID:
API String ID: 2800171079-0
Opcode ID: 8547cf8a207538732f5142beff319aa9c362607ebd2652fa2b0a1477a5643b86
Instruction ID: 17429e58e888e940572dc26b2deb07df03c943be040ae62c52dc4e4a82a2be25
Opcode Fuzzy Hash: 8547cf8a207538732f5142beff319aa9c362607ebd2652fa2b0a1477a5643b86
Instruction Fuzzy Hash: 994119717443046BE320AF61AC45BAF7B98ABC1704F44446EFD09963A2E7BDD81486AF

Function 02130410 Relevance: 18.3, APIs: 6, Strings: 4, Instructions: 767COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0213042F
__snwprintf.LIBCMT ref: 02130462

Strings

ByRef, xrefs: 02130815
, :=*), xrefs: 021307EA, 02130855
, =), xrefs: 02130A6A
Parameters of hotkey functions must be optional., xrefs: 02130DB4

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __snwprintf_wcschr
String ID: , :=*)$, =)$ByRef$Parameters of hotkey functions must be optional.
API String ID: 1333472643-784389657
Opcode ID: 799778324e15fd4bd9d564c5f87624465aec5e8ed1b12ff5ac35523e9795f330
Instruction ID: b290463534c11296cfd57a345b14ccd30676217268b28ea82a0911d2843220d5
Opcode Fuzzy Hash: 799778324e15fd4bd9d564c5f87624465aec5e8ed1b12ff5ac35523e9795f330
Instruction Fuzzy Hash: EA423571A84301AFC735DF14D880BBBB3E6EF88314F14856DE8898B291E775E945CB92

Function 0046A020 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme,?,?,?,00000000,?,00465C4F,?,00000000,?,0000041D,00000000,00000000,?,0000000B,00000000), ref: 0046A04F
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0046A061
FreeLibrary.KERNEL32(00000000,?,0000041D,00000000,00000000,?,0000000B,00000000,00000000), ref: 0046A079
SendMessageW.USER32(?,00000406,?,?), ref: 0046A0D1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0046A0EA
SendMessageW.USER32(?,00002001,00000000,?), ref: 0046A107
GetSysColor.USER32(0000000F), ref: 0046A121
SendMessageW.USER32(?,00002001,00000000,?), ref: 0046A137

Strings

uxtheme, xrefs: 0046A04A
SetWindowTheme, xrefs: 0046A05B

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$Library$AddressColorFreeLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 2745204275-1369271589
Opcode ID: bc8fd5fb37f945784390bae8e6c4ebbbed511f63bcebccefae0619b0e65411b7
Instruction ID: 0c98885233e324aa85396c276109a4b44d240bcd2a1bbc61294b01052b2a8841
Opcode Fuzzy Hash: bc8fd5fb37f945784390bae8e6c4ebbbed511f63bcebccefae0619b0e65411b7
Instruction Fuzzy Hash: 5431C671200B00AEE6209A258C85B67B798EF01324F20061FF652A76D1F7B9EC91CB5F

Function 02194870 Relevance: 17.1, Strings: 13, Instructions: 825COMMON

Download Yara Rule

Strings

Error text not found (please report), xrefs: 02195242
UCP), xrefs: 021949C3
BSR_ANYCRLF), xrefs: 02194CA8
CR), xrefs: 02194A73
UTF16), xrefs: 02194965
LF), xrefs: 02194AC7
no error, xrefs: 02195225
$, xrefs: 021951CF
ANY), xrefs: 02194BBB
BSR_UNICODE), xrefs: 02194D41
CRLF), xrefs: 02194B43
ANYCRLF), xrefs: 02194C33
NO_START_OPT), xrefs: 02194A1B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: $$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$NO_START_OPT)$UCP)$UTF16)$no error
API String ID: 0-3688278424
Opcode ID: dc7e4e8ba2595484d4e9e087d88513841886303a6c139d61aa3aab16971cf310
Instruction ID: 37e14a606ab9763c8f5fa3ac6e83a0b70d418c8b95a2605c59632c980a919b2c
Opcode Fuzzy Hash: dc7e4e8ba2595484d4e9e087d88513841886303a6c139d61aa3aab16971cf310
Instruction Fuzzy Hash: 1762F471A487859FCB298F18C8507BBB7E1FF84304F954A2EE4DA87380E7749545CB92

Function 02117020 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 395keyboardwindowthreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(004CA564,0000041E,004CAD70,00000000), ref: 021170DA
GetForegroundWindow.USER32 ref: 02117155
GetGUIThreadInfo.USER32(00000000,?), ref: 02117181
GetKeyboardLayout.USER32(00000000), ref: 0211719B
GetClassNameW.USER32(00000000,?,0000001C), ref: 021171BC
__wcsicoll.LIBCMT ref: 021171CF
GetKeyState.USER32(00000014), ref: 0211729B
_memset.LIBCMT ref: 021174FD

Strings

0, xrefs: 02117179

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClassForegroundInfoKeyboardLayoutMessageNamePostStateThreadWindow__wcsicoll_memset
String ID: 0
API String ID: 2278213348-4108050209
Opcode ID: d090e6ca451d25e10e170e707db30bd7b9c7091e9048aa6b59827ed99cb335eb
Instruction ID: 09d53d2c72c86dc8646bf9adaca991f90b649d20b04a87a508ef8d7fb606c3e8
Opcode Fuzzy Hash: d090e6ca451d25e10e170e707db30bd7b9c7091e9048aa6b59827ed99cb335eb
Instruction Fuzzy Hash: B2E133319883819FE735CB65D854FA7BBE4AB86308F08447CE888473D2D774954BCBA6

Function 0218A420 Relevance: 15.2, APIs: 10, Instructions: 161threadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0214D50F), ref: 0218A457
IsIconic.USER32(?), ref: 0218A460
ShowWindow.USER32(?,00000009,?,?,?,?,?,?,0214D50F), ref: 0218A46D
AttachThreadInput.USER32(004CB4F0,00000000,00000001), ref: 0218A4D4
AttachThreadInput.USER32(00000000,?,00000001), ref: 0218A4F1
GetForegroundWindow.USER32(?,?,?,?,?,?,0214D50F), ref: 0218A52F
GetWindow.USER32(00000000,00000004), ref: 0218A546
AttachThreadInput.USER32(004CB4F0,?,00000000), ref: 0218A5AA
AttachThreadInput.USER32(?,?,00000000), ref: 0218A5C3
BringWindowToTop.USER32(?), ref: 0218A5CE

Part of subcall function 0218A3C0: SetForegroundWindow.USER32(?), ref: 0218A3C2
Part of subcall function 0218A3C0: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,0214D50F), ref: 0218A3E8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$AttachForegroundInputThread$BringIconicShow
String ID:
API String ID: 2023223573-0
Opcode ID: c7ec9a2515987fbe8d7cf564c87f77003f22eba3ced6b31050cb7459ae62b522
Instruction ID: 1d7780c8a965a85a411677b153d9b626d3d2e08fbfcf4642c8e0b79f55981c9f
Opcode Fuzzy Hash: c7ec9a2515987fbe8d7cf564c87f77003f22eba3ced6b31050cb7459ae62b522
Instruction Fuzzy Hash: EA4128717C43446FD720BF64AC89B2A7BD9AF81705F08043AFE41961A2EBB5D4448FA9

Function 004560C0 Relevance: 15.1, APIs: 10, Instructions: 123processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004560D5
Process32FirstW.KERNEL32(00000000,00000000), ref: 004560E7
__wcstoi64.LIBCMT ref: 00456113

Part of subcall function 00491933: wcstoxq.LIBCMT ref: 00491954

Process32NextW.KERNEL32(00000000,?), ref: 00456134
__wsplitpath.LIBCMT ref: 00456175
__wcsicoll.LIBCMT ref: 004561C5
Process32NextW.KERNEL32(?,?), ref: 004561DB
CloseHandle.KERNEL32(00000000), ref: 004561EE
CloseHandle.KERNEL32(00000000), ref: 00456201
CloseHandle.KERNEL32(?), ref: 00456218

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$Next$CreateFirstSnapshotToolhelp32__wcsicoll__wcstoi64__wsplitpathwcstoxq
String ID:
API String ID: 2291101207-0
Opcode ID: 88545c9bef7bae8dc7d8807c7e105aa4174bab01dd0a21c669607c046b9bf7f7
Instruction ID: 036c12701fcd6cf66a8ce1279056cbf7d6e515b3a8726fccb7ba67edbfa94fc8
Opcode Fuzzy Hash: 88545c9bef7bae8dc7d8807c7e105aa4174bab01dd0a21c669607c046b9bf7f7
Instruction Fuzzy Hash: A23102726043056BD720EB609C45BFF77A8EB85301F44492EFA06D7282E779DA0CC79A

Function 021785C0 Relevance: 13.7, APIs: 9, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0ca851aa29bbd844c3614b23e5e271a1bbac944d08adabe11153cbb632429f
Instruction ID: c75cc6158a59c1ff333161c73fd5d610ddbc1b685a1fd413a4c5d4899e3f4584
Opcode Fuzzy Hash: dd0ca851aa29bbd844c3614b23e5e271a1bbac944d08adabe11153cbb632429f
Instruction Fuzzy Hash: F87112726842189FD720EF68E888FAA77B9EBC5324F044566FD058B290D770DC18CBE1

Function 02169C10 Relevance: 13.5, APIs: 5, Strings: 2, Instructions: 1262COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0216BC8C

Strings

$cJ, xrefs: 0216BD15
`vD, xrefs: 02169FC0

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free
String ID: $cJ$`vD
API String ID: 269201875-1441683293
Opcode ID: 8ad9f42f84856b013ef9741288a65e88980550c3beaab711370d3bbcc8bdc435
Instruction ID: ceccd541e07986a7797d0d166aa8ad5706ac3e011f42f891716df568f8786b5a
Opcode Fuzzy Hash: 8ad9f42f84856b013ef9741288a65e88980550c3beaab711370d3bbcc8bdc435
Instruction Fuzzy Hash: E4B29B71944205CFDB24CF58C888BBEB7B2EF49318F2981A9D809AB355D735E991CF90

Function 00408140 Relevance: 13.0, APIs: 3, Strings: 4, Instructions: 799COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004081FD
_memset.LIBCMT ref: 0040821F
_memset.LIBCMT ref: 00408231

Part of subcall function 00408ED0: CreateThread.KERNEL32(00000000,00002000,00409200,00000000,00000000,004C9470), ref: 00408F2A
Part of subcall function 00408ED0: SetThreadPriority.KERNEL32(00000000,0000000F,?,?,?,?,?,?,?,?,?,00000000,00408D46,?,00000000), ref: 00408F40
Part of subcall function 00408ED0: PostThreadMessageW.USER32(00000000,00000417,?,00000000), ref: 00408F64
Part of subcall function 00408ED0: Sleep.KERNEL32(0000000A,?,?,?,?,?,?,?,?,?,00000000,00408D46,?,00000000,?,00000000), ref: 00408F70
Part of subcall function 00408ED0: GetTickCount.KERNEL32 ref: 00408F87
Part of subcall function 00408ED0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 00408FAA

Strings

t{L, xrefs: 004083DD
LjL, xrefs: 004082C6
HjL, xrefs: 004082D0
PjL, xrefs: 004082BC

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Thread$Message_memset$CountCreatePeekPostPrioritySleepTick_malloc
String ID: HjL$LjL$PjL$t{L
API String ID: 2797994793-938905590
Opcode ID: f7dac126c0f655bff1d16471c5db8f6fc25da5ac3cd5f33c276d3626b51e7ba6
Instruction ID: ffa0d5355a4f67753e3a21702c250b05d4e2a096a4fe72fb4fc13edf58fa1f0e
Opcode Fuzzy Hash: f7dac126c0f655bff1d16471c5db8f6fc25da5ac3cd5f33c276d3626b51e7ba6
Instruction Fuzzy Hash: 3C7235704083818EE725CF24C5547B2BBE1AF51308F0981BED8C95B3E2DB7DA999C75A

Function 02164EB0 Relevance: 12.3, APIs: 8, Instructions: 317comfileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 02164F98
_wcschr.LIBCMT ref: 02164FAA
GetFileAttributesW.KERNEL32(?), ref: 02164FBA
FindFirstFileW.KERNEL32(?,?), ref: 02164FD6
FindClose.KERNEL32(00000000), ref: 02164FE6
CoInitialize.OLE32(00000000), ref: 02164FEE
CoCreateInstance.COMBASE(004A17C8,00000000,00000001,004A17B8,?), ref: 02165007
CoUninitialize.COMBASE ref: 021651CB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FileFind_wcschr$AttributesCloseCreateFirstInitializeInstanceUninitialize
String ID:
API String ID: 1700229770-0
Opcode ID: cb5910261d48cb7db90d4ddefa7eb160039014c3355fab72c523a965e632ac90
Instruction ID: 69f6c7e916579d5f57ceff15a805698520dbc81bc3facfc6ab6e448d5d175eba
Opcode Fuzzy Hash: cb5910261d48cb7db90d4ddefa7eb160039014c3355fab72c523a965e632ac90
Instruction Fuzzy Hash: 67B1BB71284301AFD614EF68CC84F7A73AAABC8B14F50861CF9559B2D0DB70E8198B96

Function 0214D740 Relevance: 12.2, APIs: 8, Instructions: 221windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0214D788
GetForegroundWindow.USER32 ref: 0214D7B0
IsIconic.USER32(00000000), ref: 0214D7BF
GetWindowRect.USER32(?,?), ref: 0214D7D7
ClientToScreen.USER32(?,?), ref: 0214D805
WindowFromPoint.USER32(?,?), ref: 0214D869
_memset.LIBCMT ref: 0214D8D6
GetClassNameW.USER32(00000000,?,000000FC), ref: 0214D94A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ClassClientCursorForegroundFromIconicNamePointRectScreen_memset
String ID:
API String ID: 247462549-0
Opcode ID: 5a07e403cf189baff5b24ab41dfe8479df392b4fca16e53a58607d2a5a948e72
Instruction ID: 58bb438d2958c19ca6ce7446a1335f10c63c045e3608d4ed0883ea489c56d66d
Opcode Fuzzy Hash: 5a07e403cf189baff5b24ab41dfe8479df392b4fca16e53a58607d2a5a948e72
Instruction Fuzzy Hash: 9871D0726483019BC714DF68E884B7BB7E9ABC9714F044A3EF989C7250DB75D808CB96

Function 021873C0 Relevance: 12.2, APIs: 8, Instructions: 164fileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0218748A
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004CB508), ref: 021874B2
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004CB508), ref: 021874CA
_wcschr.LIBCMT ref: 0218751D
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004CB508), ref: 02187542
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004CB508), ref: 02187552

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID:
API String ID: 1717823228-0
Opcode ID: c8c1045d508bce00743c90e9b0b0598b8ee3e344abcbea2d898b3a5c5e9f3741
Instruction ID: 2ae82f41a5307b82dd890833c76a781ba42dc7c12878d6ad3390b7ff2984498e
Opcode Fuzzy Hash: c8c1045d508bce00743c90e9b0b0598b8ee3e344abcbea2d898b3a5c5e9f3741
Instruction Fuzzy Hash: D151293A9403019BC710BB60CCC5FABB7A9EF84355F598A28ED549B1D0F774E50ACBA1

Function 02154600 Relevance: 10.6, APIs: 7, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0215463B
GetFileSizeEx.KERNEL32(00000000,?,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0215464E
CloseHandle.KERNEL32(00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 02154657
FindFirstFileW.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 02154667
GetLastError.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 02154672
FindClose.KERNEL32(00000000,?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 021546AE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0215471A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: File$CloseFind$CreateErrorFirstHandleLastSizeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1680075938-0
Opcode ID: cd8f7bcb35db625a6ed9b051ebb112c66d3d8faf1ac26d9a42cb608c12cfdbfb
Instruction ID: bc948bff01e802047e76058ff51b67cec5a488b5061aec3d1471667d61ae3298
Opcode Fuzzy Hash: cd8f7bcb35db625a6ed9b051ebb112c66d3d8faf1ac26d9a42cb608c12cfdbfb
Instruction Fuzzy Hash: 82414A31794310BFD220DF68DC85F6AB7E5EB8A725F108359FE64AB2D0C7B094408B99

Function 02114910 Relevance: 10.6, APIs: 7, Instructions: 99clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 02114933
GlobalUnlock.KERNEL32(00000000), ref: 0211494A
CloseClipboard.USER32 ref: 02114953
GlobalFree.KERNEL32(00000000), ref: 0211499C
CloseClipboard.USER32 ref: 021149B7

Part of subcall function 02114A10: CloseClipboard.USER32 ref: 02114A31
Part of subcall function 02114A10: GlobalFree.KERNEL32(00000000), ref: 02114A55

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobal$Free$EmptyUnlock
String ID:
API String ID: 3602016276-0
Opcode ID: 6e0d18064490e9cc9fc47cac1d4288dd2eeab42c5373861d4703ab5c7c3b8c66
Instruction ID: e1511e2ffa5a823880f564f3b138b6d2211e6710e3b125618d4211edce40bfc3
Opcode Fuzzy Hash: 6e0d18064490e9cc9fc47cac1d4288dd2eeab42c5373861d4703ab5c7c3b8c66
Instruction Fuzzy Hash: 273161B26447069FD7309FA6E8C0516FBE4FF99B15B20893FE18782A64C730E480CB55

Function 004760E0 Relevance: 10.6, APIs: 7, Instructions: 82timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 00476117
GetSystemTimeAsFileTime.KERNEL32(?,023B2640,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 0047612D
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 0047613D
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 00476162
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 00476176
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00428364,00000000,00000001,00000000), ref: 00476186
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004761A8

Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475E69
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475E95
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475ECD
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F01
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F36
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F6B

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Time$File$_wcsncpy$System$Local$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1899144181-0
Opcode ID: de809b3cdc4eab887e5475d36ad2b7d2b50763ecfed09794ae83ccc3c9da1975
Instruction ID: b4b5e26bd7235a2b9c8f8a9be33654a6ff7a6b78bf7fa078ce0078da724f1c59
Opcode Fuzzy Hash: de809b3cdc4eab887e5475d36ad2b7d2b50763ecfed09794ae83ccc3c9da1975
Instruction Fuzzy Hash: 0621F1726043015BD700EB29DC44BEB7BA9EBC8344F44892DF548D2211E678E60CCBA6

Function 02182CE0 Relevance: 7.6, APIs: 5, Instructions: 110fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?), ref: 02182D2C
FindClose.KERNEL32(00000000), ref: 02182D38
GetFileAttributesW.KERNEL32(?,?), ref: 02182D4C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000,?,?), ref: 02182D6C
CloseHandle.KERNEL32(00000000), ref: 02182DEB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: File$CloseFind$AttributesCreateFirstHandle
String ID:
API String ID: 2368773240-0
Opcode ID: 8ef67fb86e7cfb53ddda021e31bd1e255b2da095c10377ed57261963219d52de
Instruction ID: 01e537d12e607b8fdeaf4441d8b6e19c5f10601977c1a0876b67749352e86346
Opcode Fuzzy Hash: 8ef67fb86e7cfb53ddda021e31bd1e255b2da095c10377ed57261963219d52de
Instruction Fuzzy Hash: 3F312435280341ABE331AB18DC84BAB7BA8EF85764F10072AFE50D71E0F775D9068A95

Function 021A6906 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 021AAF51
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 021AAF66
UnhandledExceptionFilter.KERNEL32(004A37EC), ref: 021AAF71
GetCurrentProcess.KERNEL32(C0000409), ref: 021AAF8D
TerminateProcess.KERNEL32(00000000), ref: 021AAF94

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: d79cb2de0cd95a64b14553f2be4021d180462ae28f75077c9fd83984ff13d5bb
Instruction ID: 0c935445a9c792f757ae424ac163d9603852ee9df887303b520ca572e50bbe5e
Opcode Fuzzy Hash: d79cb2de0cd95a64b14553f2be4021d180462ae28f75077c9fd83984ff13d5bb
Instruction Fuzzy Hash: 8B21CAB9841324DFD780EF64E888A597BB4BB59355F61403EE50AC72B0EBB199808F4D

Function 0219E500 Relevance: 7.2, Strings: 5, Instructions: 1000COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0219E9AC
VUUU, xrefs: 0219E973
ERCP, xrefs: 0219E5D9
VUUU, xrefs: 0219E9FF
VUUU, xrefs: 0219E988

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d686b31caea2ab6f13d2d795aa8851bc5ec71db7b80f89c2f618eff3f2bac86a
Instruction ID: 89d6118a49da0458fb10577f4954dd61b875f20353b4a729b9844f91f6d8c61c
Opcode Fuzzy Hash: d686b31caea2ab6f13d2d795aa8851bc5ec71db7b80f89c2f618eff3f2bac86a
Instruction Fuzzy Hash: 918271716483418BDF34CF18C4907AAB7E2FB84319F188A2FE99987390D775D885CB92

Function 00444070 Relevance: 6.1, APIs: 4, Instructions: 108filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(023B2640,?), ref: 0044409C
GetLastError.KERNEL32 ref: 004440A7
FindClose.KERNEL32(00000000), ref: 004440E5
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044413C

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: File$FindTime$CloseErrorFirstLastLocal
String ID:
API String ID: 1380247339-0
Opcode ID: ca23051393882d4136f75d9a3ee6569a51491ec7af40c4a0d427826f3cfb1cc1
Instruction ID: e4b9cdb8433bc524a64689125bc5d6290bfd951b95cd09f2084f24f87c0194b9
Opcode Fuzzy Hash: ca23051393882d4136f75d9a3ee6569a51491ec7af40c4a0d427826f3cfb1cc1
Instruction Fuzzy Hash: 523168721043016BE320DB24DC46FE737A8ABA532DF14872FF9546A2E0D7B89540C38D

Function 0047A090 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,0047C4FA,023A50F0,?,00000001,00000000,00000000), ref: 0047A0BE
IsWindowVisible.USER32(00000000), ref: 0047A0D8
IsIconic.USER32(00000000), ref: 0047A0F0
ShowWindow.USER32(00000000,00000009), ref: 0047A0FD

Part of subcall function 0047A720: GetForegroundWindow.USER32(?,?,?,00409D0F,004C91B0,004A3890,00000000,00000000,00000000,00000000), ref: 0047A761
Part of subcall function 0047A720: IsWindowVisible.USER32(00000000), ref: 0047A776

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$IconicShow
String ID:
API String ID: 4166660966-0
Opcode ID: 9fd2a1f583c8370908ad67f14b09a1257fb0a0e02fc4437555c4086be6048092
Instruction ID: ae7e11206276414c0d485b99f2c00ecbcac3dcdcd5e6f38e61c5981dbb390e15
Opcode Fuzzy Hash: 9fd2a1f583c8370908ad67f14b09a1257fb0a0e02fc4437555c4086be6048092
Instruction Fuzzy Hash: BD216020A042055EFB209F15D8007AF77E8EBD2355F94C81BE88D87391E778DCA5866B

Function 02187A10 Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,?), ref: 02187A2F
IsIconic.USER32(00000000), ref: 02187A3C
GetWindowRect.USER32(00000000,?), ref: 02187A50
ClientToScreen.USER32 ref: 02187A6E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: 760de7af4a8b37d3d73448798450031f28f3f25e901512f845b8e37386971a51
Instruction ID: 3693a17d2a89e70deeec68000a289c5811e4d3f97bbcab12201c52fe997ac24e
Opcode Fuzzy Hash: 760de7af4a8b37d3d73448798450031f28f3f25e901512f845b8e37386971a51
Instruction Fuzzy Hash: 9301A2395442119BD310EF68CC88BBBBBF8EFC5654F19852CFC9592261E730C906CB92

Function 021879B0 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0212024D,?), ref: 021879B4
IsIconic.USER32(00000000), ref: 021879C1
GetWindowRect.USER32(00000000,?), ref: 021879D7
ClientToScreen.USER32 ref: 021879F5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: 3ebc524c6c6a218fc2b62e2b68d5937c10ba475563134175d26723ce69d41a63
Instruction ID: a0a64610c3c7187f26920eb529055fab86d898a604a69a0b7791468f1176a1f3
Opcode Fuzzy Hash: 3ebc524c6c6a218fc2b62e2b68d5937c10ba475563134175d26723ce69d41a63
Instruction Fuzzy Hash: B1F09038404312DFD312EF14CC8479BBBE8AF85398F448828E84181260E334CA068FA6

Function 02123DD0 Relevance: 4.6, APIs: 3, Instructions: 105keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 02123DDC
_memset.LIBCMT ref: 02123DFD
MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 02123EC6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutVirtual_memset
String ID:
API String ID: 864426193-0
Opcode ID: 8513564c3313c591a2c7cca2330690e911b8bcfccf49020e5d82ee4055b193a1
Instruction ID: 4a8fd7a4cc7c171f40e3c840b34b90bfe5d60f4fcb58cfde51d98312e13628c8
Opcode Fuzzy Hash: 8513564c3313c591a2c7cca2330690e911b8bcfccf49020e5d82ee4055b193a1
Instruction Fuzzy Hash: ED31D1326813107AE324DB529C46FEB77A8EBC5F14F444819B6919A0C0E379E61DC7B6

Function 02187330 Relevance: 4.6, APIs: 3, Instructions: 50fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,?), ref: 0218736E
FindClose.KERNEL32(00000000,?,?,?), ref: 0218737A
GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 02187395

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: dca11533afd82922be7dd366876d59251fd28c1c61952bd83731f9f2bffba0a9
Instruction ID: 1ddb499040ccb4bd1baa85fa9be625553f76f63906d451394bb41ef18cc16899
Opcode Fuzzy Hash: dca11533afd82922be7dd366876d59251fd28c1c61952bd83731f9f2bffba0a9
Instruction Fuzzy Hash: 90014E3D5C0A0157D7217B24DCC57AFB755AF85331F744224EC68922D0F73C80479A66

Function 0211092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0211095F
l, xrefs: 02110966
GetProcAddress., xrefs: 021109DC, 021109DF, 021109E4

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d486d75307bc883e2e3f020181736d47453b96a2fc3586c5d122d2491ae3b294
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD316CB6900609DFDB10CF99C880AAEBBF5FF48324F15405AD845AB314D771EA85CFA4

Function 02124A41 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02124A4F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 09e10f347fb4de67ab11833470fbe0e5969e7ce1195d3ab2e3671124570c9cea
Instruction ID: 3f1b71a485ae7ad70e678dc47a2973ba57dc96c8f551c34710cbbe170beb5e59
Opcode Fuzzy Hash: 09e10f347fb4de67ab11833470fbe0e5969e7ce1195d3ab2e3671124570c9cea
Instruction Fuzzy Hash: 1011E6325755218BE324CF3ACC81556B7E2EBD4304724CBADE4A3872D5DA39A906DB88

Function 02124A40 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02124A4F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: fdef99ca3e814b9f2efecba622b042c935186b35e85c4f31d65665be6ffd0582
Instruction ID: 4f15ce218b470de870cec51280ad78f8b60257648f5f467b4911db22c36a48b6
Opcode Fuzzy Hash: fdef99ca3e814b9f2efecba622b042c935186b35e85c4f31d65665be6ffd0582
Instruction Fuzzy Hash: D111E9315715208BE314CF3ADC8165673E2E7D4305B24CB7DE4A3832D4DB39A906DB88

Function 004981F2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000981B0), ref: 004981F7

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf844d523f961588a1c7548d3fa2ebb8ae1b6a6ed957c2ff30a3db27bc0a8a02
Instruction ID: 021c6d52382ca28787a27ed5fc3266060751a9f8a54b99470d6765a1e8ab81d2
Opcode Fuzzy Hash: cf844d523f961588a1c7548d3fa2ebb8ae1b6a6ed957c2ff30a3db27bc0a8a02
Instruction Fuzzy Hash: 9B9002662521104ACB4017765C0A6457D905BCA642B5584B5A001D5078DF6480155519

Function 02185E00 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b6c8dcd1fa6505b02d100f0cfa9bebda4992a6bc8538c07f690c2cb3bc5d55
Instruction ID: d4626f5f6baadc693402effd8bcbd379ad1abf2815bd1abf302eef3871043d73
Opcode Fuzzy Hash: e1b6c8dcd1fa6505b02d100f0cfa9bebda4992a6bc8538c07f690c2cb3bc5d55
Instruction Fuzzy Hash: C041E962B5011657D70C983DCDD6392A98BEBD8604F9AC636E284CF3D9EF20ED054AC0

Function 0056C713 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627243778.000000000056C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0056C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e56d2326fb955286f1f2067dba04c89630adfeb1ee9054b31f2d78cd8f903110
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 91117C72340100AFDB54DE55DC81EA67BEAFB89320B2980A9ED44CB312D775E841CB60

Function 02110D90 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 26b807cc2e022fa720d3a71b3601b917d4ef4b55e9eba8d944ae4e56a50321b7
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: A6F0CD76A406149FDF21CF24C805BAE73F9FB89215F0441B8DC0AD7242D331E9828B90

Function 0045D0B0 Relevance: 94.7, APIs: 27, Strings: 27, Instructions: 219COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0045D0C8
__wcsicoll.LIBCMT ref: 0045D0DD

Strings

Text, xrefs: 0045D0C2
Tab2, xrefs: 0045D1FF
Tab, xrefs: 0045D1EA
Radio, xrefs: 0045D116
GroupBox, xrefs: 0045D229
DDL, xrefs: 0045D12B
ComboBox, xrefs: 0045D157
Custom, xrefs: 0045D2E8
ListBox, xrefs: 0045D16C
Pic, xrefs: 0045D23E
ActiveX, xrefs: 0045D2BE
Tab3, xrefs: 0045D214
TreeView, xrefs: 0045D196
Link, xrefs: 0045D2D3
DateTime, xrefs: 0045D26A
Button, xrefs: 0045D0EC
UpDown, xrefs: 0045D1AB
Slider, xrefs: 0045D1C0
DropDownList, xrefs: 0045D141
MonthCal, xrefs: 0045D27F
Picture, xrefs: 0045D254
Hotkey, xrefs: 0045D294
Progress, xrefs: 0045D1D5
Checkbox, xrefs: 0045D101
Edit, xrefs: 0045D0D7
StatusBar, xrefs: 0045D2A9
ListView, xrefs: 0045D181

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: ActiveX$Button$Checkbox$ComboBox$Custom$DDL$DateTime$DropDownList$Edit$GroupBox$Hotkey$Link$ListBox$ListView$MonthCal$Pic$Picture$Progress$Radio$Slider$StatusBar$Tab$Tab2$Tab3$Text$TreeView$UpDown
API String ID: 3832890014-2446625512
Opcode ID: 05998e2bf40298e05412c69ee4ccec4e51171e1a594c8263a79989ee3e2bf4cd
Instruction ID: b644e71329dbc9069807f060f6f62ee20423c9fd87c4a688b797254deea0c125
Opcode Fuzzy Hash: 05998e2bf40298e05412c69ee4ccec4e51171e1a594c8263a79989ee3e2bf4cd
Instruction Fuzzy Hash: FB516A4DE41A15215DA035362D03BDF22482C71B4FBC8547BFD0895743F68EA7AEA2BE

Function 02125FA0 Relevance: 39.2, APIs: 26, Instructions: 215COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02125FB8
__wcsicoll.LIBCMT ref: 02125FD0

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 69694fa98078b1d067c214e58a306f53fd20f2fecaf1e339aacc250acb128ac1
Instruction ID: 637ddcdb99d92791a1c683680b8f7625544094a31117aacfced32aeb4612390c
Opcode Fuzzy Hash: 69694fa98078b1d067c214e58a306f53fd20f2fecaf1e339aacc250acb128ac1
Instruction Fuzzy Hash: 3F517075BC162576EF1121394C02B9E204EEF62747FE58078FC08C56C2FB8DD62B61AA

Function 02150F60 Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 486COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 02150F8B
__wcstoi64.LIBCMT ref: 02150FC3
mixerOpen.WINMM(?,00000000,00000000,00000000,00000000), ref: 0215102F
mixerGetDevCapsW.WINMM(?,?,00000050), ref: 02151092
_memset.LIBCMT ref: 021510BB
mixerGetLineInfoW.WINMM(?,?,00000003), ref: 021510ED
mixerClose.WINMM(?), ref: 02151100
mixerGetLineInfoW.WINMM(?,?,00000000), ref: 0215114C
mixerGetLineInfoW.WINMM(?,?,00000001), ref: 02151189
mixerClose.WINMM(?), ref: 021511CF
mixerGetLineControlsW.WINMM(?,?,00000002), ref: 02151260
mixerClose.WINMM(?), ref: 0215126F
mixerGetControlDetailsW.WINMM(?,?,00000000), ref: 02151341
mixerClose.WINMM(?), ref: 02151350
mixerSetControlDetails.WINMM(?,?,00000000), ref: 021513EF
mixerClose.WINMM(?), ref: 021513FC
mixerClose.WINMM(?), ref: 021514A2

Strings

Off, xrefs: 021514CF, 021514DE
9J, xrefs: 02151402
Can't Change Setting, xrefs: 0215140B, 02151413
Can't Get Current Setting, xrefs: 02151359

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: mixer$Close$Line$Info$ControlDetails$CapsControlsOpen__fassign__wcstoi64_memset
String ID: 9J$Can't Change Setting$Can't Get Current Setting$Off
API String ID: 1407323690-312032509
Opcode ID: 617bc19ba311237f7e83c4fabe314323277bb2985cc1e831e26138c74418c644
Instruction ID: 04e17d082bb4f31ed8132b5957e89c400da1e2d74149ff7a6c32ee35bcdee885
Opcode Fuzzy Hash: 617bc19ba311237f7e83c4fabe314323277bb2985cc1e831e26138c74418c644
Instruction Fuzzy Hash: DB024471688350EFC721DF54D880BAEB7E1BBC8710F004AAEF9A997290D7719844CB96

Function 021274E0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 244windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02127511

Part of subcall function 02188410: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004A1654,?,004CB508,00000000,FFFFFF61,00000000,00000000,00000000,004CB508,004A1654,004CB508), ref: 02188429
Part of subcall function 02188410: FindResourceW.KERNEL32(004CA55C,004CA55C,0000000E), ref: 0218848F
Part of subcall function 02188410: LoadResource.KERNEL32(004CA55C,00000000), ref: 0218849F
Part of subcall function 02188410: LockResource.KERNEL32(00000000), ref: 021884AE
Part of subcall function 02188410: GetSystemMetrics.USER32(0000000B), ref: 021884D6
Part of subcall function 02188410: FindResourceW.KERNEL32(004CA55C,?,00000003), ref: 02188536
Part of subcall function 02188410: LoadResource.KERNEL32(004CA55C,00000000), ref: 02188544
Part of subcall function 02188410: LockResource.KERNEL32(00000000), ref: 0218854F

GetSystemMetrics.USER32(00000031), ref: 0212755B

Part of subcall function 02188410: EnumResourceNamesW.KERNEL32 ref: 02188476
Part of subcall function 02188410: SizeofResource.KERNEL32(004CA55C,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0218856A
Part of subcall function 02188410: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 02188572
Part of subcall function 02188410: ExtractIconW.SHELL32(00000000,?,?), ref: 021885B2

LoadCursorW.USER32(00000000,00007F00), ref: 0212758B
GetForegroundWindow.USER32 ref: 021275FF
GetClassNameW.USER32(00000000,?,00000040), ref: 02127611
__wcsicoll.LIBCMT ref: 02127625
GetMenu.USER32(00000000), ref: 021276AB
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 021276BB
GetDC.USER32(00000000), ref: 021276FF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02127738
MulDiv.KERNEL32(0000000A,00000000), ref: 02127741
CreateFontW.GDI32(00000000), ref: 0212774A
ReleaseDC.USER32(004CA568,00000000), ref: 0212775C
SetWindowLongW.USER32(004CA564,000000EC,00000000), ref: 021277C5
LoadAcceleratorsW.USER32(004CA55C,000000D4), ref: 021277D7

Part of subcall function 02127910: _memset.LIBCMT ref: 02127920
Part of subcall function 02127910: _wcsncpy.LIBCMT ref: 02127992
Part of subcall function 02127910: Shell_NotifyIconW.SHELL32(00000000,?), ref: 021279A5

Strings

AutoHotkey, xrefs: 02127534, 02127679
Lucida Console, xrefs: 02127715, 0212771A
0, xrefs: 0212752C
Consolas, xrefs: 0212770E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Resource$Load$Icon$CreateFindLockMenuMetricsSystemWindow_memset$AcceleratorsCapsClassCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$Consolas$Lucida Console
API String ID: 2593902739-2828415984
Opcode ID: 0fcba408fbe9a4d6741a8c3944e1225a8a43b2592bf6812f5b7c7262be9d5cbe
Instruction ID: f6fa811abb4c940f8218a48c817ab56d0955d66a3774838e1c80b94484a2f07b
Opcode Fuzzy Hash: 0fcba408fbe9a4d6741a8c3944e1225a8a43b2592bf6812f5b7c7262be9d5cbe
Instruction Fuzzy Hash: 91810670A84310BFF3209B64DC49F67BBA8EB45B44F14442AF641A72E0D7B4A415CFAE

Function 00446180 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCursorInfo.USER32 ref: 004461A2
_wcsncpy.LIBCMT ref: 004461BC

Strings

Unknown, xrefs: 004461B6

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CursorInfo_wcsncpy
String ID: Unknown
API String ID: 437400337-1654365787
Opcode ID: fc493116bc683cded7e268044b68874f89d91ff70af54ca53691fd7c4bd50eaa
Instruction ID: 46b3d5fbc9bfc14c85e7ed5a46a3168f958799a1367b2d0f904bd814c3e03f3a
Opcode Fuzzy Hash: fc493116bc683cded7e268044b68874f89d91ff70af54ca53691fd7c4bd50eaa
Instruction Fuzzy Hash: A241E9B0E48305AAE7509FB99C86F573E94E741B50F040577E50D9F2D1E6BE9004CF9A

Function 0045F0A0 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

%sY, xrefs: 0045F2DE
%sH, xrefs: 0045F3AF
%sW, xrefs: 0045F347
%sX, xrefs: 0045F275

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcstoui64
String ID: %sH$%sW$%sX$%sY
API String ID: 3882282163-2562685033
Opcode ID: daedca77e798d1172f481326697df5ce9e249a18959a95b72b764f077cf6f8e8
Instruction ID: 1d4e8a5fa73456e31df366311e2d192d29e107d47f06bc0ba10bff167f73240c
Opcode Fuzzy Hash: daedca77e798d1172f481326697df5ce9e249a18959a95b72b764f077cf6f8e8
Instruction Fuzzy Hash: 69E1E371708205ABD714DF24DC81F6B77A9EB88715F104A2EF8459B392D778EC08CB9A

Function 02113F70 Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 464windowCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(004C9458), ref: 02113F89
SetErrorMode.KERNEL32(00000001), ref: 02113F91

Part of subcall function 02152470: GetCurrentDirectoryW.KERNEL32(00008000,?,?,02113F9E), ref: 02152487

__wcsicoll.LIBCMT ref: 021140EE
__wcsicoll.LIBCMT ref: 02114104
__wcsicoll.LIBCMT ref: 02114116
__wcsicoll.LIBCMT ref: 02114128
__wcsnicmp.LIBCMT ref: 0211413C
FindWindowW.USER32(AutoHotkey,004CBFE4), ref: 02114387
FindWindowW.USER32(AutoHotkey,004CBFE4), ref: 021143EC
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 02114403
IsWindow.USER32(00000000), ref: 02114416
IsWindow.USER32(00000000), ref: 02114451
_setvbuf.LIBCMT ref: 021144B1
_malloc.LIBCMT ref: 021144CA
_memset.LIBCMT ref: 021144DF

Strings

AutoHotkey, xrefs: 02114382, 021143E7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window__wcsicoll$Find$CriticalCurrentDirectoryErrorInitializeMessageModePostSection__wcsnicmp_malloc_memset_setvbuf
String ID: AutoHotkey
API String ID: 3985478116-348589305
Opcode ID: f9ca806fb31f3e95242ba44cfadcbdc757ea43321a82213c7a6d103d435f31fb
Instruction ID: 272dd86065aace173afafe891f7d7a4ffe689ab194ac9696c9703fcf77740012
Opcode Fuzzy Hash: f9ca806fb31f3e95242ba44cfadcbdc757ea43321a82213c7a6d103d435f31fb
Instruction Fuzzy Hash: 85E15871684300AFE760AB649C46F2B77A5DB85B08F08053DF945DB2D1EBB4D904CB9A

Function 00462093 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysMonthCal32,004A3890,?,?,?,?,?,?,?,00400000,00000000), ref: 0046211C
SendMessageW.USER32(00000000,00001004,0000016E,00000000), ref: 00462145
SendMessageW.USER32(?,00001012,?,?), ref: 00462168
SendMessageW.USER32(?,00001002,00000000,?), ref: 004621E2
SendMessageW.USER32(?,0000100A,00000001,?), ref: 00462204
SendMessageW.USER32(?,00000030,?,?), ref: 0046222F
SendMessageW.USER32(?,00001009,00000000,?), ref: 00462264
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00462290
GetDC.USER32(?), ref: 0046231F
SelectObject.GDI32(00000000,?), ref: 00462341
GetTextMetricsW.GDI32(00000000,?), ref: 00462358
MoveWindow.USER32(00000000,?,?,00000000,?,00000001,?,00001009,00000000,?,?,?,00400000,00000000), ref: 004623EB

Strings

Can't create control., xrefs: 00462AC7
SysMonthCal32, xrefs: 00462116

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$Window$CreateMetricsMoveObjectSelectText
String ID: Can't create control.$SysMonthCal32
API String ID: 291046171-3692857110
Opcode ID: 99232d5ea3048cd0cee8d1d62dca7b0721d93b94c7fabca8c0f0c58578985b5b
Instruction ID: efd519e78a8c8aa6ab9e6559d19160f9a86486466bc844c10a5d886b8cb9d41f
Opcode Fuzzy Hash: 99232d5ea3048cd0cee8d1d62dca7b0721d93b94c7fabca8c0f0c58578985b5b
Instruction Fuzzy Hash: BBA17E74A08741AFD734CF54C985FAB77E5FB89700F10891EE98987390E7B89840CB5A

Function 0218B730 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 345COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0218B7F4
__wcstoui64.LIBCMT ref: 0218B873
IsWindow.USER32(00000000), ref: 0218B88D
__wcsnicmp.LIBCMT ref: 0218B8B8
__wcstoi64.LIBCMT ref: 0218B8DA

Part of subcall function 021A1B83: wcstoxq.LIBCMT ref: 021A1BA4

__wcsnicmp.LIBCMT ref: 0218B911
_wcsncpy.LIBCMT ref: 0218B944
__wcsicoll.LIBCMT ref: 0218B989
_wcsncpy.LIBCMT ref: 0218BAD2
_wcsncpy.LIBCMT ref: 0218BB38

Strings

ahk_, xrefs: 0218B7A3, 0218BA21, 0218BA46, 0218BB07

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsnicmp_wcsncpy$Window__wcsicoll__wcstoi64__wcstoui64wcstoxq
String ID: ahk_
API String ID: 3421470534-2579966955
Opcode ID: fb6d2e8ffca4b7901bfa4ce3410d003090297f37bda1653f95d9fc307ca779c0
Instruction ID: d31051cd4303d8fa7046e99ce13dcb489c4db9e7ae538bf1553a2fc76bc7ce08
Opcode Fuzzy Hash: fb6d2e8ffca4b7901bfa4ce3410d003090297f37bda1653f95d9fc307ca779c0
Instruction Fuzzy Hash: 4FC1E6759883029AD738AF2488D57BB73E5EF85708F14482DE89AC72A0F774D684CF52

Function 00432050 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 209COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00432059
__fassign.LIBCMT ref: 0043209B

Part of subcall function 00490F06: __fassign.LIBCMT ref: 00490EFC

Strings

Headphones, xrefs: 004320F5
Wave, xrefs: 004321E5
Speakers, xrefs: 004320DB
Telephone, xrefs: 004321A9
Line, xrefs: 00432131
N/A, xrefs: 0043223F
PCSpeaker, xrefs: 004321C7
Digital, xrefs: 00432113
Master, xrefs: 004320C1
Microphone, xrefs: 0043214F
Synth, xrefs: 0043216D
Analog, xrefs: 00432221
Aux, xrefs: 00432203

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign$_wcschr
String ID: Analog$Aux$Digital$Headphones$Line$Master$Microphone$N/A$PCSpeaker$Speakers$Synth$Telephone$Wave
API String ID: 3927346847-2477456585
Opcode ID: d598d0e755e760c58cc40369a864a245b9900337e6e8afd83d07863273dcf1c1
Instruction ID: d02e9d1e3281b1cdde8dd7962346593324612ce12881eaee76393b94655b3876
Opcode Fuzzy Hash: d598d0e755e760c58cc40369a864a245b9900337e6e8afd83d07863273dcf1c1
Instruction Fuzzy Hash: 6751A7B271452112DF20101D2E416FB318E4BAA33EF15936BF86DDA3C2FA8DC955529D

Function 02161770 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 021617C6
__wcsnicmp.LIBCMT ref: 021617ED
__fassign.LIBCMT ref: 0216181E

Part of subcall function 021A1156: __fassign.LIBCMT ref: 021A114C

__wcsicoll.LIBCMT ref: 02161851

Strings

$cJ, xrefs: 021617C5, 021617D0, 021617EC, 02161850, 0216186A, 02161884, 0216189E, 021618B8, 021618D2, 021618EC, 02161906, 02161920, 0216193A, 02161954

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign$__wcsicoll__wcsnicmp
String ID: $cJ
API String ID: 3933591233-417114052
Opcode ID: f655f65f083e092cdd04ce75a72253164f90d290f96cbc9c0dd1bad7d30e1469
Instruction ID: b8d8f98436dd330efed69a17bbc15dc03a76a9f8b0d6825abcb8bd1d130a8883
Opcode Fuzzy Hash: f655f65f083e092cdd04ce75a72253164f90d290f96cbc9c0dd1bad7d30e1469
Instruction Fuzzy Hash: 0B41B463AC022076EF21212E7C45BFE529E4FA2766F194476FC1CD9381F788D5A384D6

Function 02188720 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 02188731
GetObjectW.GDI32(00000000,00000018,?), ref: 02188756
CreateCompatibleDC.GDI32(00000000), ref: 0218876C
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 021887C0
SelectObject.GDI32(00000000,00000000), ref: 021887D3
DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 021887F7
GdiFlush.GDI32 ref: 021887FD
GetDIBits.GDI32(?,?,00000000,?,?,00000028,00000000), ref: 0218883E

Strings

(, xrefs: 021887AC

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CreateIconObject$BitsCompatibleDrawFlushInfoSectionSelect
String ID: (
API String ID: 1804173336-3887548279
Opcode ID: 061f37e25bd5a33774d6968a2fc616f16147bd4721569f5703f99e6527a25c30
Instruction ID: 0f8c19bb263fe16550255c36540a6197d9003e7f419d8736b48760dfb672c2bc
Opcode Fuzzy Hash: 061f37e25bd5a33774d6968a2fc616f16147bd4721569f5703f99e6527a25c30
Instruction Fuzzy Hash: F1513BB5E40319AFEB10DFA4DC85BAEBBB8FB49705F114429E906E7290D770A940CF64

Function 02187780 Relevance: 25.6, APIs: 17, Instructions: 142COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02187798
__wcsicoll.LIBCMT ref: 021877AB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: d0c358ebf6895ff03f568f9c1efc16f68fc90612bc43564d6cc40a0cdb50b885
Instruction ID: 50c5970cddb8f27a87814a1bc98fd37f3a28c1f9bcaa7cfe5103489b06e93fe7
Opcode Fuzzy Hash: d0c358ebf6895ff03f568f9c1efc16f68fc90612bc43564d6cc40a0cdb50b885
Instruction Fuzzy Hash: 8131391DAC1A15A2DF5132381C42BAE504A5F62747FF58179EC18D16C2FB8CC21B99FA

Function 0215FAE0 Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 458windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,00000000), ref: 0215FBAE
__wcsicoll.LIBCMT ref: 0215FCEE
__wcsnicmp.LIBCMT ref: 0215FD19
__wcsicoll.LIBCMT ref: 0215FD2E

Strings

", xrefs: 0215FE8C
$cJ, xrefs: 0215FB40

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$MessageSend__wcsnicmp
String ID: "$$cJ
API String ID: 3944189851-3052326342
Opcode ID: 30395a9efb1ca5d06cdf862ba683e6d18385a395c962001bcf11521cf6fdee94
Instruction ID: c39b575dfa3f98b2ba80b2848f2ee7a37ab75ef53f7c82fe03ffd4341d95808b
Opcode Fuzzy Hash: 30395a9efb1ca5d06cdf862ba683e6d18385a395c962001bcf11521cf6fdee94
Instruction Fuzzy Hash: 94F1F571A84351EFD720CF24C845B2AB7E5EF86344F1488AEFCA997681E374D942CB52

Function 02126F90 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 264comwindowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 02119120: CreateThread.KERNEL32(00000000,00002000,00409200,00000000,00000000,004C9470), ref: 0211917A
Part of subcall function 02119120: SetThreadPriority.KERNEL32(00000000,0000000F,?,00000100,00000000,02128051,02127F1F,?,00000100,?,00000000,02127F1F,00000100,004CB508,021406F5), ref: 02119190
Part of subcall function 02119120: PostThreadMessageW.USER32(004C9470,00000417,00000002,00000000), ref: 021191B4
Part of subcall function 02119120: Sleep.KERNEL32(0000000A,?,00000100,00000000,02128051,02127F1F,?,00000100,?,00000000,02127F1F,00000100,004CB508,021406F5), ref: 021191C0

Shell_NotifyIconW.SHELL32(00000002,004CB782), ref: 02126FD9
IsWindow.USER32(00000000), ref: 02126FF7
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 02127004
IsWindow.USER32(00000000), ref: 0212705B
DestroyWindow.USER32(00000000,?,?,?,?,00000000,00000000), ref: 02127069
IsWindow.USER32(004CC02C), ref: 02127137
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 02127144
ChangeClipboardChain.USER32(004CA564,004CBF9C), ref: 021271A6
RtlDeleteCriticalSection.NTDLL(004C9458), ref: 021271EF
OleUninitialize.OLE32(?,?,?,00000000,00000000), ref: 021271F5
_free.LIBCMT ref: 0212722B
_free.LIBCMT ref: 02127267

Part of subcall function 021A07B1: HeapFree.KERNEL32(00000000,00000000,?,021A3973,00000000,?,021A4C02,?,021865CE), ref: 021A07C7
Part of subcall function 021A07B1: GetLastError.KERNEL32(00000000,?,021A3973,00000000,?,021A4C02,?,021865CE), ref: 021A07D9

_free.LIBCMT ref: 021272A6

Strings

%E, xrefs: 02127208

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$DestroyThread_free$ChainChangeClipboardCreateCriticalDeleteErrorFreeHeapIconLastMessageNotifyPostPrioritySectionShell_SleepUninitialize
String ID: %E
API String ID: 1476608191-175436132
Opcode ID: 7e77eac20b4c0cf51beb5c6c381c3f11989bd2a3d91e0a1f1543f48f627b3eba
Instruction ID: b342ba918245ad33015cfeb3c29497289aa86f796126f2ea0a8f37624a865536
Opcode Fuzzy Hash: 7e77eac20b4c0cf51beb5c6c381c3f11989bd2a3d91e0a1f1543f48f627b3eba
Instruction Fuzzy Hash: 1F918FB5A803219BDB60DF69DC89F57B7E8AF45748F040428F845D32D0DB34E45ACBA9

Function 0211EF4A Relevance: 24.1, APIs: 16, Instructions: 126COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0211EF50
__wcsicoll.LIBCMT ref: 0211EF66
__wcsicoll.LIBCMT ref: 0211EF7C

Part of subcall function 0219FE69: __wcsicmp_l.LIBCMT ref: 0219FEE9

__wcsicoll.LIBCMT ref: 0211EF92
__wcsicoll.LIBCMT ref: 0211EFA8
__wcsicoll.LIBCMT ref: 0211EFBE
__wcsicoll.LIBCMT ref: 0211EFD4
__wcsicoll.LIBCMT ref: 0211EFEC

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID:
API String ID: 3172861507-0
Opcode ID: 9e641ab71462be267643f0b24931c8af59533eae0b7323605385d8d3933f82e4
Instruction ID: 41b87d0a12caae35bb1f23fdb71a31ed57f51f906c865dc9b878a54ddf86f640
Opcode Fuzzy Hash: 9e641ab71462be267643f0b24931c8af59533eae0b7323605385d8d3933f82e4
Instruction Fuzzy Hash: 8931BC6AAC171579EF2126359D02B5F108E0F32747FAE0175BC08E09C1FB9DD61B84BA

Function 02184B20 Relevance: 22.7, APIs: 15, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1655106ba314d673acc3bc3302a9c729f680f589154d6060e59c09f1f7b20a0
Instruction ID: 1d34444655bc006b1c11f2b43f043e0cbce228db965fb49176aa8ceef5937283
Opcode Fuzzy Hash: c1655106ba314d673acc3bc3302a9c729f680f589154d6060e59c09f1f7b20a0
Instruction Fuzzy Hash: 36514D79EC0206EACB20B7319CC1F6A72685B21709F164169DD08F7141FBA6F915CEE5

Function 02162B30 Relevance: 22.6, APIs: 15, Instructions: 127COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02162B48
__wcsicoll.LIBCMT ref: 02162B60

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 9ffbb126177cbce27a919969c034249650b9f1fd56411891ef97f50f950c4977
Instruction ID: 6132077dc19e244dc4d448c8e4a438ff68469318adcd9992ad6038d111ff165a
Opcode Fuzzy Hash: 9ffbb126177cbce27a919969c034249650b9f1fd56411891ef97f50f950c4977
Instruction Fuzzy Hash: 8031A255FC161976EF2120396C16BAE204E9F72B0BFE58070FC08D5682F79DD32684AB

Function 02157C90 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02157CF3
__wcsicoll.LIBCMT ref: 02157D8D
__wcsicoll.LIBCMT ref: 02157DA7
__wcsicoll.LIBCMT ref: 02157DC1
__wcsicoll.LIBCMT ref: 02157DDB
__wcsicoll.LIBCMT ref: 02157DF5
__wcsicoll.LIBCMT ref: 02157E0F
__wcsicoll.LIBCMT ref: 02157E29
__wcsicoll.LIBCMT ref: 02157E43
__wcsicoll.LIBCMT ref: 02157E5D
__wcsicoll.LIBCMT ref: 02157E77

Strings

*pP, xrefs: 02157CFD

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: *pP
API String ID: 1630244902-2395943462
Opcode ID: dfda745490470ced70b8fd5104b1091128ecafbf68f93390c581268ebf96236c
Instruction ID: 1f846aff57d94378dd59fcb66bcbf82afb6516010dcf77055f9385861507b1f1
Opcode Fuzzy Hash: dfda745490470ced70b8fd5104b1091128ecafbf68f93390c581268ebf96236c
Instruction Fuzzy Hash: 08613B72A80315DACB20DE24DC827AEF395EF91355F54447AEC29862C0E77AD14EC6A2

Function 0216F840 Relevance: 21.2, APIs: 14, Instructions: 196windowCOMMON

Download Yara Rule

APIs

DestroyCursor.USER32(00000000), ref: 0216F8B3
IsWindow.USER32(00000000), ref: 0216F8C2
ShowWindow.USER32(00000000,00000000,?,004CA9EC,004A1104,004A14F0,021270B1,00000000,?,?,?,?,00000000,00000000), ref: 0216F8D2
SetMenu.USER32(00000000,00000000), ref: 0216F8DE
DestroyWindow.USER32(00000000,?,004CA9EC,004A1104,004A14F0,021270B1,00000000,?,?,?,?,00000000,00000000), ref: 0216F8F8
DeleteObject.GDI32(?), ref: 0216F93F
DeleteObject.GDI32(?), ref: 0216F953
DragFinish.SHELL32(?,?,004CA9EC,004A1104,004A14F0,021270B1,00000000,?,?,?,?,00000000,00000000), ref: 0216F967
DestroyCursor.USER32(?), ref: 0216F99B
DeleteObject.GDI32(?), ref: 0216F9A3
_free.LIBCMT ref: 0216F9B3
DestroyAcceleratorTable.USER32(?), ref: 0216FA2B
_free.LIBCMT ref: 0216FA44

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Destroy$DeleteObjectWindow$Cursor_free$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 477100570-0
Opcode ID: 43299b5fae3ed141e4c3cb15f5b0b3339bc7b578aa0ec48daa3c7fca159ca565
Instruction ID: b5dfcb88751d13735b49e5a86352702572b3e53ca9fdeae23fd4259b6012066e
Opcode Fuzzy Hash: 43299b5fae3ed141e4c3cb15f5b0b3339bc7b578aa0ec48daa3c7fca159ca565
Instruction Fuzzy Hash: 4D619E75A40309AFDB20DF64EC88B7E77A9BF49308F148428F94787660C731E862CB95

Function 02188410 Relevance: 21.2, APIs: 14, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004A1654,?,004CB508,00000000,FFFFFF61,00000000,00000000,00000000,004CB508,004A1654,004CB508), ref: 02188429
EnumResourceNamesW.KERNEL32 ref: 02188476
FindResourceW.KERNEL32(004CA55C,004CA55C,0000000E), ref: 0218848F
LoadResource.KERNEL32(004CA55C,00000000), ref: 0218849F
LockResource.KERNEL32(00000000), ref: 021884AE
GetSystemMetrics.USER32(0000000B), ref: 021884D6
FindResourceW.KERNEL32(004CA55C,?,00000003), ref: 02188536
LoadResource.KERNEL32(004CA55C,00000000), ref: 02188544
LockResource.KERNEL32(00000000), ref: 0218854F
SizeofResource.KERNEL32(004CA55C,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0218856A
CreateIconFromResourceEx.USER32(00000000,00000000), ref: 02188572
FreeLibrary.KERNEL32(004CA55C), ref: 0218859D
ExtractIconW.SHELL32(00000000,?,?), ref: 021885B2
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 021885CF

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 048a3a54ad9021aff99276b9801c452cb05ba59a72117d3b1ce05db86fb240f6
Instruction ID: 96b1162cc7606b07a4d42e7afc7ae101b114487bb9e5f908997a663c067197d2
Opcode Fuzzy Hash: 048a3a54ad9021aff99276b9801c452cb05ba59a72117d3b1ce05db86fb240f6
Instruction Fuzzy Hash: D75127766853186BC3207F28DCC4B2BBBD9EB89B55F860929FD41D2291D774C8008FA5

Function 004310D0 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 170COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(753D5540,?,?,00000001), ref: 004310DA
GetWindowTextW.USER32(00000000,?,00000064), ref: 004310EF
_wcsncpy.LIBCMT ref: 00431196

Strings

Object, xrefs: 0043112F
, xrefs: 004311A6
(preempted: they will resume when the current thread finishes), xrefs: 004311E4
yes, xrefs: 0043120D, 00431220, 00431276
Key History has been disabled via #KeyHistory 0., xrefs: 004312D2, 004312E2
..., xrefs: 00431190
Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d, xrefs: 0043127F
Press [F5] to refresh., xrefs: 004312CB
%s , xrefs: 00431143

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText_wcsncpy
String ID: Key History has been disabled via #KeyHistory 0.$Press [F5] to refresh.$ $ (preempted: they will resume when the current thread finishes)$%s $...$Object$Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d$yes
API String ID: 216113120-1761195949
Opcode ID: bb7442268a7a5b734a4db2436c13b12395e86c7d6ac0d06ef2212b31d7e9908b
Instruction ID: 60b5086598c6e8fd7d8ca0f0e81e75a26701332749775db91bfce0b7b5b64f9b
Opcode Fuzzy Hash: bb7442268a7a5b734a4db2436c13b12395e86c7d6ac0d06ef2212b31d7e9908b
Instruction Fuzzy Hash: B0510671A002009BD724DB18DD49FABB7A5EF9D304F08853AE945D7360D778AA48C7DA

Function 02142AA0 Relevance: 21.1, APIs: 14, Instructions: 139COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02142ABB
__wcsicoll.LIBCMT ref: 02142AD1
__wcsicoll.LIBCMT ref: 02142AEA

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 70447c881cf2ee9db9f7f36cd032d4538b702ec2ea2e796e39445dbc06042209
Instruction ID: 10549d8eeddf4a516e99e6794d5c5a52a72b8897e2d065fdb52a7ad55b3fa833
Opcode Fuzzy Hash: 70447c881cf2ee9db9f7f36cd032d4538b702ec2ea2e796e39445dbc06042209
Instruction Fuzzy Hash: 58318472BC062466EE71253C7D02BDE114A4F62756F264072FC0CE5280FB9DDAC345EA

Function 021885F0 Relevance: 21.1, APIs: 14, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0218860C
CreateCompatibleDC.GDI32(00000000), ref: 02188619
GetIconInfo.USER32(?,?), ref: 0218862F
GetObjectW.GDI32(?,00000018,?), ref: 02188649
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02188662
SelectObject.GDI32(00000000,00000000), ref: 02188670
CreateSolidBrush.GDI32(FF000000), ref: 0218869B
FillRect.USER32(00000000,?,00000000), ref: 021886AA
DeleteObject.GDI32(00000000), ref: 021886B1
DrawIconEx.USER32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 021886D1
SelectObject.GDI32(00000000,00000000), ref: 021886D9
DeleteDC.GDI32(00000000), ref: 021886FC
ReleaseDC.USER32(00000000,00000000), ref: 02188705
DestroyCursor.USER32(?), ref: 0218870C

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Object$Create$CompatibleDeleteIconSelect$BitmapBrushCursorDestroyDrawFillInfoRectReleaseSolid
String ID:
API String ID: 3843881724-0
Opcode ID: 961a9039a57507e2d9bee586b1ec26e23ef3233729ab50ee2e99d6abf860a2a3
Instruction ID: 3cc123627b6cee3813b7307545653548872e73b6dce766c817d9c8d6c1fe56f9
Opcode Fuzzy Hash: 961a9039a57507e2d9bee586b1ec26e23ef3233729ab50ee2e99d6abf860a2a3
Instruction Fuzzy Hash: F4318175608341AFD3009F65DD88F6BBBF8FBCA641F50452DFA45C2260DB74D8058BAA

Function 02142820 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02142838
__wcsicoll.LIBCMT ref: 02142850
__wcsicoll.LIBCMT ref: 02142866
__wcsicoll.LIBCMT ref: 0214287C

Strings

Label, xrefs: 02142876

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Label
API String ID: 3832890014-3479601132
Opcode ID: d83fb8575d3ad96bb67cf47fa031fba4794f3df92d1c3330c37acadb1c1c532b
Instruction ID: 5435418ca5214321c2a0180721910b43810954be61a5370da42a16a85f7cfab4
Opcode Fuzzy Hash: d83fb8575d3ad96bb67cf47fa031fba4794f3df92d1c3330c37acadb1c1c532b
Instruction Fuzzy Hash: 01118E51FC162536EF1121345E02B9F208E5F22B07FE54075FC0CE4282FFADD68681AA

Function 00416100 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 004099C0: __wcsicoll.LIBCMT ref: 004099D8
Part of subcall function 004099C0: __wcsicoll.LIBCMT ref: 00409A25

__wcsicoll.LIBCMT ref: 0041611B
__wcsicoll.LIBCMT ref: 00416134

Strings

Default, xrefs: 00416160
SendAndMouse, xrefs: 00416147
MouseMove, xrefs: 00416179
Mouse, xrefs: 0041612E
Send, xrefs: 00416115
MouseMoveOff, xrefs: 00416192

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Default$Mouse$MouseMove$MouseMoveOff$Send$SendAndMouse
API String ID: 3832890014-605279031
Opcode ID: de8cfa3b36694bf235ae80368e368d37fb12e24f4299b2e130a036159bd821f2
Instruction ID: d4ae0d7396227b5d84992748cad4d750fe59f52535ecd0d333a2d8a851c1c425
Opcode Fuzzy Hash: de8cfa3b36694bf235ae80368e368d37fb12e24f4299b2e130a036159bd821f2
Instruction Fuzzy Hash: CF018FA6A40A2422EDD030397C03BDB11485B3271EF09457BFD04D8286F68DDAE941EE

Function 00473150 Relevance: 19.8, APIs: 13, Instructions: 265registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,00000000,004A3890,00000000,00000000,00000000,?,?,?,004A6324,?,00000000,?,023B1ACC,023B1B28), ref: 004731A0
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?,?,004A6324,?,00000000,?,023B1ACC,023B1B28), ref: 004731F3
_malloc.LIBCMT ref: 00473248
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,00000000,00000000), ref: 004732C1
_free.LIBCMT ref: 004732CA
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00473309
_malloc.LIBCMT ref: 0047334F
RegCloseKey.ADVAPI32(?,?,004A6324,?,00000000,?,023B1ACC,023B1B28), ref: 00473434
GetLastError.KERNEL32(?,004A6324,?,00000000,?,023B1ACC,023B1B28), ref: 0047343F

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Value$_malloc$CloseCreateErrorLast_free
String ID:
API String ID: 1054883360-0
Opcode ID: 2661be5ea765783d10fb68eebbc9c28203c77e90397dbe84c124a3e8f2aa7f80
Instruction ID: 83c4b8d5925f87eec5492b8964fea605b917884717f824344403eeeacf0f359a
Opcode Fuzzy Hash: 2661be5ea765783d10fb68eebbc9c28203c77e90397dbe84c124a3e8f2aa7f80
Instruction Fuzzy Hash: 059102312043019BD724CF64CC85BAB73A5EF88319F04C66AFD09DB291EB78EB45975A

Function 0045E0D0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

Icon, xrefs: 0045E313

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcstoui64
String ID: Icon
API String ID: 3882282163-3316025061
Opcode ID: 3db59b03080ad47d72f36b57564becc4f558e853a6f7fa4e173e7eb94a0bddea
Instruction ID: 4f6babe3b5fe45cf5f3f6e45856ab9ee7210e229121f7f643785480292ca5597
Opcode Fuzzy Hash: 3db59b03080ad47d72f36b57564becc4f558e853a6f7fa4e173e7eb94a0bddea
Instruction Fuzzy Hash: 94C13771604300ABC324DF26CC81B6B77E4EB99705F04492EFD859B392D779DA09CB9A

Function 00457150 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004572B9
__wcsicoll.LIBCMT ref: 004572D2
__wcsicoll.LIBCMT ref: 00457326
SysStringLen.OLEAUT32(?), ref: 00457358
SysFreeString.OLEAUT32(?), ref: 0045736C
__wcsicoll.LIBCMT ref: 0045738B
StringFromGUID2.OLE32(?,?,00000100,?,?,?,?,?,?,?,?), ref: 004573BC

Strings

name, xrefs: 004572C5, 00457320
clsid, xrefs: 004572CC
class, xrefs: 004572B3
iid, xrefs: 004572DE, 00457385

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$String$FreeFrom
String ID: class$clsid$iid$name
API String ID: 2668509760-3724380462
Opcode ID: 0d8363571a9b94f0f062ebf02e92d519a477cbd72faa21943773d79acff67e1b
Instruction ID: 5b4971c27b761cd22cfbd2a14c83a76d94b2813b845eb074291525b59ea35b39
Opcode Fuzzy Hash: 0d8363571a9b94f0f062ebf02e92d519a477cbd72faa21943773d79acff67e1b
Instruction Fuzzy Hash: 0981B1747082019FDB10DF65E881B6B73A4AF84326F1485BAFD048B392D779EC49C7A9

Function 02114640 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 186fileclipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 0211465A
IsClipboardFormatAvailable.USER32(0000000F), ref: 02114668

Part of subcall function 02114AE0: GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 02114B0C
Part of subcall function 02114AE0: __wcsnicmp.LIBCMT ref: 02114B1E
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114B37
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114B4C
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114B61
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114B76
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114B8B
Part of subcall function 02114AE0: __wcsicoll.LIBCMT ref: 02114BA0

GlobalUnlock.KERNEL32(00000000), ref: 021146D5
CloseClipboard.USER32 ref: 021146DE
GlobalLock.KERNEL32(00000000), ref: 021146F6
DragQueryFileW.SHELL32(00000000,000000FF,004A3890,00000000), ref: 02114741
DragQueryFileW.SHELL32(00000000,00000000,00000000,00000000), ref: 02114761
DragQueryFileW.SHELL32(00000000,000000FF,004A3890,00000000), ref: 021147BB
DragQueryFileW.SHELL32(00000000,00000000,00000100,000003E7), ref: 021147DB

Strings

GlobalLock, xrefs: 02114703
Can't open clipboard for reading., xrefs: 0211469A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$ClipboardDragFileQuery$Format$AvailableGlobal$CloseLockNameUnlock__wcsnicmp
String ID: Can't open clipboard for reading.$GlobalLock
API String ID: 1478223189-2469064134
Opcode ID: dd29e0b7d8c111da3b5b2db40538746cf8f750d538a33f8fca12f5ac384fccd6
Instruction ID: 7ca3e8b9aefe5caee542592e0db0669ce693cd2c8fd3d9cd6569f53470093296
Opcode Fuzzy Hash: dd29e0b7d8c111da3b5b2db40538746cf8f750d538a33f8fca12f5ac384fccd6
Instruction Fuzzy Hash: 16511A7B6803214BCB209F28EC8466AB7A4EF82B75F15477AED25DB294E730C850C7D5

Function 0212654C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021265D8
__wcsicoll.LIBCMT ref: 021265F0
__wcsicoll.LIBCMT ref: 02126608

Strings

Timeout, xrefs: 021266AA

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Timeout
API String ID: 3832890014-1325157390
Opcode ID: 2f10b2dc45a8f9fffb0e716a691594df527dd572d06910d19ea4718503983bc4
Instruction ID: 44ae968efd3bfbe3b7da1f85954ff08b43a8fb1d45a9319f755474562d3def41
Opcode Fuzzy Hash: 2f10b2dc45a8f9fffb0e716a691594df527dd572d06910d19ea4718503983bc4
Instruction Fuzzy Hash: 293173B3AC1664A7DF111124DC6B78F225DDB21B46FEA4069FC04C52C1FB4ED12B829A

Function 0212E8F0 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 85COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0212E9EC

Strings

&, xrefs: 0212E947
., xrefs: 0212E957
:, xrefs: 0212E927
{, xrefs: 0212E95F
*, xrefs: 0212E937
(, xrefs: 0212E917
<, xrefs: 0212E91F
!, xrefs: 0212E93F
+, xrefs: 0212E92F
^, xrefs: 0212E94F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy
String ID: !$&$($*$+$.$:$<$^${
API String ID: 1735881322-1765617229
Opcode ID: cb873b86e073b1a1373f77e5bf22a28e4949832ca99d9483de71b99a266ba19c
Instruction ID: 66711fc1a24e773341ce86a8c0ff1c29059b8e1f4ac8408df31cc4ff6c49c239
Opcode Fuzzy Hash: cb873b86e073b1a1373f77e5bf22a28e4949832ca99d9483de71b99a266ba19c
Instruction Fuzzy Hash: BD21E1729443148BCB609F29988476FBBE4EFC9304F04092FF99593240E7B6E95CCB92

Function 02168CC0 Relevance: 18.2, APIs: 12, Instructions: 249COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02168D60
SafeArrayGetDim.OLEAUT32(?), ref: 02168EE8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ArraySafe__wcsicoll
String ID:
API String ID: 2999837010-0
Opcode ID: 0aacecf6d83e9b75125e9f54ecaca64f9976bec8ae3af8df902332ebbfc92828
Instruction ID: d29cf0437f4791252dd5754436b15ce16aa7b74298ab4a341a64e158c5174b1f
Opcode Fuzzy Hash: 0aacecf6d83e9b75125e9f54ecaca64f9976bec8ae3af8df902332ebbfc92828
Instruction Fuzzy Hash: 6981FF726402019FC700DF64D888A7FB7E9EF89314F168429FD058B350E776E929CBA2

Function 00466020 Relevance: 18.2, APIs: 12, Instructions: 217windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046605E
GetWindowLongW.USER32 ref: 0046608D
_wcschr.LIBCMT ref: 004660D1
SendMessageW.USER32(?,?,00000000,?), ref: 0046611C
SendMessageW.USER32(?,00001061,?,?), ref: 00466157
SendMessageW.USER32(?,?,00000000,00000000), ref: 004661B9
SendMessageW.USER32(?,0000108F,00000000,00000000), ref: 004661F2
GetWindowLongW.USER32(?,000000F0), ref: 004661F9
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0046621E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00466240
SendMessageW.USER32(?,0000014E,00000001,?), ref: 0046625E
SendMessageW.USER32(0000014E,0000014E,?,00000000), ref: 00466270

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$LongWindow$_wcschr
String ID:
API String ID: 958538355-0
Opcode ID: 1606e40a3e9bd4938cf5ebdbdc43ffc24b456b6e63cc2bea668fa35e6ead4b79
Instruction ID: 0f73592dcf8f3297690ef9fa844bdd87fc029de1837e21c3ba2a72d06ca17557
Opcode Fuzzy Hash: 1606e40a3e9bd4938cf5ebdbdc43ffc24b456b6e63cc2bea668fa35e6ead4b79
Instruction Fuzzy Hash: 0871DEB0208341ABE320CF24CC91B77B7E9EF86710F154A1EF991862C1E779D845876A

Function 02126820 Relevance: 18.1, APIs: 12, Instructions: 101COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02126838
__wcsicoll.LIBCMT ref: 02126850

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 763b4a08367fb80ab68c97f41caea54974778ca69c2d2e876e7be94ba8099526
Instruction ID: c41111b65b9be446a30a2275b8e1dc8a657c6862234e9afe0352bd6c0ced9414
Opcode Fuzzy Hash: 763b4a08367fb80ab68c97f41caea54974778ca69c2d2e876e7be94ba8099526
Instruction Fuzzy Hash: BE21C665FC1766B6DF1121384C02B9E204E9F22B47FE48078FC08D42C1FB8DD62AD4AA

Function 0215EC00 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 405COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0215ED9A
__wcsnicmp.LIBCMT ref: 0215EDE4
__wcsnicmp.LIBCMT ref: 0215EE31
__wcsnicmp.LIBCMT ref: 0215EEC3
__wcsnicmp.LIBCMT ref: 0215EE90

Part of subcall function 0211EF10: __fassign.LIBCMT ref: 0211EF20

__wcsicoll.LIBCMT ref: 0215EEF2

Strings

M, xrefs: 0215EC8E
I, xrefs: 0215F18A
$cJ, xrefs: 0215ECB1
A, xrefs: 0215EC59

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsnicmp$__fassign__wcsicoll
String ID: $cJ$A$I$M
API String ID: 2762105059-3610979866
Opcode ID: d5452061242496e1760dee8bdc8edb3d9229d7e0e4f6e459b9cece3e4ef19fbc
Instruction ID: 569422a5ad028e5854688129daebf824598b89ab6530495bff2ef34042a39e2a
Opcode Fuzzy Hash: d5452061242496e1760dee8bdc8edb3d9229d7e0e4f6e459b9cece3e4ef19fbc
Instruction Fuzzy Hash: 0AE1F370E88361DFD720CF24C88472ABBE6EF46304F1448AEEDA587291E7B5D540CB56

Function 02112079 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 290windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetForegroundWindow.USER32 ref: 02111EDE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02111EF1
GetClassNameW.USER32(00000000,?,00000020), ref: 02111F0E
IsDialogMessageW.USER32(00000000,?), ref: 02113189
SetCurrentDirectoryW.KERNEL32(004A3890), ref: 021131B1

Strings

#32770, xrefs: 02111F14

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageWindow$ClassCurrentDialogDirectoryForegroundNameProcessThread
String ID: #32770
API String ID: 2321113096-463685578
Opcode ID: 117f863355fcd52777c20b819e5933bd310008fddda94180c0a30c0bc9e525ba
Instruction ID: 7af00d99e4170e7c93c56c063776aef53e88c1221066cfa87726e8360551cb0a
Opcode Fuzzy Hash: 117f863355fcd52777c20b819e5933bd310008fddda94180c0a30c0bc9e525ba
Instruction Fuzzy Hash: 6AB10571588351AFD724CF28C8887AEF7E5BF85308F48453DEA9987264D370D885CB46

Function 02112214 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 265windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
GetForegroundWindow.USER32 ref: 02111EDE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02111EF1
GetClassNameW.USER32(00000000,?,00000020), ref: 02111F0E
DragFinish.SHELL32(?), ref: 0211254D
IsDialogMessageW.USER32(00000000,?), ref: 02113189
SetCurrentDirectoryW.KERNEL32(004A3890), ref: 021131B1

Strings

#32770, xrefs: 02111F14

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageWindow$ClassCurrentDialogDirectoryDragFinishFocusForegroundNameProcessThread
String ID: #32770
API String ID: 985188229-463685578
Opcode ID: 7cd0ee11d296b2da490e3e09071073419012d8596fc39099f7fbc25560c7a98f
Instruction ID: b822b89a746bb1655f6b585ddf94ad72ee184d9141f396bee86462eed49e785b
Opcode Fuzzy Hash: 7cd0ee11d296b2da490e3e09071073419012d8596fc39099f7fbc25560c7a98f
Instruction Fuzzy Hash: 839118716C4311AFDB74DF28C8D87AEB7E5AF85308F484539EA5987264D330D881CB96

Function 0214A4D0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0214A4DD
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0214A521
_malloc.LIBCMT ref: 0214A574
SelectObject.GDI32(?,?), ref: 0214A5B7
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0214A5D7
GetSystemPaletteEntries.GDI32(?,00000000,00000100), ref: 0214A607

Strings

(, xrefs: 0214A510

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Bits$CompatibleCreateEntriesObjectPaletteSelectSystem_malloc
String ID: (
API String ID: 1101625044-3887548279
Opcode ID: 2b9e0e64f3c37e92d7b74bc8201751dc7ff7d92c1a64efae3f7101dc6e3b9b1f
Instruction ID: f489611bee248e061af9bb4053575f3ed6d721dbebf78efabfe2897985e51ddc
Opcode Fuzzy Hash: 2b9e0e64f3c37e92d7b74bc8201751dc7ff7d92c1a64efae3f7101dc6e3b9b1f
Instruction Fuzzy Hash: 1461D5B5A402599FDF10CFA5CC54BEEBBB5EF49300F0040A9E909A7350DB74A945CFA4

Function 02161FA0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleBaseNameW.PSAPI(00000000,00000000,00011A58,00000104), ref: 02161FF5
GetModuleFileNameExW.PSAPI(00000000,00000000,00011A58,00000104), ref: 02161FFD
GetModuleHandleW.KERNEL32(004AE374,004AE358), ref: 0216201F
GetProcAddress.KERNEL32(00000000), ref: 02162026
_wcsrchr.LIBCMT ref: 02162068
CloseHandle.KERNEL32(00000000), ref: 021620A0
QueryDosDeviceW.KERNEL32(?,?,00000104), ref: 021620D4
CloseHandle.KERNEL32(00000000), ref: 02162111

Strings

:, xrefs: 021620B8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: HandleModule$CloseName$AddressBaseDeviceFileProcQuery_wcsrchr
String ID: :
API String ID: 2886984124-336475711
Opcode ID: af99027420f5eb7d4ccc41bc78355274f1e55d394ab43dd538d794298f5d7af5
Instruction ID: 54c196b3d185fc320b5151ef6e0193a9a233d93b4aa1d18823e5c03f18e7d9e6
Opcode Fuzzy Hash: af99027420f5eb7d4ccc41bc78355274f1e55d394ab43dd538d794298f5d7af5
Instruction Fuzzy Hash: FE4147766843026BD724AF64EC8DFFF7BA8EB95714F040039EE0982254E7B69458C3A5

Function 02162E30 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 02162E7E

Strings

0.0.0.0, xrefs: 02162EE7
%E, xrefs: 02162F6D
,J, xrefs: 02162F2D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Startup
String ID: ,J$0.0.0.0$%E
API String ID: 724789610-2394399986
Opcode ID: 7b5a2044fdb4c7d4298ffca59cc3d3f8db3f1b4a783874253397923c3bb69bda
Instruction ID: 4c3599e90f1d7af120a3097ecbcc714937b7d33f3066352ecb9d65aeaa1c34f5
Opcode Fuzzy Hash: 7b5a2044fdb4c7d4298ffca59cc3d3f8db3f1b4a783874253397923c3bb69bda
Instruction Fuzzy Hash: B241CE756443418FC720DF68C849BAAB7A8FF85714F044A69FC9ACB290EB74E414CB96

Function 021126E7 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

I, xrefs: 02112BC5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 613403da200f245bf8ad32dc6a8c51243919f9c8968614ee6c0e87c1646e4660
Instruction ID: 1d11ff49d2a9fc1bb9d946e381e018e45d323940354604ca5c5e18c203b5ef0c
Opcode Fuzzy Hash: 613403da200f245bf8ad32dc6a8c51243919f9c8968614ee6c0e87c1646e4660
Instruction Fuzzy Hash: FAF1D1716883509FD725CF18C884BABB7E5BF85308F18893DE999873A0D770D885CB96

Function 021673A0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02167509
__wcsicoll.LIBCMT ref: 02167576
SysStringLen.OLEAUT32(?), ref: 021675A8
SysFreeString.OLEAUT32(?), ref: 021675BC

Strings

name, xrefs: 02167515, 02167570
iid, xrefs: 0216752E, 021675D5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: String__wcsicoll$Free
String ID: iid$name
API String ID: 1058036804-1827342429
Opcode ID: 93ee8c9ab058c073c6858a2055a0b0ba4ed7f9aa34c92d0bf98db66d360015df
Instruction ID: 5f28d93bbdf3c8f083c3cf98dd3df6f26e30d81b6e7ece8eec8f804c85f8d75f
Opcode Fuzzy Hash: 93ee8c9ab058c073c6858a2055a0b0ba4ed7f9aa34c92d0bf98db66d360015df
Instruction Fuzzy Hash: E581D274A843019FD710DF29D888B7AB3E5EF84318F1485A9ED488B3D1D735E866CBA1

Function 02119E10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02119E28
__wcsicoll.LIBCMT ref: 02119E40

Strings

Off, xrefs: 02119EB9

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Off
API String ID: 3832890014-334568355
Opcode ID: d1041e13f99ac2dbabf307b12275e4a7e1215cc88b787e1b88e181a5f87bbf7c
Instruction ID: de201cc25813ce65a41ea176cc119b62d62bd93778c4a805289a81944615d513
Opcode Fuzzy Hash: d1041e13f99ac2dbabf307b12275e4a7e1215cc88b787e1b88e181a5f87bbf7c
Instruction Fuzzy Hash: B0116D64EC222176EF1121398E227AE10895F6270BFFE4075FC18D5281F7ADD60792AA

Function 02116BE0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02116D51
FindWindowW.USER32(004A59FC,00000000), ref: 02116D6D
CallNextHookEx.USER32(?,?,?), ref: 02116F88

Strings

., xrefs: 02116E10
n, xrefs: 02116E15
L, xrefs: 02116CE7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CallFindHookNextWindow_memset
String ID: .$L$n
API String ID: 2943327079-3051456332
Opcode ID: 52db9e5c8c8663980006850309c7a4a0846af8ea9f701748300d6db6181c5f1a
Instruction ID: b2728bd895c5cdccadf071bdb0c94a8e42d2f7462b792000ce9ad51bc6f476b8
Opcode Fuzzy Hash: 52db9e5c8c8663980006850309c7a4a0846af8ea9f701748300d6db6181c5f1a
Instruction Fuzzy Hash: 46B137605883D86EE765CB28EC48F767BDA9B4630CF084579E4C4433A2C337984AC76B

Function 02145A80 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 02145AFB
_wcschr.LIBCMT ref: 02145B25
GetKeyboardLayout.USER32(00000000), ref: 02145B79
IsCharAlphaW.USER32(00000000), ref: 02145C61
_free.LIBCMT ref: 02145D4D
_malloc.LIBCMT ref: 02145D5A
_wcschr.LIBCMT ref: 02145DB4

Strings

0, xrefs: 02145C6B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: KeyboardLayout_wcschr$AlphaChar_free_malloc
String ID: 0
API String ID: 2524737710-4108050209
Opcode ID: 0435748ff7fc80e20b40e562c5b6e4456ab7c4de005ea3ab19eafc56745b73c7
Instruction ID: d728fb20bffe419357213e2ed1df715e14a668ca92eb30cbe9df8b992765cf2f
Opcode Fuzzy Hash: 0435748ff7fc80e20b40e562c5b6e4456ab7c4de005ea3ab19eafc56745b73c7
Instruction Fuzzy Hash: B5B12871588385ABC725DF24C44476B7BE2AF65318F88045DF8C88B292EB39C64DC7A3

Function 0213ECE0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0213ED29
_wcsncpy.LIBCMT ref: 0213ED93
_wcschr.LIBCMT ref: 0213EDDA
_wcschr.LIBCMT ref: 0213EE33

Strings

", xrefs: 0213EDF9

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcschr$_malloc_wcsncpy
String ID: "
API String ID: 3220175845-123907689
Opcode ID: 1462cca0ec4af517ec1b4f4015f1424a6a679c39631037b7158f443b7f7c7bea
Instruction ID: 84321481153fdd77644f169d177f270339056b47b6f52b2b8e33f6a7c940424d
Opcode Fuzzy Hash: 1462cca0ec4af517ec1b4f4015f1424a6a679c39631037b7158f443b7f7c7bea
Instruction Fuzzy Hash: C391D271E403199BCF22DF54D881BEEB3B6EF48310F158065E905EB280E775AA55CBE1

Function 004581D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00458251
_vswprintf_s.LIBCMT ref: 00458296
SysFreeString.OLEAUT32(?), ref: 004582C6
SysFreeString.OLEAUT32(00000000), ref: 004582CC
SysFreeString.OLEAUT32(?), ref: 004582D2

Strings

No valid COM object!, xrefs: 0045821C
0x%08X - , xrefs: 00458228
Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d, xrefs: 0045828D

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FreeString$FormatMessage_vswprintf_s
String ID: Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d$0x%08X - $No valid COM object!
API String ID: 575495657-3028990165
Opcode ID: 0da4345b2c23d8ee534a75d3469eaadeb252e7bf3c68f77cc5ecf5486fd98254
Instruction ID: 4a7dd6d41aa898a03cfa5f28ae6521c61a39bb189237137fb6365e3b381cb41a
Opcode Fuzzy Hash: 0da4345b2c23d8ee534a75d3469eaadeb252e7bf3c68f77cc5ecf5486fd98254
Instruction Fuzzy Hash: E03109726003106BDB14EBA5DC85F677BA8EFC4741F04856EBD01A7196DE78D808C7A9

Function 004181C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 004181E9
FindResourceW.KERNEL32(00000000,>AHK WITH ICON<,0000000A), ref: 004181F9
SizeofResource.KERNEL32(00000000,00000000), ref: 00418204
LoadResource.KERNEL32(00000000,00000000), ref: 00418215
LockResource.KERNEL32(00000000), ref: 00418220

Strings

Could not extract script from EXE., xrefs: 00418276
>AUTOHOTKEY SCRIPT<, xrefs: 004181CD
>AHK WITH ICON<, xrefs: 004181F3

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Resource$Find$LoadLockSizeof
String ID: >AHK WITH ICON<$>AUTOHOTKEY SCRIPT<$Could not extract script from EXE.
API String ID: 3127896203-4021547232
Opcode ID: 9de87304b959eedd45034297723f0abca83777e190420b9050421f2b1e8a7a8b
Instruction ID: 5dcd8b25721e3a037b3743ad15cd8ef3095d7bdeac94b465dd52d37fc4df07dd
Opcode Fuzzy Hash: 9de87304b959eedd45034297723f0abca83777e190420b9050421f2b1e8a7a8b
Instruction Fuzzy Hash: 26110330A097015BE310EB298C06F5BBB94EB91700F04086EF944972D1DB74C8048AEA

Function 02121010 Relevance: 13.9, APIs: 9, Instructions: 391threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02121050

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 736549f45ea7f827c3d872aa11dac0c7bf51e8b9308f9fa9578116ab22a92a2b
Instruction ID: 3836ead75129466d89fa1050a7482a24dd85a57331c6c734cf1e7d8abc35f20e
Opcode Fuzzy Hash: 736549f45ea7f827c3d872aa11dac0c7bf51e8b9308f9fa9578116ab22a92a2b
Instruction Fuzzy Hash: 42F1E67058C3A0AFD735DB24D8447AB7BE5AB82318F08095DF8C9872A2C735956CCB97

Function 0211273F Relevance: 13.9, APIs: 9, Instructions: 382windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009), ref: 021127AD
ScreenToClient.USER32(?,?), ref: 021127DA
SendMessageW.USER32(?,00001111,?,?), ref: 021127F5
_memset.LIBCMT ref: 02112C35
SendMessageW.USER32 ref: 02112C69

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$ClientScreen_memset
String ID:
API String ID: 121930748-0
Opcode ID: 4847400b5a8923bd9ffc2004cc1b5428a67b37db39dc008b7b47ae529dc35d7a
Instruction ID: 394ed96f9025557f1b32ede5db40ba1692309bb3d6ed75cb040060427753d828
Opcode Fuzzy Hash: 4847400b5a8923bd9ffc2004cc1b5428a67b37db39dc008b7b47ae529dc35d7a
Instruction Fuzzy Hash: ABE1B071A493509FCB25DF18C884BABBBE5BF89304F14893DE99987390D770D885CB92

Function 02181100 Relevance: 13.8, APIs: 9, Instructions: 340COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021811BA
__wcsicoll.LIBCMT ref: 021811E9
__wcsicoll.LIBCMT ref: 021812C3
__wcsicoll.LIBCMT ref: 02181354

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 003088d94b1fff0d03335882e75eb495f009c2210c394b583e121132ef16c99d
Instruction ID: 24e3fedd8f4d4d5f9a0bce3bd6d9febc3a5443e8c3c8e4d74997e20d56c13f55
Opcode Fuzzy Hash: 003088d94b1fff0d03335882e75eb495f009c2210c394b583e121132ef16c99d
Instruction Fuzzy Hash: CFB1A173B40204ABCB10EE19E8C1B6AB7A5EB54325F24816AED0DCB742E732D556CFD1

Function 021128FE Relevance: 13.8, APIs: 9, Instructions: 337windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02187990: GetWindowRect.USER32(?,?), ref: 02187998

GetWindowLongW.USER32(?,000000EC), ref: 0211292B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0211293F

Part of subcall function 0216FC50: DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0216FC6D
Part of subcall function 0216FC50: DragQueryFileW.SHELL32(?,00000000,?,00008000), ref: 0216FCD3

MulDiv.KERNEL32(?,00000060,004CB4F4), ref: 021129DC
MulDiv.KERNEL32(?,00000060,004CB4F4), ref: 02112A24
_memset.LIBCMT ref: 02112C35
SendMessageW.USER32 ref: 02112C69

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$DragFileLongQuery$MessageRectSend_memset
String ID:
API String ID: 109366103-0
Opcode ID: 2f777e8ffc9bce0ff373f0b5249ecb6e5716deabc130dee09d5dee1d80712032
Instruction ID: d526a9221824858c90493cd91a3939ed6e9ae1545cbd931c69ca8b1a3332b081
Opcode Fuzzy Hash: 2f777e8ffc9bce0ff373f0b5249ecb6e5716deabc130dee09d5dee1d80712032
Instruction Fuzzy Hash: EBD1E271648310AFD724CF18C884BAAFBE5BF85318F14893DE99987391D771E885CB82

Function 0046B120 Relevance: 13.6, APIs: 9, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000019F,00000000,00000000), ref: 0046B15A
SendMessageW.USER32(?,00000198,00000000,80000000), ref: 0046B173
SendMessageW.USER32(00000000,0000100C,000000FF,00000001), ref: 0046B189
SendMessageW.USER32(?,0000100E,00000000,80000000), ref: 0046B1A6
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 0046B1BC
SendMessageW.USER32(?,00001104,00000001,80000000), ref: 0046B1D5
SendMessageW.USER32(?,00000419,00000000,80000000), ref: 0046B1E8
GetWindowRect.USER32(?,80000000), ref: 0046B200
MapWindowPoints.USER32(?,00000000,00000002,00000002), ref: 0046B214

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$Window$PointsRect
String ID:
API String ID: 467674420-0
Opcode ID: 84d78ba1d5cd1097a00c40e2669ce3f7e163727df9518ae0f9c07e8706b1e30b
Instruction ID: 6e43130aabcbc857c5f36dbbc5bd06bad8e8e5e2da8ed775a84a6c93a3b9cb22
Opcode Fuzzy Hash: 84d78ba1d5cd1097a00c40e2669ce3f7e163727df9518ae0f9c07e8706b1e30b
Instruction Fuzzy Hash: 3431A175144305BBD324CF28CC45FAAB7E8EB85750F208A1DF295D72E0E7B4E5818B56

Function 02114AE0 Relevance: 13.6, APIs: 9, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 02114B0C
__wcsnicmp.LIBCMT ref: 02114B1E
__wcsicoll.LIBCMT ref: 02114B37
__wcsicoll.LIBCMT ref: 02114B4C
__wcsicoll.LIBCMT ref: 02114B61
__wcsicoll.LIBCMT ref: 02114B76
__wcsicoll.LIBCMT ref: 02114B8B
__wcsicoll.LIBCMT ref: 02114BA0
GetClipboardData.USER32(0000000D), ref: 02114BC6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID:
API String ID: 3127108255-0
Opcode ID: ba0c5945728cd0bb08750c78345674eaba5c07f298cfce1c8ba0e794be639875
Instruction ID: 4f32d954114a24517b42f5a742028a7c52a71034ad4e78fb58f92d5a9ba9f3c1
Opcode Fuzzy Hash: ba0c5945728cd0bb08750c78345674eaba5c07f298cfce1c8ba0e794be639875
Instruction Fuzzy Hash: 6B1181B4980301AADB30EB709D46B6E72E95F54F06F640978EC98D1181F7B8D608C6AB

Function 0211FDAD Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 269windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0211FF0E

Strings

@, xrefs: 0211FE22

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessagePeek
String ID: @
API String ID: 2222842502-2766056989
Opcode ID: 05c4ff255829e964ab8e618f25962f7b28614a76b407283a46c9569e86c35af8
Instruction ID: 7157de5e433712551369128a6ec63695d51343e7bc3105bf5e9d66d91f8e54ec
Opcode Fuzzy Hash: 05c4ff255829e964ab8e618f25962f7b28614a76b407283a46c9569e86c35af8
Instruction Fuzzy Hash: B4A17C30A84398AFEB20DB74DC44FF93F76AB46348F188165F9446B2D2D3708559CB66

Function 02159DF0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004C9458), ref: 02159E17
RtlLeaveCriticalSection.NTDLL(004C9458), ref: 02159F7C

Strings

0, xrefs: 0215A0C5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: 0
API String ID: 3168844106-4108050209
Opcode ID: cc1e4b22a18e0efb7ff6c064b3865a05c41041bfd40bf64c01dd6e113a97aa91
Instruction ID: 117ab7e797b41d8f624b6e816843afa7f8ab1c0e481678a59497ee5c629176d9
Opcode Fuzzy Hash: cc1e4b22a18e0efb7ff6c064b3865a05c41041bfd40bf64c01dd6e113a97aa91
Instruction Fuzzy Hash: 6DA1FD75644311CFCB14CF68D880B66B7E5FF89314F144AAEE86A8B390E731E905CB96

Function 0211CBB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 021865B0: _vswprintf_s.LIBCMT ref: 021865C9

__itow.LIBCMT ref: 0211CC3B

Strings

PART, xrefs: 0211CD71
(no), xrefs: 0211CE32
OFF, xrefs: 0211CD21, 0211CD3D, 0211CE4C

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __itow_vswprintf_s
String ID: (no)$OFF$PART
API String ID: 2948144822-3974843038
Opcode ID: bbcf5ce862b9fdc0d1332935ac5235cdfc2f9a219029adcfb732fc777d43487d
Instruction ID: 132770cdd258ff00e9cc9da169ebee24e945b1be217b8b48666383bdd93ed858
Opcode Fuzzy Hash: bbcf5ce862b9fdc0d1332935ac5235cdfc2f9a219029adcfb732fc777d43487d
Instruction Fuzzy Hash: 8461C1716C43419FDB28DE28C840B677BE6AF86308F09493EE48687690E735E909C7D7

Function 0211C780 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0211C160: _memset.LIBCMT ref: 0211C177

_memset.LIBCMT ref: 0211C7F8
_wcsncpy.LIBCMT ref: 0211C93E
_wcsncpy.LIBCMT ref: 0211C9C2
_wcsncpy.LIBCMT ref: 0211C9F0
__wcsicoll.LIBCMT ref: 0211CA8C
__wcsicoll.LIBCMT ref: 0211CAA5

Strings

Up, xrefs: 0211CA02

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy$__wcsicoll_memset
String ID: Up
API String ID: 2925817191-1355106271
Opcode ID: a156f10731d02ccc120276bdfab5b0835def7b42b4882d22eee11ffe488a22fa
Instruction ID: 64227d1ea32061e872236488ebdb0835aa53daecfd342e835fac65d38b9acb56
Opcode Fuzzy Hash: a156f10731d02ccc120276bdfab5b0835def7b42b4882d22eee11ffe488a22fa
Instruction Fuzzy Hash: 7C61D0325C83488AD735DF60D891BEBB3A6AF85300F58482BD58987285F7749548CBE3

Function 02121910 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0212197C

Part of subcall function 021A1156: __fassign.LIBCMT ref: 021A114C

Strings

W, xrefs: 0212194E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID: W
API String ID: 3965848254-655174618
Opcode ID: 6afae57ea7950d9291c6cf6146bceec47e08522dec7d50de16b3ec4dee0d757c
Instruction ID: 8445f02c416fb3094b3ebe5e72cf4884175d53d6cb382abca2be17f23de92f5d
Opcode Fuzzy Hash: 6afae57ea7950d9291c6cf6146bceec47e08522dec7d50de16b3ec4dee0d757c
Instruction Fuzzy Hash: 135139729843607FD710EF249C00B6A77E65F45710F490828F88D6B2C2E3B59A69C7E7

Function 00422134 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042213E
__wcsicoll.LIBCMT ref: 0042215E
__wcsicoll.LIBCMT ref: 00422174
__wcsicoll.LIBCMT ref: 0042218A

Strings

Name, xrefs: 00422158
Function name too long., xrefs: 00422D13
State, xrefs: 00422138

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Function name too long.$Name$State
API String ID: 3832890014-1283365435
Opcode ID: 7eb3497f39062326e77c0a1c9c8091a696a685971d1346195b6aa16a1e98741f
Instruction ID: 6e23b48b999e2adaefd9658650c6ef511164265c703010985135914989824c89
Opcode Fuzzy Hash: 7eb3497f39062326e77c0a1c9c8091a696a685971d1346195b6aa16a1e98741f
Instruction Fuzzy Hash: 7011C472A0431166C610EA71AD42A2B7294ABA4719F48493FFD44D3280FAFDDB18835A

Function 021597A0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02159897

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 0aa0411a621234e1ad8633b76e31020d0e88c4c62442a5e7a15cdeca7c880cab
Instruction ID: 4e7182a7f04028748cdc5160e4ade2e878c6a213b87d8a291876c7378b17d544
Opcode Fuzzy Hash: 0aa0411a621234e1ad8633b76e31020d0e88c4c62442a5e7a15cdeca7c880cab
Instruction Fuzzy Hash: A8911A71640229DFDB20DF19D880BAA7395EF85315F1440FAEC258B242D736E956CBE3

Function 021798B0 Relevance: 12.1, APIs: 8, Instructions: 122COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 021798CD
CallWindowProcW.USER32(004CA580,?,?,?,?), ref: 02179909
GetDlgCtrlID.USER32(?), ref: 0217991D
GetParent.USER32(?), ref: 0217992E
GetDlgCtrlID.USER32(00000000), ref: 0217993B
CallWindowProcW.USER32(004CA580,?,00000047,?,?), ref: 02179993
GetClipBox.GDI32(?,?), ref: 021799CB
FillRect.USER32(?,?,00000000), ref: 021799DB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CallCtrlParentProcWindow$ClipFillRect
String ID:
API String ID: 1046380989-0
Opcode ID: d419929e04a6d0cfda344c34d7987d7459c65750c9e4d44cefcca5523f3285cc
Instruction ID: 3ddd04d010adafac7a1fe3cc16c1b51128032d52edcd8498a851f0127e0588f6
Opcode Fuzzy Hash: d419929e04a6d0cfda344c34d7987d7459c65750c9e4d44cefcca5523f3285cc
Instruction Fuzzy Hash: 1E41AC766002199BCB24DF18D898ABA77BAFBC5354F054179FE0697250D730EC15CBA2

Function 02169640 Relevance: 10.9, APIs: 7, Instructions: 440COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 02169715

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: 287228cbf5c3d4f53a84a52cb5ed8f1a194ac25648b420c7b5aa2c3c38b4ae2c
Instruction ID: b19957a446e8c822babc9b9ac402e57e320e715ad26a1340fe1c7a5a81f77acc
Opcode Fuzzy Hash: 287228cbf5c3d4f53a84a52cb5ed8f1a194ac25648b420c7b5aa2c3c38b4ae2c
Instruction Fuzzy Hash: 880267B15483058FD724CF64C488BABB7E5FF88308F14892EE99987251E770E959CF82

Function 02133B80 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02133BE0
__wcsicoll.LIBCMT ref: 02133C32
__wcsicoll.LIBCMT ref: 02133F6E
__wcsicoll.LIBCMT ref: 0213400F

Strings

", xrefs: 02133CB8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: "
API String ID: 1630244902-123907689
Opcode ID: 6648f3619f5b3ba1127efb2b113da78b24098153f29b3d40d01d779dd79a3e1e
Instruction ID: 05a5bd0d1b474dabefa3299b210e36edf3455926604f005c9c0192d01f4490f8
Opcode Fuzzy Hash: 6648f3619f5b3ba1127efb2b113da78b24098153f29b3d40d01d779dd79a3e1e
Instruction Fuzzy Hash: D7E1F1756443068FC725DF18D880BAAB3E2FF88314F2446ADE8648B391D735E946CBD6

Function 02117560 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 02117663
IsCharAlphaNumericW.USER32(?,004A1564,00000000,?), ref: 02117721
GetStringTypeExW.KERNEL32(00000400,00000004,?,00000001,?), ref: 0211773E
IsCharLowerW.USER32(?), ref: 02117824

Strings

-()[]{}:;'"/\,.?! , xrefs: 0211765E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Char$AlphaLowerNumericStringType_wcschr
String ID: -()[]{}:;'"/\,.?!
API String ID: 3734836551-2658396598
Opcode ID: 087950415860bc43b3fac5443763bfd0bebfac24da2db61377677a884046c34e
Instruction ID: 11d8f9c31795544195cbcb5fe8eb2e984d0dc336ef995ac24343abbebe06f80d
Opcode Fuzzy Hash: 087950415860bc43b3fac5443763bfd0bebfac24da2db61377677a884046c34e
Instruction Fuzzy Hash: 5DC13C75944251AAEB14CF38D858BBEBBE1EF89308F0549BDE8C5973D0E3348886C759

Function 02112A43 Relevance: 10.8, APIs: 7, Instructions: 301windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000060,004CB4F4), ref: 02112A9A
MulDiv.KERNEL32(?,00000060,004CB4F4), ref: 02112AE2
_memset.LIBCMT ref: 02112C35
SendMessageW.USER32 ref: 02112C69

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend_memset
String ID:
API String ID: 1827994538-0
Opcode ID: bc41270903c75a682db74289cf5ca6dda1646421d82704e72d2591989189170b
Instruction ID: c1c3e6c4fabea1cb74777171c993c400568ddc08bea57b9bec26892efc18c759
Opcode Fuzzy Hash: bc41270903c75a682db74289cf5ca6dda1646421d82704e72d2591989189170b
Instruction Fuzzy Hash: A5C1E671588350AFDB35CF18C884BAAFBE5BF85308F14893DE99987291D770D884CB96

Function 021463B0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 02146455

Strings

UseErrorLevel, xrefs: 021463D1
$cJ, xrefs: 02146413, 0214645C, 02146475, 02146583

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: KeyboardLayout
String ID: $cJ$UseErrorLevel
API String ID: 194098044-1974334687
Opcode ID: 8a25a3f6633064cbbd8271712a595cead48970572259becc259496925c13e3e6
Instruction ID: 2276ff4093922f7db251633f86f80e4d00b601995085a825258a9f5f15676329
Opcode Fuzzy Hash: 8a25a3f6633064cbbd8271712a595cead48970572259becc259496925c13e3e6
Instruction Fuzzy Hash: 27B159712843819FDB24DF28EC40B6A37EAAB8735CF04452DE9999B2C4DB71D844CB96

Function 0215E510 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000040B,00000000,00000000), ref: 0215E63F
MulDiv.KERNEL32(00000000,004CB4F4,00000060), ref: 0215E69C
DestroyCursor.USER32(00000000), ref: 0215E6EA

Strings

$cJ, xrefs: 0215E569

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CursorDestroyMessageSend
String ID: $cJ
API String ID: 3501257726-417114052
Opcode ID: 13a31f426d894dffeba71c856a4d6211a1dfa7835443f4e44cb1971545c8255e
Instruction ID: 47016b54c06a001b5ffd2ff1c020518017d7c5029b70b9c71ee6ed15aa444cb2
Opcode Fuzzy Hash: 13a31f426d894dffeba71c856a4d6211a1dfa7835443f4e44cb1971545c8255e
Instruction Fuzzy Hash: C491E0B5A44311DFD710CF28D884B2AB7E5EBC8354F048569EE29DB281D731E901CBA2

Function 02117C20 Relevance: 10.7, APIs: 7, Instructions: 191windowCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 02117C53
CharLowerW.USER32(00000000,?,?,?,00000000,?,?,-00000019), ref: 02117C69
CharLowerW.USER32 ref: 02117C76
CharLowerW.USER32(?), ref: 02117C91
PostMessageW.USER32(004CA564,0000041B,004CAD70,00000000), ref: 02117CD1
PostMessageW.USER32(004CA564,0000041B,004CAD70,00000000), ref: 02117D70
PostMessageW.USER32(004CA564,0000041B,004CAD70,00000000), ref: 02117D9F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CharLowerMessagePost$_wcschr
String ID:
API String ID: 1671784288-0
Opcode ID: 2dba94506fc51693c3cffcb3cef31fcc9ca2f46ab911250ee991a3108bf3687a
Instruction ID: 9a48460bf648c77d033e9bb7887f45d72db5a99453b3b92f31fafd2a8b1d6375
Opcode Fuzzy Hash: 2dba94506fc51693c3cffcb3cef31fcc9ca2f46ab911250ee991a3108bf3687a
Instruction Fuzzy Hash: DE61AC70644705ABD720DF25D880B76F7E2FB99344F144979E8868B7D1E332E446CB62

Function 004370C0 Relevance: 10.7, APIs: 7, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00444650: GetForegroundWindow.USER32(?,?,00437345,?), ref: 0044467E
Part of subcall function 00444650: IsWindowVisible.USER32(00000000), ref: 00444699

__fassign.LIBCMT ref: 00437118

Part of subcall function 004913BF: wcstoxl.LIBCMT ref: 004913CF

__fassign.LIBCMT ref: 00437154
GetWindowRect.USER32(00000000,?), ref: 0043719A
GetWindowRect.USER32(00000000,?), ref: 004371CC
GetParent.USER32(00000000), ref: 004371F7
ScreenToClient.USER32(00000000,80000000), ref: 00437207
MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?,?,?,?,?,?,?,004294B8), ref: 004372AE

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Rect__fassign$ClientForegroundMoveParentScreenVisiblewcstoxl
String ID:
API String ID: 4198355719-0
Opcode ID: a92d6b29bb2d3b75762705950fe442d801a8c84fdf986f5979f1caa5b4e2f620
Instruction ID: 1c891f63866bf9f633d1bcbda47a4db3bc108c0e04b8a5eff1ebb8705958e604
Opcode Fuzzy Hash: a92d6b29bb2d3b75762705950fe442d801a8c84fdf986f5979f1caa5b4e2f620
Instruction Fuzzy Hash: 4251F1B26083019BD730DF64DC41B2B77A5AB89710F14192EF880AB381D7B9EC44C7AA

Function 02186090 Relevance: 10.7, APIs: 7, Instructions: 174timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 021860B9
_wcsncpy.LIBCMT ref: 021860E5
_wcsncpy.LIBCMT ref: 0218611D
_wcsncpy.LIBCMT ref: 02186151
_wcsncpy.LIBCMT ref: 02186186
_wcsncpy.LIBCMT ref: 021861BB
SystemTimeToFileTime.KERNEL32(?,?), ref: 02186262

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy$Time$FileSystem
String ID:
API String ID: 456616543-0
Opcode ID: 32be6ae6566634ebabf999b0ea3bc8403da15acc3f334bc790dd7d1a3a74ab9d
Instruction ID: 1c57ca46b1eeeb8c030e04ef513b8db395601d7493513822501ebdabf0d570da
Opcode Fuzzy Hash: 32be6ae6566634ebabf999b0ea3bc8403da15acc3f334bc790dd7d1a3a74ab9d
Instruction Fuzzy Hash: 4D510571A543406AD718EB34CC81A6BB2EAEFC8300F49CD2DE85AC7251F735E5098756

Function 004120B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004C9484), ref: 00412148
GetSystemMetrics.USER32(00000000), ref: 004121C0
GetSystemMetrics.USER32(00000001), ref: 004121C6
GetCursorPos.USER32(?), ref: 00412225

Strings

d, xrefs: 00412209

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: c211bb55981c3127a474b2a351d6987fbd699298291f044b76a36cf7165d34fa
Instruction ID: 5bc05deff55d77e115c75b38e9b676587ee8842ef92869f24c2587dae03bc7cc
Opcode Fuzzy Hash: c211bb55981c3127a474b2a351d6987fbd699298291f044b76a36cf7165d34fa
Instruction Fuzzy Hash: 0051DD357043019BD718CF58E981BAA73E1BB88304F24453EED89C7342D779D9A5CB5A

Function 00417080 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,00404094,?), ref: 004170A6
_wcsrchr.LIBCMT ref: 00417149
GetModuleFileNameW.KERNEL32(00000000,?,00007FFE,?,?,?,?,?,00404094,?), ref: 004171E5
_wcsrchr.LIBCMT ref: 00417245

Strings

Out of memory., xrefs: 004170F9
%s\%s, xrefs: 0041719D

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FileModuleName_wcsrchr
String ID: %s\%s$Out of memory.
API String ID: 2248907744-1641153398
Opcode ID: f5b0e2eff4024d5dc113413ff412b86ec4617b7aef40f9135233e5128bda4ab1
Instruction ID: e9aec9891ec7854fd5483a4050920514405bc3c5355203deba120071fc3d31c2
Opcode Fuzzy Hash: f5b0e2eff4024d5dc113413ff412b86ec4617b7aef40f9135233e5128bda4ab1
Instruction Fuzzy Hash: 4F51C3725083026AD720EF649C01AE772A4EF94314F08493EFD558B381EB78D648C7AB

Function 0211F9A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148threadCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02120323
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E

Strings

0, xrefs: 0211F9A9

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundProcessThread_free
String ID: 0
API String ID: 3803968087-4108050209
Opcode ID: 2919c684d5c27a583b812fcd56b9a35925093f2044b5010293fcb8b11db408c7
Instruction ID: ef4ae4fafdaa3c7d81980f240d0528a7af2efa871ade09c98b4732dcbaefcb0b
Opcode Fuzzy Hash: 2919c684d5c27a583b812fcd56b9a35925093f2044b5010293fcb8b11db408c7
Instruction Fuzzy Hash: 76514A71D88268EFDB21DB60EC44FEE3F75EB5A308F084265F44557291D3304569CBA6

Function 0211F9CF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148threadCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02120323
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E

Strings

@, xrefs: 0211F9D9

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundProcessThread_free
String ID: @
API String ID: 3803968087-2766056989
Opcode ID: 0c2c4ef9f284a86dacede3a72eb7a71df311975b1b8cd1d5d96ea29f524e9406
Instruction ID: 12b851fd201481439740635e3f1ca7324f66ca8655a7d4bbc712f5d16563b3a3
Opcode Fuzzy Hash: 0c2c4ef9f284a86dacede3a72eb7a71df311975b1b8cd1d5d96ea29f524e9406
Instruction Fuzzy Hash: DF515A71D88268EFDB20DB60EC44FAE3F75EB5A308F084266F405572D1D3304569CBA6

Function 02156240 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0215627A

Strings

0, xrefs: 021562CC

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: 0
API String ID: 2020703349-4108050209
Opcode ID: e9013811190f5feca0c703ebae91005b04b75cc42384ecb734cc96fadc10b4aa
Instruction ID: a09a276be288dd85b0c939fcd47beb5a6384cb281e513d0602dc17a5bfe6083a
Opcode Fuzzy Hash: e9013811190f5feca0c703ebae91005b04b75cc42384ecb734cc96fadc10b4aa
Instruction Fuzzy Hash: A341F432A402189FCB50DF69EC88B5BB7E9EB84364F44057AEC1DC76A0E7729404CBD6

Function 00421100 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 129COMMON

Download Yara Rule

Strings

Out of memory., xrefs: 0042127A
Missing "]", xrefs: 00421169
Not a valid method, class or property definition., xrefs: 00421116
%.*s.Get%s, xrefs: 004211D5
Duplicate declaration., xrefs: 00421205

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: %.*s.Get%s$Duplicate declaration.$Missing "]"$Not a valid method, class or property definition.$Out of memory.
API String ID: 0-1119647260
Opcode ID: 39421bfbc6a7ef2cc8739dd62bc5427920f35b89beb3d2f35436365aa5d2d67c
Instruction ID: fc82f7e8b93b53ffa53959e7c1e91bc7d37728a516545a4477f2e29edb715848
Opcode Fuzzy Hash: 39421bfbc6a7ef2cc8739dd62bc5427920f35b89beb3d2f35436365aa5d2d67c
Instruction Fuzzy Hash: 754144307002109BCB209F29984277BB7A5EFE9304F84886BE8458B3A1EA7CD954C789

Function 02126290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02126296
__wcsicoll.LIBCMT ref: 021262E5
__wcsicoll.LIBCMT ref: 0212632D

Strings

Off, xrefs: 021262DF
$cJ, xrefs: 021262A6
9J, xrefs: 021262F1

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: 9J$$cJ$Off
API String ID: 3832890014-726444215
Opcode ID: 74df72d166711da5d922015a407bfbdc6f3acade02d36c8ec90071b4f4dbb11d
Instruction ID: 95fc73796c400a0298e5e51e65575e44c59533039e02aa05b40da55dc5f7972a
Opcode Fuzzy Hash: 74df72d166711da5d922015a407bfbdc6f3acade02d36c8ec90071b4f4dbb11d
Instruction Fuzzy Hash: 7411E5626901B251AF102B308E027B7309EEF31A58B990264F829CA2C9F75BC26AC250

Function 0216D240 Relevance: 10.6, APIs: 7, Instructions: 61COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0216D252

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 0f2c5ec6d37b9b30a8930679efa88b5cacdf706584bf4b8cc745eba7118e1128
Instruction ID: 7af6a4794435fda828c96503a4b21c03185c9d7da351cd9a953ceb5b51342c65
Opcode Fuzzy Hash: 0f2c5ec6d37b9b30a8930679efa88b5cacdf706584bf4b8cc745eba7118e1128
Instruction Fuzzy Hash: 4D01A995BC161562EF102138AC02BAE304E5F62F07FE48078FC08C52C1F78ED22690AE

Function 02123B20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57registrylibraryCOMMON

Download Yara Rule

APIs

ActivateKeyboardLayout.USER32(?,00000000,?,00000000), ref: 02123B30
GetKeyboardLayoutNameW.USER32(?), ref: 02123B69
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 02123B86
LoadLibraryW.KERNEL32(?), ref: 02123BB5
ActivateKeyboardLayout.USER32(00000000,00000000), ref: 02123BC9

Strings

Layout File, xrefs: 02123B9D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: KeyboardLayout$Activate$LibraryLoadNameOpen
String ID: Layout File
API String ID: 1064788448-1055935358
Opcode ID: 276a9c7da169e365410642f2fc1326e0b95fe21c42b34976ae3a095137f169da
Instruction ID: 41b412a236274bc6a7d4c880e230a5213a65577c79f83a86b7c8fa96f0b2afb1
Opcode Fuzzy Hash: 276a9c7da169e365410642f2fc1326e0b95fe21c42b34976ae3a095137f169da
Instruction Fuzzy Hash: 89118235644315AFD734AFA49C48FABBBACEB85355F0048ADF956C2150EB38D408CB65

Function 0211EF40 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0211EF50
__wcsicoll.LIBCMT ref: 0211EF66
__wcsicoll.LIBCMT ref: 0211EF7C

Part of subcall function 0219FE69: __wcsicmp_l.LIBCMT ref: 0219FEE9

__wcsicoll.LIBCMT ref: 0211EF92
__wcsicoll.LIBCMT ref: 0211EFA8
__wcsicoll.LIBCMT ref: 0211EFBE
__wcsicoll.LIBCMT ref: 0211EFD4
__wcsicoll.LIBCMT ref: 0211EFEC

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID:
API String ID: 3172861507-0
Opcode ID: 5f4701f7fe81a11beb3d826a9e6fc404618b80336881ed2fe4a7a148178e60a8
Instruction ID: 17e4ac8caef8addd90f6ea0ac2bb6320b344a1a6b2094553e313722aef5794ce
Opcode Fuzzy Hash: 5f4701f7fe81a11beb3d826a9e6fc404618b80336881ed2fe4a7a148178e60a8
Instruction Fuzzy Hash: F8F0AF6AAC1719759E2135319E02B5F108E0E32647F2E0175FC08E19C1FBDDD617C4BA

Function 0040A0C0 Relevance: 9.4, APIs: 6, Instructions: 370COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A0E1
UnregisterHotKey.USER32(000201FC,?,004CB508,00000028,004CB508), ref: 0040A17B

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Unregister_memset
String ID:
API String ID: 2392160147-0
Opcode ID: 028d2088a1659a4ab87439cdd4795785e723fdf5c9e2601c4aaaaa8e11008163
Instruction ID: 696d72e4843b34e9b49dbd0273efdf7c7148b77ca4796f885ce486d7516f4be3
Opcode Fuzzy Hash: 028d2088a1659a4ab87439cdd4795785e723fdf5c9e2601c4aaaaa8e11008163
Instruction Fuzzy Hash: 01E1D5305083808ADB36CB249448B677BA16B12348F1845BFD8826B7D2D37DDDEAD75B

Function 0211A310 Relevance: 9.4, APIs: 6, Instructions: 363COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0211A331
UnregisterHotKey.USER32(004CA564,04000000,004CB508,004C6950,004CB508), ref: 0211A3CB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Unregister_memset
String ID:
API String ID: 2392160147-0
Opcode ID: 9b586f657cd55c89f7d2eccdd2e61a45f2c04b5f5514f7f2b2f49028f096df59
Instruction ID: 7d99e2eb39169a08bc8e2f07dd32058e166c1df4449be7f9440d7fd7026dad7d
Opcode Fuzzy Hash: 9b586f657cd55c89f7d2eccdd2e61a45f2c04b5f5514f7f2b2f49028f096df59
Instruction Fuzzy Hash: E4E1E56098A3949EEB75CF24D458B767FB16F02318F0C40B9D8C24BA92D375E9CAC791

Function 02137040 Relevance: 9.3, APIs: 6, Instructions: 292windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(004CC048), ref: 021370B8
CloseClipboard.USER32 ref: 021370C8
GetTickCount.KERNEL32 ref: 021370DA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02137106
GetTickCount.KERNEL32 ref: 0213711C
GetTickCount.KERNEL32 ref: 021371D6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7864d36bd7d5a73bc730558869c8022117772eeccaad223e0478b6abd7060de3
Instruction ID: a1408d4e0838d50c23218626b05a26c9f81c91a5597ea0ad1227c4f1e17e7f50
Opcode Fuzzy Hash: 7864d36bd7d5a73bc730558869c8022117772eeccaad223e0478b6abd7060de3
Instruction Fuzzy Hash: 74C102B1684341DFDB2ACF24D880B6ABBE7FB85328F14462DE859977D1D3309842CB95

Function 021AFF80 Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 021B0081
__FindPESection.LIBCMT ref: 021B009B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 5f2ba4219c27c2326e78d163c3cdfd2f3e7950a028b6276ac41be21445c95d6b
Instruction ID: ea5aa8817dc24eb6056ef16dc6ab6bd6fe4bfb44ee51d289fa2dabe9e38763b1
Opcode Fuzzy Hash: 5f2ba4219c27c2326e78d163c3cdfd2f3e7950a028b6276ac41be21445c95d6b
Instruction Fuzzy Hash: F691B236E802158FCB16CB58D890BBFB7B6EF88354F154179D81A973A0E731E842CB94

Function 0213E9F0 Relevance: 9.2, APIs: 6, Instructions: 241COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0213EA37
_wcsncpy.LIBCMT ref: 0213EAA3
_wcsncpy.LIBCMT ref: 0213EAC6
_wcschr.LIBCMT ref: 0213EBDB
_free.LIBCMT ref: 0213EBFD
_free.LIBCMT ref: 0213EC59

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free_wcsncpy$_malloc_wcschr
String ID:
API String ID: 609840974-0
Opcode ID: e0fe2754d6d4b62e2d6f98cb4db529234186eebc832fd6233b342fce2c7bfae3
Instruction ID: 56ae81813e59b6f615f3cf87cdd0f1f3a22a02a12dc5a64ac5b1418ba1c98cad
Opcode Fuzzy Hash: e0fe2754d6d4b62e2d6f98cb4db529234186eebc832fd6233b342fce2c7bfae3
Instruction Fuzzy Hash: BB919071E403199FCF26DF54D880AEEB7F6FF88314F148495D80A97240E734AA91CBA1

Function 02112177 Relevance: 9.2, APIs: 6, Instructions: 210windowfileCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 02112198
DragFinish.SHELL32(?), ref: 021121B7
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Drag$Finish$AcceleratorFileFocusMessageQueryTranslate
String ID:
API String ID: 3028411364-0
Opcode ID: dc0f0a72ab7a2515a941de71b9d0efe48bfc9f911a55778d0df1076a36c29790
Instruction ID: fba8333fb0aae7ccde418d746a224c2c33bda442918c257f415e4e6659a7318a
Opcode Fuzzy Hash: dc0f0a72ab7a2515a941de71b9d0efe48bfc9f911a55778d0df1076a36c29790
Instruction Fuzzy Hash: 6271F671AC4314AFDB748F58C8D47AEF7E5BF85308F580539EA9983264D3349881CB86

Function 02119120 Relevance: 9.2, APIs: 6, Instructions: 169threadsleepwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00002000,00409200,00000000,00000000,004C9470), ref: 0211917A
SetThreadPriority.KERNEL32(00000000,0000000F,?,00000100,00000000,02128051,02127F1F,?,00000100,?,00000000,02127F1F,00000100,004CB508,021406F5), ref: 02119190
PostThreadMessageW.USER32(004C9470,00000417,00000002,00000000), ref: 021191B4
Sleep.KERNEL32(0000000A,?,00000100,00000000,02128051,02127F1F,?,00000100,?,00000000,02127F1F,00000100,004CB508,021406F5), ref: 021191C0
GetExitCodeThread.KERNEL32(004CAD94,?), ref: 0211928A
Sleep.KERNEL32(00000000), ref: 021192A7

Part of subcall function 02119790: _free.LIBCMT ref: 021197FD

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Thread$Sleep$CodeCreateExitMessagePostPriority_free
String ID:
API String ID: 2132562146-0
Opcode ID: 405eba820bcba44f91289e55c47021f744956c4c51a5cba9d79a477db6a181c3
Instruction ID: 4baeb21e474cf9bbb95c0e57b68b7c18c782203415f550076ac65787ba608fee
Opcode Fuzzy Hash: 405eba820bcba44f91289e55c47021f744956c4c51a5cba9d79a477db6a181c3
Instruction Fuzzy Hash: 1D519830288344AAE722DF70EC5AB5A7FE4AF4231DF044479F895971E1C3B8D584CB6A

Function 02186BD0 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02186C7D
CharLowerW.USER32(00000000), ref: 02186C8A
CharLowerW.USER32(?), ref: 02186CA4
CharLowerW.USER32(?), ref: 02186CB2
CharLowerW.USER32(?), ref: 02186CCE
CharLowerW.USER32(00000000), ref: 02186CDB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 4dc4eaac74ffe94b67c37a89d981a31f2be02721ae442972b24b5abdb757bc7c
Instruction ID: 3db33ba4154756e2c02ea275d7f68ebdf188de9ec46e49951a5e9817fb2219ed
Opcode Fuzzy Hash: 4dc4eaac74ffe94b67c37a89d981a31f2be02721ae442972b24b5abdb757bc7c
Instruction Fuzzy Hash: EE41AF659803B99B8B206F269CC523ABBE8FB84655F050D1AFCC5CA240F738D8409A75

Function 021691A0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 021691AD
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 021691CB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 021691E5
SafeArrayAccessData.OLEAUT32(?,?), ref: 021691FD
SafeArrayGetElemsize.OLEAUT32(?), ref: 02169221

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$AccessDataElemsize
String ID:
API String ID: 505432365-0
Opcode ID: 4949f4540dace6809cd1bdd2537ada9ee1df9f7b5e85c9bbe6a36eedc06ca760
Instruction ID: 37fe31878510f53b386bdc54b947efd8075d709475f313a0989a47c0652d2ff5
Opcode Fuzzy Hash: 4949f4540dace6809cd1bdd2537ada9ee1df9f7b5e85c9bbe6a36eedc06ca760
Instruction Fuzzy Hash: FA319FB5544302AFD700DF68D8889AABBE8FF88350F04886EFD5597231D775E8448B61

Function 00479039 Relevance: 9.1, APIs: 6, Instructions: 77clipboardCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 0047908B
GlobalLock.KERNEL32(00000000), ref: 00479098
GlobalUnlock.KERNEL32(00000000), ref: 004790ED
EnumClipboardFormats.USER32(00000000), ref: 004790FE
GlobalUnlock.KERNEL32(00000000), ref: 00479122
CloseClipboard.USER32 ref: 00479132

Part of subcall function 00404890: GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004048BC
Part of subcall function 00404890: __wcsnicmp.LIBCMT ref: 004048CE
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 004048E7
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 004048FC
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 00404911
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 00404926
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 0040493B
Part of subcall function 00404890: __wcsicoll.LIBCMT ref: 00404950

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$Global$Clipboard$Unlock$CloseEnumFormatFormatsLockNameSize__wcsnicmp
String ID:
API String ID: 4010163957-0
Opcode ID: 5fbad0cbcd8efd48152daedfa8ea5cb145221950830a3b4ec0b6554a1846e1ce
Instruction ID: bb4a184ad2baf7df3add7dd79cc3dfd7d08a35701dec41baa3f1c1c4aebf6349
Opcode Fuzzy Hash: 5fbad0cbcd8efd48152daedfa8ea5cb145221950830a3b4ec0b6554a1846e1ce
Instruction Fuzzy Hash: 2E218D325103828BC721CF29D88879B7BE1BB45744F04892AE84DA3360D738DD49CB9E

Function 00434030 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434042
__fassign.LIBCMT ref: 0043407B

Part of subcall function 004913BF: wcstoxl.LIBCMT ref: 004913CF

Part of subcall function 00490F06: __fassign.LIBCMT ref: 00490EFC

__fassign.LIBCMT ref: 004340AB
_wcsncpy.LIBCMT ref: 004340D7
_wcsncpy.LIBCMT ref: 004340FB
Shell_NotifyIconW.SHELL32(00000001), ref: 00434113

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign$_wcsncpy$IconNotifyShell__memsetwcstoxl
String ID:
API String ID: 551406035-0
Opcode ID: e66adcc18bbc10b2f52b53873922d3b0e38951699ed3cc4a75f92c58cc495a2d
Instruction ID: 5afafabdf718e6cd8bf1dc44fb614064b30d250e0f2b81a2f43a3b69eeb2305d
Opcode Fuzzy Hash: e66adcc18bbc10b2f52b53873922d3b0e38951699ed3cc4a75f92c58cc495a2d
Instruction Fuzzy Hash: 3621C9B1A043006BE735EB64CC42BAF76FC5F84704F00583EBA849A2C1E7B95205874F

Function 02126350 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 02119C10: __wcsicoll.LIBCMT ref: 02119C28
Part of subcall function 02119C10: __wcsicoll.LIBCMT ref: 02119C75

__wcsicoll.LIBCMT ref: 0212636B
__wcsicoll.LIBCMT ref: 02126384

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: c541506866d938dced41fe333cdaaf8a4ffe437695f829ef26f23cf14cc25e6f
Instruction ID: d154e2fdddf81019f74fb21484866b2f7ccb141131f93d6e212ed49f552a7474
Opcode Fuzzy Hash: c541506866d938dced41fe333cdaaf8a4ffe437695f829ef26f23cf14cc25e6f
Instruction Fuzzy Hash: 09016272BC0A6566EE5021387D02BDF114D5F62716F260176FC1CD82C5F74CD56E44EA

Function 021AF495 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 021AF4BD

Part of subcall function 021AEDA1: __getptd.LIBCMT ref: 021AEDAF
Part of subcall function 021AEDA1: __getptd.LIBCMT ref: 021AEDBD

__getptd.LIBCMT ref: 021AF4C7

Part of subcall function 021A3982: __getptd_noexit.LIBCMT ref: 021A3985
Part of subcall function 021A3982: __amsg_exit.LIBCMT ref: 021A3992

__getptd.LIBCMT ref: 021AF4D5
__getptd.LIBCMT ref: 021AF4E3
__getptd.LIBCMT ref: 021AF4EE
_CallCatchBlock2.LIBCMT ref: 021AF514

Part of subcall function 021AEE46: __CallSettingFrame@12.LIBCMT ref: 021AEE92

Part of subcall function 021AF5BB: __getptd.LIBCMT ref: 021AF5CA
Part of subcall function 021AF5BB: __getptd.LIBCMT ref: 021AF5D8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 1b316c8473a93b343d5f537133477b467525443aef24f85a48caa6918db169e2
Instruction ID: 0f6025d93e2409b0206bb5211ed9d75d4ec11724ca0b7a0680438b78e2923cc9
Opcode Fuzzy Hash: 1b316c8473a93b343d5f537133477b467525443aef24f85a48caa6918db169e2
Instruction Fuzzy Hash: 7E1119B9C40209DFDF00EFA4D894BADBBB1FF48314F1080A9E894A7250DB799A119F90

Function 021A2FD8 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 021A2FE4

Part of subcall function 021A3982: __getptd_noexit.LIBCMT ref: 021A3985
Part of subcall function 021A3982: __amsg_exit.LIBCMT ref: 021A3992

__amsg_exit.LIBCMT ref: 021A3004
__lock.LIBCMT ref: 021A3014
InterlockedDecrement.KERNEL32(?), ref: 021A3031
_free.LIBCMT ref: 021A3044
InterlockedIncrement.KERNEL32(004C5718), ref: 021A305C

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 5f4f07d0e76b3c78905ebfa961882fd5c095da79817d3d4d0d084b3aa64b1e5e
Instruction ID: 28695b79d4271df49a1b742864c18b433ff54b1cf80e1fe7e6f732bb3387caa9
Opcode Fuzzy Hash: 5f4f07d0e76b3c78905ebfa961882fd5c095da79817d3d4d0d084b3aa64b1e5e
Instruction Fuzzy Hash: 5701D63DD81B11DFC721BB64A566B5DB7A0BF01720F100195D820A3290C774A9C1DFD9

Function 021338D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

local, xrefs: 021338F6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: local
API String ID: 0-2346092776
Opcode ID: 0c69bc13aefb73e42755eb2104f0f9d617791f670872223b4d58fd4f2d87a5b4
Instruction ID: 5fc51399cd8331a96edeb7c372072a95cfe8c61d7e2ba476596f7da4590234ae
Opcode Fuzzy Hash: 0c69bc13aefb73e42755eb2104f0f9d617791f670872223b4d58fd4f2d87a5b4
Instruction Fuzzy Hash: 2C8107366443459FD731DF18D884BABB3E2AF88314F09069DE9A987382D731E845CBD5

Function 0215E810 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 224windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(004C69FC,00001032,00000000,00000000), ref: 0215E8EF
__wcsnicmp.LIBCMT ref: 0215E90A
SendMessageW.USER32(004C69FC,00001004,00000000,00000000), ref: 0215E941

Strings

$cJ, xrefs: 0215E86A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$__wcsnicmp
String ID: $cJ
API String ID: 2103314646-417114052
Opcode ID: ca5ef3df414cc83077101d062570975ea7e89f274724e9a31e0b024666aa8950
Instruction ID: 13edf85ecb0d562c8f58f657ace8c88e31de91671283cdfa42d4718ba1704a2d
Opcode Fuzzy Hash: ca5ef3df414cc83077101d062570975ea7e89f274724e9a31e0b024666aa8950
Instruction Fuzzy Hash: 0961E076F80311DBDB20DF29D884B6AB7E5FB85724F0045AAFD6987290D731D901CBA2

Function 0214E730 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214E800

Strings

$cJ, xrefs: 0214E915
9J, xrefs: 0214E90E
UseErrorLevel, xrefs: 0214E763
1aA, xrefs: 0214E77F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free
String ID: 9J$$cJ$1aA$UseErrorLevel
API String ID: 269201875-3525961569
Opcode ID: c8e0d6494d66012b853786e9234fb5f5ca299e58fb9c791ef4b923809f9694d8
Instruction ID: a048164e747ebb1390ee740d124013b1cb3cf20744b82c955a517032ee12e415
Opcode Fuzzy Hash: c8e0d6494d66012b853786e9234fb5f5ca299e58fb9c791ef4b923809f9694d8
Instruction Fuzzy Hash: F05103716443015FCA20DF28D880F67B7E6AB85314F008A6DF5998B381DB71E806CBA6

Function 02157A60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(004A58E4), ref: 02157A99
GetLastError.KERNEL32 ref: 02157B9C
__itow.LIBCMT ref: 02157BC8

Strings

0, xrefs: 02157C1F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorLast$__itow
String ID: 0
API String ID: 3125673013-4108050209
Opcode ID: 8e6ebd2ad20d8a39c355452cb6241081a62332ba2158c894556cf156dd812957
Instruction ID: 96f1ea3c16614ac8150100b3a574458827bca9cddea065733ad3c9689a93abf1
Opcode Fuzzy Hash: 8e6ebd2ad20d8a39c355452cb6241081a62332ba2158c894556cf156dd812957
Instruction Fuzzy Hash: DC616DB0E40229DFDB24CF98D985BADFBB5FB08314F104269E825A73D0D775A942CB90

Function 0211C160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0211C177

Strings

Up, xrefs: 0211C3D0

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _memset
String ID: Up
API String ID: 2102423945-1355106271
Opcode ID: 38edb8207897dbfd8eac9b485632f7402f1dedb6647f825a79395c151608d206
Instruction ID: 7bbccc51238f614ebfb17caa28bf26b5a77d74820df4a586c143fd4367478a3e
Opcode Fuzzy Hash: 38edb8207897dbfd8eac9b485632f7402f1dedb6647f825a79395c151608d206
Instruction Fuzzy Hash: B9412332AC02109BCB389B28889167BB3A4EF56B04F09443FE84AD7281F735D544C7DB

Function 0211D030 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146sleepCOMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,?,021122CA,?,?), ref: 0211D0C1
CharUpperW.USER32(?,?,?,?,?,021122CA,?,?), ref: 0211D0D2
Sleep.KERNEL32(00000000), ref: 0211D1B1

Strings

{Raw}, xrefs: 0211D108, 0211D131
{Text}, xrefs: 0211D118

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CharUpper$Sleep
String ID: {Raw}${Text}
API String ID: 3503790639-924107855
Opcode ID: 45bce33d6a8a6df1b82dec38023b66c6f85ca4477616bdec529f76df68018b8b
Instruction ID: a08350664afcc1ee0015ecca28d49756e9f192e8c7e280e18b029d7282047cdc
Opcode Fuzzy Hash: 45bce33d6a8a6df1b82dec38023b66c6f85ca4477616bdec529f76df68018b8b
Instruction Fuzzy Hash: 115193746487448BDB209F2898407ABBBF1FF8E304F08496DE8C997391E734E545CB55

Function 0218B210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126windowCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0218B2A8
_wcsncpy.LIBCMT ref: 0218B2C5
PostMessageW.USER32(004CA564,00000044,00000403,?), ref: 0218B373
MessageBoxW.USER32(?,?,?,?), ref: 0218B395

Strings

AutoHotkey v1.1.33.02, xrefs: 0218B295, 0218B2BB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Message_wcsncpy$Post
String ID: AutoHotkey v1.1.33.02
API String ID: 3297763708-502322182
Opcode ID: 8e35db3dbaae8a8a068b43ba8f02a28663172b8bea6bd1c3fedc72b6510e9093
Instruction ID: af265e20480be1048ec5cacd8e46e90c0999663ef741e4904097a5f304a24c32
Opcode Fuzzy Hash: 8e35db3dbaae8a8a068b43ba8f02a28663172b8bea6bd1c3fedc72b6510e9093
Instruction Fuzzy Hash: 624124B09883819AE720AF50DC84F9B77F4FB49704F048C7DEA888B290D77595498B8A

Function 00438000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00444650: GetForegroundWindow.USER32(?,?,00437345,?), ref: 0044467E
Part of subcall function 00444650: IsWindowVisible.USER32(00000000), ref: 00444699

_wcsncpy.LIBCMT ref: 00438044
__wcstoi64.LIBCMT ref: 00438084
__fassign.LIBCMT ref: 004380D2
__fassign.LIBCMT ref: 004380FE

Part of subcall function 00491A12: __wtof_l.LIBCMT ref: 00491A1C

Part of subcall function 00490F06: __fassign.LIBCMT ref: 00490EFC

Strings

msctls_statusbar321, xrefs: 0043805B

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign$Window$ForegroundVisible__wcstoi64__wtof_l_wcsncpy
String ID: msctls_statusbar321
API String ID: 4167010027-1022929942
Opcode ID: 6790195ce637ee190761b11690cc7ed550e6f48484dc1f718f7748b9c06890b8
Instruction ID: 788eacb607f33b64be3d547047aa1f0c496ec20a191ed04e37f1a56de443d958
Opcode Fuzzy Hash: 6790195ce637ee190761b11690cc7ed550e6f48484dc1f718f7748b9c06890b8
Instruction Fuzzy Hash: 1E312E72A0430097E630B7358C46B6B73B89F8C314F05193FB94967283E97D951DD2AB

Function 02150840 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 02142820: __wcsicoll.LIBCMT ref: 02142838

_wcsncpy.LIBCMT ref: 02150890
SetVolumeLabelW.KERNEL32(?,?), ref: 021508FB

Part of subcall function 02150450: _wcsncpy.LIBCMT ref: 02150488
Part of subcall function 02150450: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 021504EC

Strings

9J, xrefs: 02150903
$cJ, xrefs: 0215090A
\, xrefs: 021508C1

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy$DiskFreeLabelSpaceVolume__wcsicoll
String ID: 9J$$cJ$\
API String ID: 1863641975-1909888522
Opcode ID: 26eff295a1f2d6cb540cf58fa0d8ef9d92c2dbf0378017c8559d908ed792bbbb
Instruction ID: aed3fe05ef4fd717534938b351b37445d8e9b2a35a05dcb94c12d8c07bcba0d5
Opcode Fuzzy Hash: 26eff295a1f2d6cb540cf58fa0d8ef9d92c2dbf0378017c8559d908ed792bbbb
Instruction Fuzzy Hash: B5316E32644314DBC634EBA8DC80FAAB399EB9D310F14463AFD65C7290EB76D44087D6

Function 0217D3E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32(?,?,00000000), ref: 0217D40E
SetMenuItemInfoW.USER32 ref: 0217D455
DeleteObject.GDI32(?), ref: 0217D467
DestroyCursor.USER32(?), ref: 0217D473

Strings

0, xrefs: 0217D441

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Menu$CursorDeleteDestroyInfoItemObjectRemove
String ID: 0
API String ID: 2910511256-4108050209
Opcode ID: 78fe589266dff621738dc09cd580b17f00030bf12e7960d229dc73668580f6f0
Instruction ID: ae8f9f5b1d2a6acf771d9f95054e932db04b125892186f3eaf4d664a2500c40f
Opcode Fuzzy Hash: 78fe589266dff621738dc09cd580b17f00030bf12e7960d229dc73668580f6f0
Instruction Fuzzy Hash: 1B316CB26402449FC724CF59E884D2ABBF9FF88314B14467DE58A8BA21D730F884CB95

Function 0047B01F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0047B058
_wcsncpy.LIBCMT ref: 0047B075
PostMessageW.USER32(000201FC,00000044,00000403,?), ref: 0047B123
MessageBoxW.USER32(?,?,?,?), ref: 0047B145

Strings

AutoHotkey v1.1.33.02, xrefs: 0047B045, 0047B06B

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Message_wcsncpy$Post
String ID: AutoHotkey v1.1.33.02
API String ID: 3297763708-502322182
Opcode ID: 4d858b20879698586b62548811320521b5f89dec9b6e5d0e7635d555d82f9167
Instruction ID: 5037d3f3131e8d4430dd0b5c110027bf20470c1670cd799b848116fb22f4fea9
Opcode Fuzzy Hash: 4d858b20879698586b62548811320521b5f89dec9b6e5d0e7635d555d82f9167
Instruction Fuzzy Hash: BD31D1719043819AD7209F10D948BEB77F4FF45700F04CD7DE9885B291D77A4849878A

Function 02182FF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000002,?), ref: 02183067

Strings

W, xrefs: 02183015

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Open
String ID: W
API String ID: 71445658-655174618
Opcode ID: 4eaa1448f047c0a9e37dc15e519b90fea570750adc6d4903e70a76d622233704
Instruction ID: 96d0e053b2d78ebc61fbce866ec0104f0765683ba8f991aa9b081958d9b13936
Opcode Fuzzy Hash: 4eaa1448f047c0a9e37dc15e519b90fea570750adc6d4903e70a76d622233704
Instruction Fuzzy Hash: A62197716082019FC304EF24DCC8A2BBBE8FB89355F04492DF855D32A0D731D9488BA6

Function 00416040 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00416046
__wcsicoll.LIBCMT ref: 00416095
__wcsicoll.LIBCMT ref: 004160DD

Strings

Locale, xrefs: 004160D7
Off, xrefs: 0041608F

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: Locale$Off
API String ID: 3832890014-2054679776
Opcode ID: 7a0b0196891a786b0891aa3d41ab6e38dadfc404f173ccd241545673c09b9616
Instruction ID: bd6479399031bbe77513467dfbd74f1c393df7e816a8239ea1c880c3a9fcd5b1
Opcode Fuzzy Hash: 7a0b0196891a786b0891aa3d41ab6e38dadfc404f173ccd241545673c09b9616
Instruction Fuzzy Hash: A111E962650512029B24EB348C027F72555AF39B58B9F46BAEC06C63C5FB4FCBC5C29C

Function 02119C10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02119C28
__wcsicoll.LIBCMT ref: 02119C75

Strings

$cJ, xrefs: 02119C38
Off, xrefs: 02119C6F
9J, xrefs: 02119C81

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: 9J$$cJ$Off
API String ID: 3832890014-726444215
Opcode ID: 76cdb0d5839de39d175e6bcc09380cb86b1285596161c8e7d454c4073052871d
Instruction ID: a4cc538ffe721c29ebf45a5847627043a0677de0509854c89df8e48755361d1c
Opcode Fuzzy Hash: 76cdb0d5839de39d175e6bcc09380cb86b1285596161c8e7d454c4073052871d
Instruction Fuzzy Hash: 80117C41A8011AD1EF246B348D217A631D6AB31B68F994274D8B9CB3C9F33BD681C290

Function 02123B44 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46registrylibraryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameW.USER32(?), ref: 02123B69
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 02123B86
LoadLibraryW.KERNEL32(?), ref: 02123BB5
ActivateKeyboardLayout.USER32(00000000,00000000), ref: 02123BC9

Strings

Layout File, xrefs: 02123B9D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: KeyboardLayout$ActivateLibraryLoadNameOpen
String ID: Layout File
API String ID: 2091964706-1055935358
Opcode ID: 86dcf971c9547de30d1bf89f76b619d02056e4675c3859158bc4dd5fbb2261e4
Instruction ID: a8796388f77027418b9ffe6371e37c73b43ccffe9e015bd4d7634eb24223e019
Opcode Fuzzy Hash: 86dcf971c9547de30d1bf89f76b619d02056e4675c3859158bc4dd5fbb2261e4
Instruction Fuzzy Hash: 4A01B1352443119FD738AF609C48FABB7A8FB80351F0048AEFE56C2190EB389018CB62

Function 00491078 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00491092

Part of subcall function 0048FCA4: __FF_MSGBANNER.LIBCMT ref: 0048FCBD
Part of subcall function 0048FCA4: __NMSG_WRITE.LIBCMT ref: 0048FCC4
Part of subcall function 0048FCA4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00495598,004011D4,00000001,004011D4,?,00494023,00000018,004C1C20,0000000C,004940B3), ref: 0048FCE9

std::exception::exception.LIBCMT ref: 004910C7
std::exception::exception.LIBCMT ref: 004910E1
__CxxThrowException@8.LIBCMT ref: 004910F2

Strings

bad allocation, xrefs: 004910C0

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 36f28e2f7be32c6c88e2c8835e3d3f52415e842892e41568fbdb9cd4d28f9e6a
Instruction ID: 0e97269d05949e0eae5a2051462803c07d347007da5e63e20302bf3b35848e6c
Opcode Fuzzy Hash: 36f28e2f7be32c6c88e2c8835e3d3f52415e842892e41568fbdb9cd4d28f9e6a
Instruction Fuzzy Hash: 75F0F93550061AAADF50FB56CD06B6F3E64AB51354F64407FF805922E1DFBD8A80874C

Function 00409120 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,023A50F0,?,0040F2F1), ref: 00409133
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,023A50F0,?,0040F2F1), ref: 0040913E
GetLastError.KERNEL32 ref: 00409146
CloseHandle.KERNEL32(00000000), ref: 00409171

Strings

AHK Keybd, xrefs: 00409135

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: 5c1dec462a99eb0cbdb192bafac2b5537f98b22e2b92c282c39de3a5b1d5a127
Instruction ID: b11a0fa6ae01493b16eee62e90afce83b7d6509963e95f52bf66ae369014e02f
Opcode Fuzzy Hash: 5c1dec462a99eb0cbdb192bafac2b5537f98b22e2b92c282c39de3a5b1d5a127
Instruction Fuzzy Hash: DAF05E3370122196DA2067B5BC88F4A6B695B95BA2F058033E505EB290C738CC4046A9

Function 02160800 Relevance: 7.8, APIs: 5, Instructions: 266COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 02160909

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: 98f8e3e177bbc8a687f11b72fa054c5222a589484f78f3fbd14376b96d592325
Instruction ID: 58ae014cc6761de523098019c9ef7214f193444e252f4aba2a6d3b639d5eaec3
Opcode Fuzzy Hash: 98f8e3e177bbc8a687f11b72fa054c5222a589484f78f3fbd14376b96d592325
Instruction Fuzzy Hash: D39106719803009FD724DF18884973EB3E6BF5D754F08886DE8999B380E375D965CBA2

Function 0216F2F0 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcstoui64
String ID:
API String ID: 3882282163-0
Opcode ID: 89f6f9a896a8a446fd48ddba9fabd29907f9cc1d3132efd8c7f0b1e3cafb092b
Instruction ID: ef4eaa8f14fea70f10ea3facdb4b229a9cfcc057a16134ddbaacae33b38b52f1
Opcode Fuzzy Hash: 89f6f9a896a8a446fd48ddba9fabd29907f9cc1d3132efd8c7f0b1e3cafb092b
Instruction Fuzzy Hash: 6A711231648304AFC724DF68EC84F6FB7A5EB84714F144A2AF85A8B2D0D771D815CB99

Function 02157F40 Relevance: 7.7, APIs: 5, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02157FA7
_wcsrchr.LIBCMT ref: 02157FC0
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000001,?), ref: 02157FED
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,00000001,?), ref: 0215808D
LoadLibraryW.KERNEL32(?,?,00000001,?), ref: 021580B6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID:
API String ID: 3605676759-0
Opcode ID: fedc871011c6c37a1891870a6c324305d196aba50796a013d73e5318e052b1fa
Instruction ID: 97269fad22c2d70fbcd5e9655798c2de6d6542efdddbaf2fe6eeca5b63b793f1
Opcode Fuzzy Hash: fedc871011c6c37a1891870a6c324305d196aba50796a013d73e5318e052b1fa
Instruction Fuzzy Hash: 4F516A72A80321AFE730EB64DCC0FA7B399EF99710F050669EC2893290EB75D445C7A5

Function 021201B4 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02120323

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3bca486101eb41088be1b8c2d30fed34860812d7bf2f2d9861858a3b8d7e8fd5
Instruction ID: 104ad2c53de50b62301c89005014958ef7e6dc85df9e76b1418614e9d03d43b2
Opcode Fuzzy Hash: 3bca486101eb41088be1b8c2d30fed34860812d7bf2f2d9861858a3b8d7e8fd5
Instruction Fuzzy Hash: E3515871D84268FFDB20DBA0DC44FAE3F75AB5A308F084269F40567291D3304569CBA6

Function 021595F0 Relevance: 7.7, APIs: 5, Instructions: 165COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 02159639
_malloc.LIBCMT ref: 0215965B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsdup_malloc
String ID:
API String ID: 2398682791-0
Opcode ID: 746868dff13f7642c0ad85fdd5fe5b5a28c182d62539c3688bb970b4c9bcfe13
Instruction ID: 86c7d99082870fc871931ee55a9863f3880f6d8ccbd79df9926fa3976194c383
Opcode Fuzzy Hash: 746868dff13f7642c0ad85fdd5fe5b5a28c182d62539c3688bb970b4c9bcfe13
Instruction Fuzzy Hash: B45102B2640755DFC720DFA9E88056BB3E6EB84314F204A6ED96687640E732E546CFC2

Function 021201C4 Relevance: 7.7, APIs: 5, Instructions: 164threadkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 021206C0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0212073C

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0211F918
_wcschr.LIBCMT ref: 0211F960
_free.LIBCMT ref: 02120323
GetTickCount.KERNEL32 ref: 0212035A
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E
AttachThreadInput.USER32(004CB4F0,?,00000000), ref: 02120594
BlockInput.USER32(00000000), ref: 021205A7
GetForegroundWindow.USER32(00000000), ref: 021205DE
GetWindowThreadProcessId.USER32(00000000), ref: 021205E5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Thread$ForegroundInputMessagePeekProcess$AttachBlockCountTick_free_wcschr
String ID:
API String ID: 255257169-0
Opcode ID: 712c3b3c0728f970c5b716229d307538e8331260c2c1420dbeba7f2f22d91357
Instruction ID: f231416a63ca4dac4fb7308b783f1f4f86ef844f459604f4123c647b53bedbc3
Opcode Fuzzy Hash: 712c3b3c0728f970c5b716229d307538e8331260c2c1420dbeba7f2f22d91357
Instruction Fuzzy Hash: 13516A71D88268FFDB20DBA0EC44FAE3F75AB5A308F084269F405672D1D3314569CBA6

Function 021201CA Relevance: 7.7, APIs: 5, Instructions: 164threadkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 021206C0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0212073C

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0211F918
_wcschr.LIBCMT ref: 0211F960
_free.LIBCMT ref: 02120323
GetTickCount.KERNEL32 ref: 0212035A
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E
AttachThreadInput.USER32(004CB4F0,?,00000000), ref: 02120594
BlockInput.USER32(00000000), ref: 021205A7
GetForegroundWindow.USER32(00000000), ref: 021205DE
GetWindowThreadProcessId.USER32(00000000), ref: 021205E5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Thread$ForegroundInputMessagePeekProcess$AttachBlockCountTick_free_wcschr
String ID:
API String ID: 255257169-0
Opcode ID: eecdb2b7aff3b22a3bdb9fdb280fdd7f16555b64c2b31d721cca7d4cd7941d91
Instruction ID: 4904fd7089d686c9176d5ccb6e93c1eba3795a8840adfcb0420f4f13565b3f69
Opcode Fuzzy Hash: eecdb2b7aff3b22a3bdb9fdb280fdd7f16555b64c2b31d721cca7d4cd7941d91
Instruction Fuzzy Hash: EB515A71D88268FFDB20DBA0EC44FAE3F75AB5A308F084269F405672D1D3714569CBA6

Function 02177CE0 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 02177D27
GetDlgCtrlID.USER32(00000000), ref: 02177D32
GetParent.USER32(00000000), ref: 02177D41
GetDlgCtrlID.USER32(00000000), ref: 02177D4E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Ctrl$Parent__wcstoui64
String ID:
API String ID: 2645479964-0
Opcode ID: 4c984ca42b7cabf5292c64daf7a8300b78c0da66ebc48ecbd6b409431984e8d2
Instruction ID: ce776c63d9885e79e0d3fd347885e6db29b6d8243498cc2f32edcf79f8045a3b
Opcode Fuzzy Hash: 4c984ca42b7cabf5292c64daf7a8300b78c0da66ebc48ecbd6b409431984e8d2
Instruction Fuzzy Hash: 0B4118323802055BDB219F28CC55BBAB377EBC1715F394435F6019B2D1EB35E85287A4

Function 0211F996 Relevance: 7.6, APIs: 5, Instructions: 148threadCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02120323
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundProcessThread_free
String ID:
API String ID: 3803968087-0
Opcode ID: 033ed6a336de9722f24e365c9f78b69235320d2cd06c27130b9b8dbe9f319bdd
Instruction ID: 7409c12e11ccf495bad24cd59e41f781774879d0b5d57661af0de2b4e42b9f84
Opcode Fuzzy Hash: 033ed6a336de9722f24e365c9f78b69235320d2cd06c27130b9b8dbe9f319bdd
Instruction Fuzzy Hash: 30514A71D88268EFDB21DB60EC44FEE3F75EB5A308F084265F40557291D3314569CBA6

Function 0211F9BC Relevance: 7.6, APIs: 5, Instructions: 148threadCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02120323
GetForegroundWindow.USER32(00000000), ref: 02120557
GetWindowThreadProcessId.USER32(00000000), ref: 0212055E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundProcessThread_free
String ID:
API String ID: 3803968087-0
Opcode ID: 0ab73e46303fdb278573827c73ba4cf4068995202d73aa20a21d84bc4feb34f5
Instruction ID: 18a8820369ba693401015fd7ff5303252b8c9dfa947d005ae2cf041deddd7891
Opcode Fuzzy Hash: 0ab73e46303fdb278573827c73ba4cf4068995202d73aa20a21d84bc4feb34f5
Instruction Fuzzy Hash: 2C514A71D88268EFDB20DB60EC44FAE3F75EB5A308F084269F40557291D3314569CBA6

Function 0218A970 Relevance: 7.6, APIs: 5, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,0215493E,004C6A44,?,00000000,00000000,00000000,00000000,?,?,02147595,?), ref: 0218A9B1
IsWindowVisible.USER32(00000000), ref: 0218A9C6

Part of subcall function 0218B730: __wcsnicmp.LIBCMT ref: 0218B7F4
Part of subcall function 0218B730: __wcstoui64.LIBCMT ref: 0218B873

IsWindow.USER32(004A3890), ref: 0218AACA

Part of subcall function 0218B640: IsWindowVisible.USER32(004A3890), ref: 0218B641

GetWindowLongW.USER32(004A3890,000000F0), ref: 0218AAF6
EnumWindows.USER32(0047A9B0,00000002), ref: 0218AB48

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Visible$EnumForegroundLongWindows__wcsnicmp__wcstoui64
String ID:
API String ID: 256079111-0
Opcode ID: 1ff72e04120917a91cb1bf0cb7594ff27423dcf84b25814678284e21baaf9aec
Instruction ID: f6b19d5de0309c2ea153257dbe1f371b6e6e72d716b00fa8dc23caf42de32fe4
Opcode Fuzzy Hash: 1ff72e04120917a91cb1bf0cb7594ff27423dcf84b25814678284e21baaf9aec
Instruction Fuzzy Hash: D85171759893958BD730BF6498D46EAB7E5FF85304F44892FD98883240EB748684CF92

Function 021219B0 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 021219D5
__fassign.LIBCMT ref: 02121A22
__fassign.LIBCMT ref: 02121A5D
__fassign.LIBCMT ref: 02121A92
__fassign.LIBCMT ref: 02121AC7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: 41ba6864de551952a85156bc9d2977188199858485834648c3be75105a1305e6
Instruction ID: 4e534235ffbdffd94268fb82e0b3ccb970f82a24c4389b6cb7012826f540ec51
Opcode Fuzzy Hash: 41ba6864de551952a85156bc9d2977188199858485834648c3be75105a1305e6
Instruction Fuzzy Hash: B8313872AC43247FC610EB148C00B5A73A69F44754F580828FD8C6F2C2E3B5AD99C7E6

Function 021AE982 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 021AEA56
std::bad_exception::bad_exception.LIBCMT ref: 021AEA80
__CxxThrowException@8.LIBCMT ref: 021AEA8E

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID:
API String ID: 1176828985-0
Opcode ID: f1daaf7272d83479e5d9c48f97770eaf38c8a788f8f7a771ceb9e7a392e4d973
Instruction ID: b7c6379e077daaf0fbc7e860e3d8ea204d0ed20f04315ef3e93757b2d0096e76
Opcode Fuzzy Hash: f1daaf7272d83479e5d9c48f97770eaf38c8a788f8f7a771ceb9e7a392e4d973
Instruction Fuzzy Hash: 0331C17EA802159FCF14DF68C8B0BAEB7A1BF48311F148469E816E7290D734E901CFA0

Function 021219B6 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 021219D5
__fassign.LIBCMT ref: 02121A22
__fassign.LIBCMT ref: 02121A5D
__fassign.LIBCMT ref: 02121A92
__fassign.LIBCMT ref: 02121AC7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: fc70f87bdc6a397edf184e36bb0f87abd49d83b238beab0d5eed361c8deb2969
Instruction ID: 33f7c0499d677a5e8ce1fdf1b811dccc4cfdd84217e441ce1b1e05838bbcee2e
Opcode Fuzzy Hash: fc70f87bdc6a397edf184e36bb0f87abd49d83b238beab0d5eed361c8deb2969
Instruction Fuzzy Hash: 05312972A843647FD710EB148C00B5A33A29F44754F584828FD8D6F2C2E3B5AD99C7E6

Function 021284E0 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(004CC1E8,?), ref: 02128537
_free.LIBCMT ref: 0212858F
_free.LIBCMT ref: 021285AC
_free.LIBCMT ref: 021285EE
_free.LIBCMT ref: 0212860B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d0e7f00bbf892677bdd41b72260f83d6c0fe3c67c6124a2bbec218d0eadfa590
Instruction ID: 55ab45bb7a9b0d238f2cdccedeff7137f590bd3db2e0a3507d9408e8cdb7f692
Opcode Fuzzy Hash: d0e7f00bbf892677bdd41b72260f83d6c0fe3c67c6124a2bbec218d0eadfa590
Instruction Fuzzy Hash: 71313BB2A483908FC720DF98888461BFBE9BB9A614F444E2EF69583340D775D51C8F97

Function 02152B30 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 02152B4C
SetLastError.KERNEL32(000000B7), ref: 02152B5E
_wcsrchr.LIBCMT ref: 02152B77
CreateDirectoryW.KERNEL32(?,00000000), ref: 02152BE0
SetLastError.KERNEL32(00000057), ref: 02152BF5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile_wcsrchr
String ID:
API String ID: 1861573484-0
Opcode ID: dae40e702c3771359214405505dfd5eaa4e0b247359fa5e72bce5ca1d31bea6c
Instruction ID: ad904fd1170fb84164c6af413cbdb9432e8466e2b8fd81fef6b58b45d2902143
Opcode Fuzzy Hash: dae40e702c3771359214405505dfd5eaa4e0b247359fa5e72bce5ca1d31bea6c
Instruction Fuzzy Hash: DF213733A80624EBDB302F34EC44BDAB7A4EB44769F048679EE3997190E3318585CB91

Function 004441F0 Relevance: 7.6, APIs: 5, Instructions: 73timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004441FF
GetSystemTimeAsFileTime.KERNEL32(?,?,?,023B1B28), ref: 004442BC

Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475E69
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475E95
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475ECD
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F01
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F36
Part of subcall function 00475E40: _wcsncpy.LIBCMT ref: 00475F6B

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,023B1B28), ref: 00444242
GetLastError.KERNEL32(?,?,?,023B1B28), ref: 0044424C
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,023B1B28), ref: 004442AB

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy$Time$File$System$ErrorLastLocal
String ID:
API String ID: 3240568017-0
Opcode ID: 1312f3ad860936e977c46fb2c2976336659f494334651d602f7568b6dee9c96b
Instruction ID: ed3c0ece4a4318ca4416859416a3598fdd0206a96019e0ddb1ccf5fe4eb86390
Opcode Fuzzy Hash: 1312f3ad860936e977c46fb2c2976336659f494334651d602f7568b6dee9c96b
Instruction Fuzzy Hash: D921C8356043406BE720EB20EC41FFB77A8BFD5704F04892EB989562D1EBB89509C75B

Function 02119060 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0211906E

Part of subcall function 0219FEF4: __FF_MSGBANNER.LIBCMT ref: 0219FF0D
Part of subcall function 0219FEF4: __NMSG_WRITE.LIBCMT ref: 0219FF14
Part of subcall function 0219FEF4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0219FF39

_malloc.LIBCMT ref: 02119093
_free.LIBCMT ref: 021190A2

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap_free
String ID:
API String ID: 1159278337-0
Opcode ID: bfce2379d6a6073e6adfe375bc166afb75f5e1b015479cc5936c9dbff0a7321a
Instruction ID: 232b39eb33f904bec76f65c4efc0b419d9dde82a4a509b2095cb91acba9420a4
Opcode Fuzzy Hash: bfce2379d6a6073e6adfe375bc166afb75f5e1b015479cc5936c9dbff0a7321a
Instruction Fuzzy Hash: 49113DB69803185FCA90EF95FC80FDB736EABC5715F500039EC0687611E731A95ACEA2

Function 02126950 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0212696B
__wcsicoll.LIBCMT ref: 02126984

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 903e79645ca7077841e0e114f50f90866777ccf917b188f60b2fb4b0b671e742
Instruction ID: 1f66136ea345c56aa1638cd2ced51ff21b98e49f2557ef9f5d74b79e292ed982
Opcode Fuzzy Hash: 903e79645ca7077841e0e114f50f90866777ccf917b188f60b2fb4b0b671e742
Instruction Fuzzy Hash: A101D862AC16723EAE24353C3C01BEA114D4F21316F164136FC08E92C5FF4CC9A640E9

Function 021A1177 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 021A1185

Part of subcall function 0219FEF4: __FF_MSGBANNER.LIBCMT ref: 0219FF0D
Part of subcall function 0219FEF4: __NMSG_WRITE.LIBCMT ref: 0219FF14
Part of subcall function 0219FEF4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0219FF39

_free.LIBCMT ref: 021A1198

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8a85b2422ff44affc924af4dbc445d07efe07d6852990364a55c1d78d94f4020
Instruction ID: 5969c70e732902c8acfb38409bb176ed7c22488c80c0796d722460627a0b9ec9
Opcode Fuzzy Hash: 8a85b2422ff44affc924af4dbc445d07efe07d6852990364a55c1d78d94f4020
Instruction Fuzzy Hash: 2C11A77B9C16117FCF212BB4AC24B6A3B9AAF453B1F314565E85DDA160DF34C8408A94

Function 02142670 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021426A4

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 21ade3fd0822db5317d07713a8acde142c83c73a01b6abd888cd885da4b2a72f
Instruction ID: 74b6c8ace08855e9ab08af96507350c28ce7f2cda93aaeadf61600ab16f44fb7
Opcode Fuzzy Hash: 21ade3fd0822db5317d07713a8acde142c83c73a01b6abd888cd885da4b2a72f
Instruction Fuzzy Hash: 25013155BC161526EF2171384C42BAA204A5B61B0AFE94560FD08E52C6FFEDC98194D9

Function 02126400 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02126409
__wcsicoll.LIBCMT ref: 02126422

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 47659b04db0ef7a416f5ac458911f85821d1363b722fb693dc90851dbe562faa
Instruction ID: f55f7f78363ea0e22b7724def8ada24deb056fa0b97b5b30bb8707e3d88498e9
Opcode Fuzzy Hash: 47659b04db0ef7a416f5ac458911f85821d1363b722fb693dc90851dbe562faa
Instruction Fuzzy Hash: D4F096B2EC06B162DE6122387C02BFE118D4F21356F164066FC88D55C9F78D9AA644D9

Function 02142720 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02142730
__wcsicoll.LIBCMT ref: 02142748

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 78d72f5161912edb43d412b3478a34a7cca4ee3f478739f5f6dbdbdeb72eee9b
Instruction ID: eddc76519311aee037b96a040d07c693447f5eb37e7d20f09eed6d6d44cb138e
Opcode Fuzzy Hash: 78d72f5161912edb43d412b3478a34a7cca4ee3f478739f5f6dbdbdeb72eee9b
Instruction Fuzzy Hash: 24F0BE66AC2A1122EF1120389C03F9A20495F72B07FE94170FC1CC02C1FF9DE29284AE

Function 02126790 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021267A0
__wcsicoll.LIBCMT ref: 021267B3

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 6d8cd9f16e74b58d15d7419833f31a88cefdb957cca74c7fe64a4a0be2038e9a
Instruction ID: dc76ae729f3367cfa58fe3e752c1c49490f8b17c110bdfba3cd6347fb6828893
Opcode Fuzzy Hash: 6d8cd9f16e74b58d15d7419833f31a88cefdb957cca74c7fe64a4a0be2038e9a
Instruction Fuzzy Hash: BEF08975AC166562EF2129385C02B5E204D5F22B07FE44079FC08D55C1FB8DD62E8599

Function 02125DD0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02125DD6
__wcsicoll.LIBCMT ref: 02125DEE

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 0ed3fe1f2b192cc8fa187e5a40f94ddd1ec1b965cc49efc2bfb1ea3ecd97b932
Instruction ID: de7382e97566eee00d2ed570ea2d91b91f6020f7723043587f12d8e2a5871144
Opcode Fuzzy Hash: 0ed3fe1f2b192cc8fa187e5a40f94ddd1ec1b965cc49efc2bfb1ea3ecd97b932
Instruction Fuzzy Hash: 3FF0A761EC452576DE1121344C42B9E204B4F22B06FE54064FC08D01C1FB8DD22A80D9

Function 021A3759 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 021A3765

Part of subcall function 021A3982: __getptd_noexit.LIBCMT ref: 021A3985
Part of subcall function 021A3982: __amsg_exit.LIBCMT ref: 021A3992

__getptd.LIBCMT ref: 021A377C
__amsg_exit.LIBCMT ref: 021A378A
__lock.LIBCMT ref: 021A379A
__updatetlocinfoEx_nolock.LIBCMT ref: 021A37AE

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 30f2f978db3a3185453e21d0b76ebbaa8c314a263122820700460cccc5d812df
Instruction ID: c3ee8a5cea82f93250527c9af7b7f3588490449043632722395cad6627759d76
Opcode Fuzzy Hash: 30f2f978db3a3185453e21d0b76ebbaa8c314a263122820700460cccc5d812df
Instruction Fuzzy Hash: ABF0F07E9C0710AFD7A1BBF46826F1D73A16F00724F114289D4A0A71D0CBA465408E59

Function 021800D0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

Parameter #1 invalid., xrefs: 02180186

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: Parameter #1 invalid.
API String ID: 0-1208927624
Opcode ID: 46248bfe309755df73f3819ff16bb6d98a4e953c241720d2b0d88671f19fa8a9
Instruction ID: 9dbd93a32c4b015f3866ac4c885b464c347b68a39fc22a4468cd8005808a840a
Opcode Fuzzy Hash: 46248bfe309755df73f3819ff16bb6d98a4e953c241720d2b0d88671f19fa8a9
Instruction Fuzzy Hash: 8ED1817164470A9FDB14DF58C4C0B6AB3E1FF88318F148A2EE85997241D771E949CF92

Function 0215AA70 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 0215AD19
_free.LIBCMT ref: 0215AD79

Strings

O, xrefs: 0215AD4B
ERCP, xrefs: 0215AB68

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsdup_free
String ID: ERCP$O
API String ID: 2088533098-1578287635
Opcode ID: b09f2bcdd348ff3e40569aa6681643fdbc5e1a9436c58d4b5d20774f4087a7b1
Instruction ID: e403ffdc5627d91e640f56010c645b3568ac4d9e81421e3a437391f471296955
Opcode Fuzzy Hash: b09f2bcdd348ff3e40569aa6681643fdbc5e1a9436c58d4b5d20774f4087a7b1
Instruction Fuzzy Hash: 43B19375E80229EFCB14DF94C880AAEB7B6FF48314F148299EC25AB350D771A945CF91

Function 02148390 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 278windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 021548A0: GetForegroundWindow.USER32(?,?,02147595,?), ref: 021548CE
Part of subcall function 021548A0: IsWindowVisible.USER32(00000000), ref: 021548E9

SendMessageTimeoutW.USER32(004CA514,?,004CA514,00000000,00000002,00001388,?), ref: 02148502

Strings

$cJ, xrefs: 02148664
FAIL, xrefs: 02148525, 02148540, 0214865D, 0214867E, 0214869A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundMessageSendTimeoutVisible
String ID: $cJ$FAIL
API String ID: 578228273-2838781074
Opcode ID: 4ee379e8ecf06f8ac15b4d21dfccc5ea42f2728296180e7de2062403343a85ed
Instruction ID: 9e19f08e4ad464774c6073654c2cf73f2384d1e28a64249d82333b2dfa19b0cf
Opcode Fuzzy Hash: 4ee379e8ecf06f8ac15b4d21dfccc5ea42f2728296180e7de2062403343a85ed
Instruction Fuzzy Hash: CEA126717842005FC724DF28EC80F66B7A6AB85328F1985ADE94D8F2C1CB75D885CBD5

Function 004800C7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00480BF6

Strings

], xrefs: 00480B5E
\, xrefs: 0048012E

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: \$]
API String ID: 4104443479-2127938089
Opcode ID: f8e5b251e1edd8fbfb66df5a1802ceb21747df498eb1ba6de6123a39dddb2ab4
Instruction ID: fe6821bc1007312be04e06b417fa11cba559fcd3dc6eaf4cb4a27364cc70c6ae
Opcode Fuzzy Hash: f8e5b251e1edd8fbfb66df5a1802ceb21747df498eb1ba6de6123a39dddb2ab4
Instruction Fuzzy Hash: D7717E70A193458BC764DF28C48176FB7E1BFD4710F148A2EE49987390E778E948CB9A

Function 0216D680 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 0216CDC0: _wcschr.LIBCMT ref: 0216CDD9

__wcstoui64.LIBCMT ref: 0216D6EB

Part of subcall function 021A1BAE: wcstoxq.LIBCMT ref: 021A1BD0

__wcstoui64.LIBCMT ref: 0216D805

Strings

$cJ, xrefs: 0216D752
$cJ, xrefs: 0216D70D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcstoui64$_wcschrwcstoxq
String ID: $cJ$$cJ
API String ID: 848492632-4067473746
Opcode ID: 7ba915fb25c51edeaf8860f6269e35b26e5b9e3b07647a0eb4651b7c157ea5c3
Instruction ID: 3ac9d02a5cfa5eef1422569a237cfcc87f4e2a2d586b784949bde0c8b0d34f43
Opcode Fuzzy Hash: 7ba915fb25c51edeaf8860f6269e35b26e5b9e3b07647a0eb4651b7c157ea5c3
Instruction Fuzzy Hash: CA51E3B6B802445FC730AF68FC88A7F73E9EB85758F594539E85487240EB35E814CA92

Function 02122300 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004C9484), ref: 02122398
GetCursorPos.USER32(?), ref: 02122475

Strings

d, xrefs: 02122459

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Cursor
String ID: d
API String ID: 3268636600-2564639436
Opcode ID: 0a8221b956d51a686e304ca07a9abecb84ec165ab9cdbd670feb013ca5bbe2e5
Instruction ID: 1412bc8778862e1ba0162821d3e229eeb5f0d5d01dbae23fc9b336260f0f7e8d
Opcode Fuzzy Hash: 0a8221b956d51a686e304ca07a9abecb84ec165ab9cdbd670feb013ca5bbe2e5
Instruction Fuzzy Hash: 4051BB356843119FD728CF28D880B6EB3E2BB88714F144539FC8AC7251D735D969CB65

Function 02126CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 132comCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02126F22
OleInitialize.OLE32(00000000), ref: 02126F6C

Part of subcall function 02127D40: _wcsncpy.LIBCMT ref: 02127D93
Part of subcall function 02127D40: SetCurrentDirectoryW.KERNEL32(004A3890,00000000,?,00000100,00000000), ref: 02127DFF

Strings

%E, xrefs: 02126D07
Tray, xrefs: 02126F2F

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryInitialize_memset_wcsncpy
String ID: Tray$%E
API String ID: 613146505-3103445395
Opcode ID: 51ce06a3aa56aaa2013ac6591dd4849e289739a97c3c9ec41f5233dca173aaf9
Instruction ID: ed0ad94f21611a2fbbabedcfb564212f306cea90734c39e7c2dafc684af29a75
Opcode Fuzzy Hash: 51ce06a3aa56aaa2013ac6591dd4849e289739a97c3c9ec41f5233dca173aaf9
Instruction Fuzzy Hash: E2615EB4846384EEC3908F6AADD2E15BAA8F759708F90823EE448C33A1C77401448FDD

Function 02161A20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

joyGetDevCapsW.WINMM(?,?,000002D8), ref: 02161A5F
_memset.LIBCMT ref: 02161A75
joyGetPosEx.WINMM ref: 02161AB7

Strings

4, xrefs: 02161AA7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Caps_memset
String ID: 4
API String ID: 675830301-4088798008
Opcode ID: bc540bbd9bd6e9462421f524c438b7103932e9f24e31840f203531a11d0905d1
Instruction ID: 9ddcdaefa0f8b3c11e8c6acf6a23744ba0989202e3de841508e73138b5fbee7a
Opcode Fuzzy Hash: bc540bbd9bd6e9462421f524c438b7103932e9f24e31840f203531a11d0905d1
Instruction Fuzzy Hash: 7731E672681341ABD330CF18E4887BEF3E4EF96315F88895EE49887290E37A911CCB51

Function 0042900D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042901B
__wcsicoll.LIBCMT ref: 0042911D

Strings

ahk_group, xrefs: 00429015
$cJ, xrefs: 0042900D, 0042908F, 004290EB, 00429154

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll__wcsnicmp
String ID: $cJ$ahk_group
API String ID: 28402859-3333620948
Opcode ID: 6cc332ec26e0d1f70017bea1e546447b45eec99dec9f01c7d0211ccf1f60a14f
Instruction ID: e2c5433b7f064a0bef8cd9e8951e5c6eb8b59b3c40446619f25343e6f1a12235
Opcode Fuzzy Hash: 6cc332ec26e0d1f70017bea1e546447b45eec99dec9f01c7d0211ccf1f60a14f
Instruction Fuzzy Hash: 1E31D130704268EBD764DF18EC84E2B37B5AB4A308F88846EE5444B392D7799C91C76E

Function 00459100 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(atl), ref: 00459112
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00459122

Strings

AtlAxGetControl, xrefs: 0045911C
atl, xrefs: 0045910D

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: AtlAxGetControl$atl
API String ID: 1646373207-1501572552
Opcode ID: b4da0a31f756675afc51a82b7d910fcf342e7155634322e39036e5bb30fded02
Instruction ID: e97827cb32079c3960b9188d26754c4635221f31eb59461d8d6e1150b6d55386
Opcode Fuzzy Hash: b4da0a31f756675afc51a82b7d910fcf342e7155634322e39036e5bb30fded02
Instruction Fuzzy Hash: 22317074200602EFDB04DF59D854B5777E4AF84309F14846EE809CB362E77ADC0ADB95

Function 02122C30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02122C68
GetForegroundWindow.USER32(?,021215D9,?,?), ref: 02122CB4
GetWindowTextW.USER32(00000000,004CAD8C,00000064), ref: 02122CE1

Strings

N/A, xrefs: 02122D0A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: 2fd051712f737ae47f244709d37459cad1e2b1d357a65674ddae0cbbb7e22ec3
Instruction ID: f491e705847ca41ff5e5d1c5e8fd07fdcdf03268cec0c81a285848f36382ef71
Opcode Fuzzy Hash: 2fd051712f737ae47f244709d37459cad1e2b1d357a65674ddae0cbbb7e22ec3
Instruction Fuzzy Hash: D6319531104214CFC359CF24ED94E297BB2FB89309F05C57AE806CB675D7309824CB4A

Function 021A03F6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__woutput_l.LIBCMT ref: 021A0451

Part of subcall function 021A3EC2: __getptd_noexit.LIBCMT ref: 021A3EC2

Strings

B, xrefs: 021A0443

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__woutput_l
String ID: B
API String ID: 3669879410-1255198513
Opcode ID: 03032bbca66baeae611268328c120a2d0e66b8455c233a04f28a1321d39e88e8
Instruction ID: f831c8201aa199eb3003cf00a9e29439bef27192e11b83677c8e48ba76edd8b1
Opcode Fuzzy Hash: 03032bbca66baeae611268328c120a2d0e66b8455c233a04f28a1321d39e88e8
Instruction Fuzzy Hash: 8A115E7694425DDFDF019FA4CC90AFEB7B8FB0C324F10456AE920A6281D77899048BB0

Function 0043C1D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00476360: _vswprintf_s.LIBCMT ref: 00476379

GetFileAttributesW.KERNEL32(?,0043C3BD,00000000,?,0043C463), ref: 0043C203
GetFileAttributesW.KERNEL32(?,?,?,?,?,0043C3BD,00000000,?,0043C463), ref: 0043C259

Strings

"%s\%s, xrefs: 0043C1E0, 0043C236
AutoHotkey.chm, xrefs: 0043C1DE, 0043C234

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AttributesFile$_vswprintf_s
String ID: "%s\%s$AutoHotkey.chm
API String ID: 1487582922-1989825519
Opcode ID: 095e45e3d592fc7686ef85049473f613db3b1e2b00e935daeae4889220443448
Instruction ID: a420c570394e4981e771206abc9edcf9669dd6b7b2b753d55bc7da5be51c1535
Opcode Fuzzy Hash: 095e45e3d592fc7686ef85049473f613db3b1e2b00e935daeae4889220443448
Instruction Fuzzy Hash: E81123764006046BC3108F98EC82AAB7399FB4A764F04826AF819D7391D739AC158BE5

Function 02128370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0212837B
_wcschr.LIBCMT ref: 021283BB

Strings

Class, xrefs: 02128375
<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 021283B6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsnicmp_wcschr
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
API String ID: 2237432580-400929710
Opcode ID: 3e65991958776511a363d75a9652196ca4b45058d2c914b72df164aef9867b9e
Instruction ID: 01bf9018eb968bcb73617aebc8eb70b323afbf3dd88a4685e9e2fb24ddbcdfcb
Opcode Fuzzy Hash: 3e65991958776511a363d75a9652196ca4b45058d2c914b72df164aef9867b9e
Instruction Fuzzy Hash: 491189626402319BD7208B2DAD417BB73D1EF95314B1A4516FC44CB184F720D8AEC6B0

Function 00418120 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041812B
_wcschr.LIBCMT ref: 0041816B

Strings

Class, xrefs: 00418125
<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 00418166

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsnicmp_wcschr
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
API String ID: 2237432580-400929710
Opcode ID: ddb9f795ef5eef9625f2d227e283799c986f45950540f36eecceebb915710be6
Instruction ID: 000611b55cc603882a6c8dd12de19df21fd80f28234bad1777c5b54ea45d26c5
Opcode Fuzzy Hash: ddb9f795ef5eef9625f2d227e283799c986f45950540f36eecceebb915710be6
Instruction Fuzzy Hash: D6110873604211AA9B209B2DAC425FB73A1EFA2311718492FEC45C6354FB28DCC6C699

Function 02127910 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02127920
_wcsncpy.LIBCMT ref: 02127992
Shell_NotifyIconW.SHELL32(00000000,?), ref: 021279A5

Strings

AutoHotkey, xrefs: 02127983, 0212798A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: IconNotifyShell__memset_wcsncpy
String ID: AutoHotkey
API String ID: 1481257660-348589305
Opcode ID: 4de8aaaec7b3385bc2d5b59284372a4e1311b53348e82b983606de7dee336c8d
Instruction ID: ecbd3f8ec84ca26debf249f4ab1975335f5585c503ba8b103f0a960f50ff63a7
Opcode Fuzzy Hash: 4de8aaaec7b3385bc2d5b59284372a4e1311b53348e82b983606de7dee336c8d
Instruction Fuzzy Hash: BC112DB0640701AFEB60DF34C849B97B7E8EB49354F00482DE99ED7380E774A915CB65

Function 02114890 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,0211485A,?,?,?,00000000,0212503E,004A3890,02144C62), ref: 021148A1
GlobalLock.KERNEL32(00000000), ref: 021148C6
GlobalFree.KERNEL32(00000000), ref: 021148D7

Strings

GlobalLock, xrefs: 021148E2

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Global$AllocFreeLock
String ID: GlobalLock
API String ID: 1811133220-2848605275
Opcode ID: 3077d16a6333e464a38a1998cabdca6bdcba8b44f69dc64c1187058e47271b07
Instruction ID: bb61ebefb7b3452b22502894a1ac37805f763253e324812369f9f2d3f41ed2cf
Opcode Fuzzy Hash: 3077d16a6333e464a38a1998cabdca6bdcba8b44f69dc64c1187058e47271b07
Instruction Fuzzy Hash: 3FF04471A40B419AD714DFB58D09F12B7E5AF45B05F00887EB55AD3654FF38E4008B58

Function 0217E330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SetMenuItemInfoW.USER32 ref: 0217E363
DeleteObject.GDI32(00000000), ref: 0217E376
DestroyCursor.USER32(00000000), ref: 0217E390

Strings

0, xrefs: 0217E34B

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CursorDeleteDestroyInfoItemMenuObject
String ID: 0
API String ID: 392443887-4108050209
Opcode ID: bcb17f935b03f77c21bbf1565bad6a80ba5704de6224b23550ba8cda24da3172
Instruction ID: 19005a6d31b5c7ad42d73170a03e2f2e2e10b7c9a28e9b3d581213dad0e6fa8b
Opcode Fuzzy Hash: bcb17f935b03f77c21bbf1565bad6a80ba5704de6224b23550ba8cda24da3172
Instruction Fuzzy Hash: EFF04FB05013009FE324CF15C958B177BF4BB88709F44095CE48A876A0D7B9E408CB95

Function 0046E0E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SetMenuItemInfoW.USER32 ref: 0046E113
DeleteObject.GDI32(00000000), ref: 0046E126
DestroyIcon.USER32(00000000,?,0046CBF5,00000000,00000000,75845780,?,?,00416ED1,004CB508,023A2EF8,?,?,?,00000000,00000000), ref: 0046E140

Strings

0, xrefs: 0046E0FB

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: DeleteDestroyIconInfoItemMenuObject
String ID: 0
API String ID: 2083505926-4108050209
Opcode ID: bcb17f935b03f77c21bbf1565bad6a80ba5704de6224b23550ba8cda24da3172
Instruction ID: 9ba0049c749f477f11fd6e0a93733dfd42603c35f6568d37a2aa2cf327b2bc5a
Opcode Fuzzy Hash: bcb17f935b03f77c21bbf1565bad6a80ba5704de6224b23550ba8cda24da3172
Instruction Fuzzy Hash: B8F06DF45013009FE324CF16C958B577BE4BB49705F840A1CF49A877A0E7B9E808CB9A

Function 0042A054 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042A065
__wcsicoll.LIBCMT ref: 0042A07C

Strings

$cJ, xrefs: 0042A08B, 0042A0A1
wait, xrefs: 0042A05F

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: $cJ$wait
API String ID: 3832890014-1684543882
Opcode ID: e140d34723dc111992b1ed2cf201ebc7f83160051c9a72e4a6e3a927357a2cf7
Instruction ID: 1378ec2c2e1a5aab58b6cf052c1957ae3d335812870cfaf5c805cc1277386b26
Opcode Fuzzy Hash: e140d34723dc111992b1ed2cf201ebc7f83160051c9a72e4a6e3a927357a2cf7
Instruction Fuzzy Hash: 36E09B60B04214BBDA90AF75FD85F17239C6705308B48442B7D01C3152D77DD8A5833F

Function 0216C4D0 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0216C577
_malloc.LIBCMT ref: 0216C591

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free_malloc
String ID:
API String ID: 845055658-0
Opcode ID: 265540759c46f58153206af4fd07174db42eced511f7a7a180f7f0053de9921f
Instruction ID: 72ac7b82e680d2d5b35f00333a3a7e6494598e8c09f92661a9a1b3413460913f
Opcode Fuzzy Hash: 265540759c46f58153206af4fd07174db42eced511f7a7a180f7f0053de9921f
Instruction Fuzzy Hash: 1AB1DE716482448FD714DF28A88CBBEB7E5AB85305F04853FE8C687241D735D525CBDA

Function 0211226C Relevance: 6.2, APIs: 4, Instructions: 229windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 82b705f1cfa4194da50d9e7223db4bbf129d93850633d6305fbd967e34fffd72
Instruction ID: ea7718b72b8cd01db8623643410aba6625b2e6fd4133e090e90bfcd22e295ab7
Opcode Fuzzy Hash: 82b705f1cfa4194da50d9e7223db4bbf129d93850633d6305fbd967e34fffd72
Instruction Fuzzy Hash: 3B81E4719C8350AFCB35CF18C4947AAF7E6AF85308F484539EA9987364D374D882CB86

Function 0211235B Relevance: 6.2, APIs: 4, Instructions: 219windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 334ef50807d7bdf99b2ef6d46e019313d9a4e1b63d94a723f83dfccd939e036a
Instruction ID: 6a87bae367e77084095517ce02917a27af462c1ca1b5633757e9f3a50faa4574
Opcode Fuzzy Hash: 334ef50807d7bdf99b2ef6d46e019313d9a4e1b63d94a723f83dfccd939e036a
Instruction Fuzzy Hash: 4C71D571AC4314AFCB248B18C4D47AEF7E5AB89308F584639EA9987354D330D982CB86

Function 02112129 Relevance: 6.2, APIs: 4, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 7fbda89de4f581030ffcbf43f03d96112dcd573f1735d9589365a4b7fb391144
Instruction ID: 78921a72a6095b2cef907f7c1810153fd1def88bf41e847c6219f2c608e9b6af
Opcode Fuzzy Hash: 7fbda89de4f581030ffcbf43f03d96112dcd573f1735d9589365a4b7fb391144
Instruction Fuzzy Hash: 6661F771AC4314AFDB758B1CC8D47AEF7E6AF85308F584539EA9987264D330D881CB86

Function 02112145 Relevance: 6.2, APIs: 4, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 112b7eb5fdea1455c57fb30aefbc8f84dafc170fdc64ad91bb2e82776f998ed3
Instruction ID: 520a0e159927aa702281f275803a659635b6a69d706d74ad23caf1359db12c0c
Opcode Fuzzy Hash: 112b7eb5fdea1455c57fb30aefbc8f84dafc170fdc64ad91bb2e82776f998ed3
Instruction Fuzzy Hash: 3461E671AC4314AFDB758B1CC4D47AEF7E6AF85308F584539EA9987264D330D881CB86

Function 021120F8 Relevance: 6.2, APIs: 4, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 52ecb12a4fd2bea60b8359a136ef88312082890e0ff35d71426ed9757f8002f8
Instruction ID: 7d242e0006275f86266692c9a4afd4467f2fa9bc680b27eb1077a5a171e55aa0
Opcode Fuzzy Hash: 52ecb12a4fd2bea60b8359a136ef88312082890e0ff35d71426ed9757f8002f8
Instruction Fuzzy Hash: C261F671AC4314AFDB758B2CC8D47AEF7E5AF85308F484539EA9983264D330D881CB86

Function 02112F0D Relevance: 6.2, APIs: 4, Instructions: 194windowclipboardCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
CountClipboardFormats.USER32 ref: 02112F0D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClipboardCountFormatsMessage
String ID:
API String ID: 477315184-0
Opcode ID: a5bd795eaaea059997e66ef42b7d2e3ebc02a3127186f58c48d2abd295303f30
Instruction ID: ba2cefdd5149696410cdea4fb95bd5200759b96b0d802d397017602979aad4da
Opcode Fuzzy Hash: a5bd795eaaea059997e66ef42b7d2e3ebc02a3127186f58c48d2abd295303f30
Instruction Fuzzy Hash: D7611471688351AFDB348B28C884BAEB7E9AF85708F04453DFA59C7390D774D880CB96

Function 0211230E Relevance: 6.2, APIs: 4, Instructions: 193windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AcceleratorDragFinishFocusMessageTranslate
String ID:
API String ID: 3031666465-0
Opcode ID: 38de454f00cf1859e1ba1a98118224f971f79228e71105e7cf12037d21d3432a
Instruction ID: fe0b02943ab6488dbf03dbb1f73ff8a2ead77155e38d0c942f263dfafb04800f
Opcode Fuzzy Hash: 38de454f00cf1859e1ba1a98118224f971f79228e71105e7cf12037d21d3432a
Instruction Fuzzy Hash: C961E6719C4714AFDB758B18C8D47AEF7E5AB85308F584539EA8983364D3349881CB86

Function 02112338 Relevance: 6.2, APIs: 4, Instructions: 193windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D
DragFinish.SHELL32(?), ref: 02112590

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: DragFinish$AcceleratorFocusMessageTranslate
String ID:
API String ID: 2266762101-0
Opcode ID: 15f6af7553ff76668244343b4349a39a08cbdf135d5d9f5c75b2c4fbeae659d4
Instruction ID: c55b2e6bbc3d2174a0ce1f95241a4ab128cd80d07900f1a204ba4c85c17f263a
Opcode Fuzzy Hash: 15f6af7553ff76668244343b4349a39a08cbdf135d5d9f5c75b2c4fbeae659d4
Instruction Fuzzy Hash: 236109719C47146FDB758B2CC4D47AEF7E5AF85308F484539EA9987264D330D881CB86

Function 02112161 Relevance: 6.2, APIs: 4, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0211187A
DragFinish.SHELL32(?), ref: 0211254D
DragFinish.SHELL32(?), ref: 02112590

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: DragFinish$AcceleratorFocusMessageTranslate
String ID:
API String ID: 2266762101-0
Opcode ID: e4be9fcff14c6a1d994baeef08becb6f4fab5c10b56141066124c7cf952b72a1
Instruction ID: 699ab43894588a34236804b9ffc58dad2889938e96bb4c09ce56b161cb9db89b
Opcode Fuzzy Hash: e4be9fcff14c6a1d994baeef08becb6f4fab5c10b56141066124c7cf952b72a1
Instruction Fuzzy Hash: B9510871AC4714AFDB758B1CC8D47AEF7E6AB85308F484539EA9983264D330D881CB86

Function 02125C00 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02125D0C
__wcsicoll.LIBCMT ref: 02125D24

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 569442e974ecc65b458fcfc2957a79c8a0527e44a4dcf07d9a501c72f8652c49
Instruction ID: a95966d23c7d0ca7ca0af67b41555856214fd1a19fd28523e6a894d78b8bf73d
Opcode Fuzzy Hash: 569442e974ecc65b458fcfc2957a79c8a0527e44a4dcf07d9a501c72f8652c49
Instruction Fuzzy Hash: D24127326443296ACB389E68E8C07FA73EAEFC5314F89443DED4587150F736956D8392

Function 021272D0 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,021142E4,?), ref: 021272F6
_wcsrchr.LIBCMT ref: 02127399
GetModuleFileNameW.KERNEL32(00000000,?,00007FFE,?,?,?,?,?,021142E4,?), ref: 02127435
_wcsrchr.LIBCMT ref: 02127495

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FileModuleName_wcsrchr
String ID:
API String ID: 2248907744-0
Opcode ID: 3d273865c451ccdac851a998b091693aee1a9c27cbd87a93ba4498bc403332db
Instruction ID: f33dd8e80c013bb841002c3488fc866fbf1d84a60f4708c650a9e26eeb1237b1
Opcode Fuzzy Hash: 3d273865c451ccdac851a998b091693aee1a9c27cbd87a93ba4498bc403332db
Instruction Fuzzy Hash: 6751F3B2A843525AD714EF649C01BABB3A5EF81314F084679FD658B2C0FB70D519CBA2

Function 02121F10 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1a268ee89e11112a3751bdb9c4f03cc218f28128f4e87f9d09ae17b186c66c
Instruction ID: a2e1791798cb9b5eb5a8fb41146857fbe222cbb6e075616f73b9bae26b67df18
Opcode Fuzzy Hash: 3a1a268ee89e11112a3751bdb9c4f03cc218f28128f4e87f9d09ae17b186c66c
Instruction Fuzzy Hash: 715116316842209FD728DB28DC88B7F77E5EB85315F05462DFC46932A0D335996CCB66

Function 021773E0 Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021773FC
__wcsicoll.LIBCMT ref: 02177646

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 1f986cea34d6bdb3f680d5e208d465f01867dc74f5bbacd9a1c444c998213c18
Instruction ID: de7ce650b2985aea5a2b01b6ba139215da565c42abd33149ff544e04cf565c72
Opcode Fuzzy Hash: 1f986cea34d6bdb3f680d5e208d465f01867dc74f5bbacd9a1c444c998213c18
Instruction Fuzzy Hash: BD41CB317883406BE7206B384C81B37BBA6ABC6724F140679F995CB2C2D7B5D941C790

Function 0218A770 Relevance: 6.1, APIs: 4, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,0215C9A6,004C6A44,?,?,?,?,00000001), ref: 0218A7C7
IsWindowVisible.USER32(00000000), ref: 0218A7E3
GetForegroundWindow.USER32(?,?,?,?,0215C9A6,004C6A44,?,?,?,?,00000001), ref: 0218A823
IsWindowVisible.USER32(00000000), ref: 0218A890

Part of subcall function 0218B5D0: LoadLibraryW.KERNEL32(004C0BF4,004C0BDC,?,0218B651,004A3890), ref: 0218B5EB
Part of subcall function 0218B5D0: GetProcAddress.KERNEL32(00000000), ref: 0218B5F2

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$AddressLibraryLoadProc
String ID:
API String ID: 559202094-0
Opcode ID: 1b822b83f54eb783e1beb6e98d1f90d02db2a897f562ac8009dc5fc06fe466b1
Instruction ID: 4b541043edea2e9b1ff3cd555a8cfe24ab32aad4c6729fe414f90d5263b38f84
Opcode Fuzzy Hash: 1b822b83f54eb783e1beb6e98d1f90d02db2a897f562ac8009dc5fc06fe466b1
Instruction Fuzzy Hash: 23518E31A883808BC734BF6898D05EAB7E5FF81345F44453EE68887200EB355A85DFE2

Function 02122055 Relevance: 6.1, APIs: 4, Instructions: 132threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0212208B
WindowFromPoint.USER32(?,?), ref: 0212209B
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 021220BB
SendMessageW.USER32(00000000,00000084,00000000,?), ref: 021220E5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$CursorFromMessagePointProcessSendThread
String ID:
API String ID: 3692963090-0
Opcode ID: bf2bcef10f5004125dfb244e15bd72f7526e5bcd0c086549a6f802b11aa38257
Instruction ID: 52abebd465f0fda5f5dbf8025b0148289a8c3acdec7451f190abfb104ca59f29
Opcode Fuzzy Hash: bf2bcef10f5004125dfb244e15bd72f7526e5bcd0c086549a6f802b11aa38257
Instruction Fuzzy Hash: 4241AF30A883308FE7249F14D888B2E77E1EB84308F54082EFE9582261D775D9ADCB57

Function 02166680 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE(004A3890,?), ref: 02166708

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FromProg
String ID:
API String ID: 3303861117-0
Opcode ID: 58294abb8fdee38dbe5b5f00303f33a6a6918028cff27506c07d57bbde999d42
Instruction ID: 116075eef33432a88628bcb3aea9879d0627aabadc88e6e46244920e1c475894
Opcode Fuzzy Hash: 58294abb8fdee38dbe5b5f00303f33a6a6918028cff27506c07d57bbde999d42
Instruction Fuzzy Hash: F041BFB56003409FD704CF68D888B6AB7E8FB89319F14857EF909CB250E779E915CBA1

Function 02182E20 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00008000,?,?), ref: 02182E45

Part of subcall function 02182CE0: FindFirstFileW.KERNEL32(?,?,?), ref: 02182D2C
Part of subcall function 02182CE0: FindClose.KERNEL32(00000000), ref: 02182D38

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 02182E72
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 02182EC9
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 02182EDE

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: PrivateProfileWrite$FindString$CloseFileFirstFullNamePathSection
String ID:
API String ID: 1032437609-0
Opcode ID: 42aa3618908874c96a052b404d798eb055d65569fdcca02c83836074fc1e4db7
Instruction ID: d72b5991538b291bc3acff4861b8a388f6eb7beb17a02afd334d0e08e7ac004e
Opcode Fuzzy Hash: 42aa3618908874c96a052b404d798eb055d65569fdcca02c83836074fc1e4db7
Instruction Fuzzy Hash: 253158326802146BC736EB54DC81FFA73A9EB59710F1041AAFD46A71C4D7B09684CFA4

Function 0211ADF0 Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0211AE1B

Part of subcall function 021865B0: _vswprintf_s.LIBCMT ref: 021865C9

GetTickCount.KERNEL32 ref: 0211AE31
GetTickCount.KERNEL32 ref: 0211AF3A
PostMessageW.USER32(004CA564,00000312,?,00000000), ref: 0211AF5C

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountTick$MessagePost_vswprintf_s
String ID:
API String ID: 134691662-0
Opcode ID: 12b5987cdf12e5e63177606ad771d35da1e3858191e44414540bced949eb95dd
Instruction ID: f047c0405584bd34a34ab712afdd8d1c1247f8f43d95d2974a53f93c740dd028
Opcode Fuzzy Hash: 12b5987cdf12e5e63177606ad771d35da1e3858191e44414540bced949eb95dd
Instruction Fuzzy Hash: B73148B6A853859FE7A0DF64EC84FAA3F51FB40715F04807AE98492290D3745458CB9E

Function 021A9674 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 021A96A8
__isleadbyte_l.LIBCMT ref: 021A96DB
MultiByteToWideChar.KERNEL32(00000080,00000009,021A0474,?,00000000,00000000,?,?,?,?,021A0474,00000000), ref: 021A970C
MultiByteToWideChar.KERNEL32(00000080,00000009,021A0474,00000001,00000000,00000000,?,?,?,?,021A0474,00000000), ref: 021A977A

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6bf853ae2f161f5a34ded4e7b8bbada234fe93d8fd70944f6cc760147cfe4a90
Instruction ID: 81551febd284e8d8f83e3dc11b404560f80464576a456a76bd2acab579da9434
Opcode Fuzzy Hash: 6bf853ae2f161f5a34ded4e7b8bbada234fe93d8fd70944f6cc760147cfe4a90
Instruction Fuzzy Hash: AD31F639A44285EFCF21DFA8C8A0ABE3BB5FF01314F154969E4698B1A1D730D980DF90

Function 02168260 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02168275

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1dd92524b566162a11483f81f651ebfa27d3dc4138ff3c148e50568542e9210b
Instruction ID: 9f76f4e08d3153c4fa2fa1a8c84b7a02e4f1330999a65f6d2ef6989988949f10
Opcode Fuzzy Hash: 1dd92524b566162a11483f81f651ebfa27d3dc4138ff3c148e50568542e9210b
Instruction Fuzzy Hash: 3721F73A6402049F8B10DF65D88887FB7A9EBC9621B55867EFC1CC7210DB31DC19CB90

Function 0217DB50 Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0217DB78
CreatePopupMenu.USER32 ref: 0217DBA4
SetMenuDefaultItem.USER32(00000000,?,00000000,?,?), ref: 0217DBE8
CreateMenu.USER32 ref: 0217DC67

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Menu$Create$DefaultItemPopup__wcsicoll
String ID:
API String ID: 2645790526-0
Opcode ID: 0645373555680b832c703ea3490dc6799377385098865099364d46f3deabaf24
Instruction ID: baa40ce3db203b40b3c6c124c30fae3223d6163d9c99aa8cb538cce56c4395e5
Opcode Fuzzy Hash: 0645373555680b832c703ea3490dc6799377385098865099364d46f3deabaf24
Instruction Fuzzy Hash: A93166716847099FD720DF29E804B2BBBF5BFC9714F150A2DE88993250E7B4E504CB92

Function 00458010 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00458025

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f93a8f5ece9b7f4ed98fb35e62aa26fe980490d6f2ad06af92ec744b0999a5ea
Instruction ID: 36c1a96ea8efe714a6be1a5a90194b126031f09fd66b95cedbb3b62cbdf16f29
Opcode Fuzzy Hash: f93a8f5ece9b7f4ed98fb35e62aa26fe980490d6f2ad06af92ec744b0999a5ea
Instruction Fuzzy Hash: 6221D03A6002049F8B10DF65D88482B77A8EBC9B22B55897FFC1CD7251DE39D80D8755

Function 02124BC1 Relevance: 6.1, APIs: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004A7154,004A7144), ref: 02124BDA
GetProcAddress.KERNEL32(00000000), ref: 02124BE1
GetVersionExW.KERNEL32(004CC068), ref: 02124C0D
__snwprintf.LIBCMT ref: 02124C44

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion__snwprintf
String ID:
API String ID: 3388246157-0
Opcode ID: 32fae2caef0a7f30becbde89c6afbefd60492e4f596e9ed5866628dafe20d96e
Instruction ID: 91d0b76160edd3a7a1fba5d6c4deeea952a95f0cd21682e39724b377f6f6042b
Opcode Fuzzy Hash: 32fae2caef0a7f30becbde89c6afbefd60492e4f596e9ed5866628dafe20d96e
Instruction Fuzzy Hash: D9317E71688254DED7A5CFAAACC4F603BA1B316314F19157AF40D86362CBB640A9CF2D

Function 02123BE0 Relevance: 6.1, APIs: 4, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,004A7030), ref: 02123C62
GetCurrentProcess.KERNEL32(?), ref: 02123C7E
IsWow64Process.KERNEL32(00000000), ref: 02123C85
FreeLibrary.KERNEL32(00000000), ref: 02123CAB

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Process$AddressCurrentFreeLibraryProcWow64
String ID:
API String ID: 2487901806-0
Opcode ID: d71ff97a24f90802113fa9838289f6aefaaa6826565bce9bd5dd19c572f6cc23
Instruction ID: 51277bc745457e4fb5a2c52f02a6f923f0def874c1278ad18e7786eceb98a78f
Opcode Fuzzy Hash: d71ff97a24f90802113fa9838289f6aefaaa6826565bce9bd5dd19c572f6cc23
Instruction Fuzzy Hash: 2621377164022C9FD7244F25FC88BA673A9EB40719F16117FF462C2570DB38C4B8CA99

Function 0046A150 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0046A188
GetWindowRect.USER32(?,?), ref: 0046A1AC
GetWindowRect.USER32(?,?), ref: 0046A1B6
IntersectRect.USER32(?,?,?), ref: 0046A1C7

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Rect$Window$IntersectParent
String ID:
API String ID: 3824346474-0
Opcode ID: a2a9c61d02c7a5410c11e78f0f90da1b9aa997381b9e9349aa7e1fb9457c62a5
Instruction ID: ffffdbbbc35763f3e59cd151e13437dee45ede1eb13d76331a43f8c16601ccf0
Opcode Fuzzy Hash: a2a9c61d02c7a5410c11e78f0f90da1b9aa997381b9e9349aa7e1fb9457c62a5
Instruction Fuzzy Hash: C321CCB21083409BC304CF54D98099BFBE4FB96310F048A2EE98693214D636E918CF97

Function 0217A990 Relevance: 6.1, APIs: 4, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0217A9A0
GetWindowLongW.USER32(?,000000F0), ref: 0217A9A9
SendMessageW.USER32(?,00001328,00000000,?), ref: 0217AA29
MapWindowPoints.USER32(?,?,?,00000002), ref: 0217AA44

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ClientLongMessagePointsRectSend
String ID:
API String ID: 1965652201-0
Opcode ID: 6cffab8d8c0d44edddcee5e0414bb86ac7c9c45487e3b09f3ee518a7a6ba5046
Instruction ID: 500050e8e0e052fa006078da5760d63a60f5619897b9cdebc619205f352ab0e5
Opcode Fuzzy Hash: 6cffab8d8c0d44edddcee5e0414bb86ac7c9c45487e3b09f3ee518a7a6ba5046
Instruction Fuzzy Hash: 51217A7124A342AFD308DF28CD45BAEBBE8FFC8741F04891DF59296290D774A605CB56

Function 02124160 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 021241A0
_wcstoul.LIBCMT ref: 021241B7
__wcsnicmp.LIBCMT ref: 021241CA
_wcstoul.LIBCMT ref: 021241E5

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsnicmp_wcstoul
String ID:
API String ID: 372159744-0
Opcode ID: 5775e04b1fad546c23c7350f24c6ab725d30e7789c3c1376bd2d91f5a5e0cb24
Instruction ID: 14060cfa4ec471d65f85f73f315f2d5391a2973c2b77f1d3ed748cdff35d34ee
Opcode Fuzzy Hash: 5775e04b1fad546c23c7350f24c6ab725d30e7789c3c1376bd2d91f5a5e0cb24
Instruction Fuzzy Hash: B0114C369C43316BE700EB68BC41FEB739E6F95718F04405AF84C9B281E3A6D51987A6

Function 021A2AC3 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 9e1da2fe81c1f81961f87cd0be240a4457afa06abba1d31a25c5393deff3c16e
Instruction ID: c0445ac52d2d1a91aa1f3a9c5c15c9ac57d8015926fb061f4804198a9105f7ba
Opcode Fuzzy Hash: 9e1da2fe81c1f81961f87cd0be240a4457afa06abba1d31a25c5393deff3c16e
Instruction Fuzzy Hash: 7811937A682204BFDF315F71DC14B6A3A69FB857A0F214564ED51961A0DB708940CB94

Function 0046E160 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 0046E1AE
GetObjectW.GDI32(?,00000018,?), ref: 0046E1C4
DeleteObject.GDI32(?), ref: 0046E1EC
DeleteObject.GDI32(?), ref: 0046E1F3

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 08d23ffeff4b942ab2032edc374c2c6eb2402444333ed95def03b1ba7f102634
Instruction ID: c01d2a373b3f42516f172c59a9f8ef1b064613a64d7b7b83a78346f5bae6b3ad
Opcode Fuzzy Hash: 08d23ffeff4b942ab2032edc374c2c6eb2402444333ed95def03b1ba7f102634
Instruction Fuzzy Hash: 1F113D757042119BD714DF2ACC40AA7B7E9BF85754B04892EE819C7360F734E8029B96

Function 02161970 Relevance: 6.1, APIs: 4, Instructions: 61keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(-00000001), ref: 02161985

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 30c581018c6b5407fb735b64b023a340e6b3019dc2629554ecdd3b9917c572b8
Instruction ID: 28a0f4af97774b737de39863c012630d12a23bbc5ef04bf9dea30c15ef92b762
Opcode Fuzzy Hash: 30c581018c6b5407fb735b64b023a340e6b3019dc2629554ecdd3b9917c572b8
Instruction Fuzzy Hash: 621108B54D01146ADF188F34A82D7FC37D1B79234AFCC4895E0CD8A191D32E816DE616

Function 0211E1B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0211E224
_free.LIBCMT ref: 0211E22D
_free.LIBCMT ref: 0211E236
_free.LIBCMT ref: 0211E248

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 88c3a55fa520e33e21593ec9370fcb1b100599787eeceb93dcbf277ecf4b7da2
Instruction ID: 0b170eb11ada369bf57085e0924c72f7e09b04b53c63fa9cc0c35702f847a11b
Opcode Fuzzy Hash: 88c3a55fa520e33e21593ec9370fcb1b100599787eeceb93dcbf277ecf4b7da2
Instruction Fuzzy Hash: CD11F679640B009FC724EBA5C894B57B3E9BF89704F14891CE99A87790DB39E801CB51

Function 021125E1 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 02111790
GetFocus.USER32 ref: 02111834
_wcsncpy.LIBCMT ref: 021125F2
_wcsncpy.LIBCMT ref: 02112613
_wcsncpy.LIBCMT ref: 0211268B

Part of subcall function 021139C0: SetCurrentDirectoryW.KERNEL32(004A3890,?,004CAD6C,0213D5B5,00000000,00000000,00000065), ref: 02113A35

GetTickCount.KERNEL32 ref: 021126B7

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcsncpy$CountCurrentDirectoryFocusMessageTick
String ID:
API String ID: 2031546545-0
Opcode ID: a603a2f4cce01d11e8a7e6809e6ae30fc840f5761466c8a8508c10a81f5e8467
Instruction ID: 4db0cb4c947fb0fe431a5af39732381d402e79c7a1a191799940b9b8863a6c27
Opcode Fuzzy Hash: a603a2f4cce01d11e8a7e6809e6ae30fc840f5761466c8a8508c10a81f5e8467
Instruction Fuzzy Hash: 5411C2746402009FE364DF65DC52E5677A5FF89304F04853CE94A972B1EB70A814CBAA

Function 021AADC3 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 021AADE9

Part of subcall function 021AAC15: __fltout2.LIBCMT ref: 021AAC40

__cftog_l.LIBCMT ref: 021AAE0F
__cftoe_l.LIBCMT ref: 021AAE41

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5ecf0e655be76999f57c6178485e1f9e2d1575bfcba749b05efbb8babae6f9cf
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 0511663A48018EBFCF265E84CC618EE3F77BF18394B198415FA6858020D736C5B1EB81

Function 021A12C8 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 021A12E2

Part of subcall function 0219FEF4: __FF_MSGBANNER.LIBCMT ref: 0219FF0D
Part of subcall function 0219FEF4: __NMSG_WRITE.LIBCMT ref: 0219FF14
Part of subcall function 0219FEF4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0219FF39

std::exception::exception.LIBCMT ref: 021A1317
std::exception::exception.LIBCMT ref: 021A1331
__CxxThrowException@8.LIBCMT ref: 021A1342

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 3210b775c5a043df588acabb392f9cfcaba741b45311ccdbf8bc3cce2aad1651
Instruction ID: 75df26e42520edfa5bf2d80e2f28fe7a727b5a2849f432c451c65f2a4568c1e1
Opcode Fuzzy Hash: 3210b775c5a043df588acabb392f9cfcaba741b45311ccdbf8bc3cce2aad1651
Instruction Fuzzy Hash: 05F0447C8806097EDF40FB54CC24BAE3AAAAB90354F68006EE419E21E0CFB4C941CF48

Function 02126720 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 02126730
__wcsicoll.LIBCMT ref: 02126742
__wcsicoll.LIBCMT ref: 02126754

Part of subcall function 0219FE69: __wcsicmp_l.LIBCMT ref: 0219FEE9

__wcsicoll.LIBCMT ref: 02126766

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID:
API String ID: 3172861507-0
Opcode ID: 671f2a05066076d7985238845dedb2542319bfb4710b9ae564652af99fa2a317
Instruction ID: db68d04bdea3c7ac6c861d962069a6b129518bd9d826ad2238a6261c8cef7839
Opcode Fuzzy Hash: 671f2a05066076d7985238845dedb2542319bfb4710b9ae564652af99fa2a317
Instruction Fuzzy Hash: 6FE06570EC166621DF2129306D4175E309D4F12B06FA90038BC08E09C1FF8ED52AA1A9

Function 0211E180 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0211E184

Part of subcall function 021A07B1: HeapFree.KERNEL32(00000000,00000000,?,021A3973,00000000,?,021A4C02,?,021865CE), ref: 021A07C7
Part of subcall function 021A07B1: GetLastError.KERNEL32(00000000,?,021A3973,00000000,?,021A4C02,?,021865CE), ref: 021A07D9

_free.LIBCMT ref: 0211E18D
_free.LIBCMT ref: 0211E196
_free.LIBCMT ref: 0211E1A8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d653afc0b5b4d72424c6d1f83938718647a2103f5bb989e249a50e4e0938c8e
Instruction ID: fcfba938835a968be3645d919794d50c61aee4bd251177795dc0b78cfef20e87
Opcode Fuzzy Hash: 1d653afc0b5b4d72424c6d1f83938718647a2103f5bb989e249a50e4e0938c8e
Instruction Fuzzy Hash: 8ED067BA540B009FC634ABF4C894E1773AAAF8D310BA48A1CAAC747A44DB74E4458F90

Function 004821C7 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

z, xrefs: 004822D0

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: ae7f74adada480b2a51ef882d72b9535e1c328b5541bd4fb2dfc6e2ffc10b2e8
Instruction ID: fae5ee67b392fbda8aeeed42e9e1aff23eb77c6f238d91f5da1b27c4ecf6aab0
Opcode Fuzzy Hash: ae7f74adada480b2a51ef882d72b9535e1c328b5541bd4fb2dfc6e2ffc10b2e8
Instruction Fuzzy Hash: EC028A716083418FC728DF28C5906AFB7E1FFC8714F54896EE88A87341D778A985CB96

Function 021206C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0212073C

Strings

@, xrefs: 02120A21
@, xrefs: 02120855

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessagePeek
String ID: @$@
API String ID: 2222842502-149943524
Opcode ID: 11034188c2bc69193e2bbdba781310bf48e299ca8adb864499640c3c6578da35
Instruction ID: cdd19fff96057434a1c6b540fc86bb5dd9c970ba9a39e8566d752670f8fc949c
Opcode Fuzzy Hash: 11034188c2bc69193e2bbdba781310bf48e299ca8adb864499640c3c6578da35
Instruction Fuzzy Hash: 4EB118346883E45EF715CB248854BBB7FB19BAA348F088569F5C00B2C2C7B5841CCB67

Function 00438140 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 278windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00444650: GetForegroundWindow.USER32(?,?,00437345,?), ref: 0044467E
Part of subcall function 00444650: IsWindowVisible.USER32(00000000), ref: 00444699

SendMessageTimeoutW.USER32(00000000,?,00000000,00000000,00000002,00001388,?), ref: 004382B2

Strings

FAIL, xrefs: 004382D5, 004382F0, 0043840D, 0043842E, 0043844A

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$ForegroundMessageSendTimeoutVisible
String ID: FAIL
API String ID: 578228273-2964506365
Opcode ID: a53029a06b22c017d1b43aa18f8df6c6b4810d41da9da551def13fae6fb2dd42
Instruction ID: b8563befaeef53a1b23f593fb44afa5e9eaf67b67f55a10d57882c3974533e0c
Opcode Fuzzy Hash: a53029a06b22c017d1b43aa18f8df6c6b4810d41da9da551def13fae6fb2dd42
Instruction Fuzzy Hash: 56A1F4717043005BDB20CF55E881B67F7A1AB99718F2491AFF8458B382CB7ADC85C799

Function 02140A80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

The current thread will exit., xrefs: 02140D1A, 02140D26
__Delete will now return., xrefs: 02140D13

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentDirectory_free
String ID: The current thread will exit.$__Delete will now return.
API String ID: 3757797350-1380654191
Opcode ID: b513cf29519713b95e58e941b77984a22c8e700fa06c824b819a970a10871fb0
Instruction ID: 2fedf5506e07530951c3dcaea4e1fb84c005cf08f3e4706f789002a82106c225
Opcode Fuzzy Hash: b513cf29519713b95e58e941b77984a22c8e700fa06c824b819a970a10871fb0
Instruction Fuzzy Hash: A27107706843049FD728DF25C880B6AB3E5EF48718F04455DFA8C9B282EB71EA49CBC5

Function 02160350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001127,00000000,00000010), ref: 02160479
SendMessageW.USER32 ref: 021604FF

Strings

$cJ, xrefs: 021603B1

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: $cJ
API String ID: 3850602802-417114052
Opcode ID: 3d32e9a033b3f68d0da364985c163fb5253f3dbb21dda329ad3ae70eb24fda6c
Instruction ID: 9a548a0ff0a7d3b0b0e28031b8daa0b50f8efba3ee751cf0bacdd33a10b73e19
Opcode Fuzzy Hash: 3d32e9a033b3f68d0da364985c163fb5253f3dbb21dda329ad3ae70eb24fda6c
Instruction Fuzzy Hash: 9D51BC726443019FD7208F15D888B3EB7E5FF89725F55456DE9998B2C0E730D860CB52

Function 02121720 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 02121806
__fassign.LIBCMT ref: 02121833

Strings

,, xrefs: 02121792

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __fassign
String ID: ,
API String ID: 3965848254-605440088
Opcode ID: 6d392ecb036466c7bc28d4b1ee0a262d97b5b41adce7e34230ff3c154ea9b493
Instruction ID: d6bb3469b80505cc0582e02f2ea48a6eb12af8ae11f46ba2f85ba08326924b5e
Opcode Fuzzy Hash: 6d392ecb036466c7bc28d4b1ee0a262d97b5b41adce7e34230ff3c154ea9b493
Instruction Fuzzy Hash: 16511674980321EFD721DF14D88072A73E5AF86354F140968FC999F392E371D9A9CB92

Function 02127D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02127D93

Part of subcall function 021279C0: Shell_NotifyIconW.SHELL32(00000001,004CB28E), ref: 02127A90

SetCurrentDirectoryW.KERNEL32(004A3890,00000000,?,00000100,00000000), ref: 02127DFF

Strings

$cJ, xrefs: 02127EEC

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryIconNotifyShell__wcsncpy
String ID: $cJ
API String ID: 3432613961-417114052
Opcode ID: 038e1feb790dc717154fd5b89b9ce248b4eccb317c44cf7873f455b07e1d4a64
Instruction ID: c210c37767fc12cab6465518a77157925e5b832d5ff482d28fed95e843101f49
Opcode Fuzzy Hash: 038e1feb790dc717154fd5b89b9ce248b4eccb317c44cf7873f455b07e1d4a64
Instruction Fuzzy Hash: D85125B2644384DFD760DF68ECC0E67BB95EB85304F04847DF9488B290D7319858CB6A

Function 0215EA70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000105F), ref: 0215EB5F

Part of subcall function 0216D880: __wcsicoll.LIBCMT ref: 0216D89C

SendMessageW.USER32(?,0000104B), ref: 0215EBBC

Strings

$cJ, xrefs: 0215EAA1

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: MessageSend$__wcsicoll
String ID: $cJ
API String ID: 2764284104-417114052
Opcode ID: 9942069cf0db6a43520bd863272c55bd2024a636f1389c3bde3502c8a9f0dec1
Instruction ID: 8d51d0402d99620319c84a9f22263369dcdb9fc4fea97f31733b701f78ada192
Opcode Fuzzy Hash: 9942069cf0db6a43520bd863272c55bd2024a636f1389c3bde3502c8a9f0dec1
Instruction Fuzzy Hash: 8341D2B1644311DFD720CF28D880B6AB7E6FB84314F104AADF96A9B290E771D904CF62

Function 004471C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000060,00000060), ref: 00447252
__itow.LIBCMT ref: 00447260

Strings

0x%Ix, xrefs: 004472C0

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __itow
String ID: 0x%Ix
API String ID: 3482036329-2288733857
Opcode ID: 0e86f06e918903fd84595879037907ab772fc429207a04ceee62b104076617b2
Instruction ID: ae776d68f3dfc35fe916c0b1f613de8eb1b81822cf01e6b70569880b687ae888
Opcode Fuzzy Hash: 0e86f06e918903fd84595879037907ab772fc429207a04ceee62b104076617b2
Instruction Fuzzy Hash: F24121326082059FE7149B65C881B7773A0FF85310F9885AAFD408B790E3B9FC12C79A

Function 02150450 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02150488
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 021504EC

Strings

\, xrefs: 021504B0

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace_wcsncpy
String ID: \
API String ID: 1165104651-2967466578
Opcode ID: 00abc2931b9043036465fde4b3fb628bd60df9bb621ab5a09d270a4bf91d96da
Instruction ID: da2b8c4d6dcbc7da4229f8b84d9b919c08bdec07e364e1467dcfebebc84e7516
Opcode Fuzzy Hash: 00abc2931b9043036465fde4b3fb628bd60df9bb621ab5a09d270a4bf91d96da
Instruction Fuzzy Hash: 61315932654314ABC724DB54DC44F9BB3A9EB8C320F04466AFD55672D0D7B0E544C7D9

Function 02168420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 021684A1
_vswprintf_s.LIBCMT ref: 021684E6

Strings

No valid COM object!, xrefs: 0216846C

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: FormatMessage_vswprintf_s
String ID: No valid COM object!
API String ID: 3456365560-2914111645
Opcode ID: 5279c4d66cdd857995fb1138bce6be5872ad67d9030ff9327ad50f91fc1a19d4
Instruction ID: 73771d8ddfab5f38d47d257009e3c8be0336e9dbd94807acb60225ac53100ac7
Opcode Fuzzy Hash: 5279c4d66cdd857995fb1138bce6be5872ad67d9030ff9327ad50f91fc1a19d4
Instruction Fuzzy Hash: 6F314672644310ABD714EBA8DC88F7B37ADEF88704F018929AA0597080E774D908C7A5

Function 0218A0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0218A109

Strings

variable, xrefs: 0218A134
function, xrefs: 0218A13B, 0218A144

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: _wcschr
String ID: function$variable
API String ID: 2691759472-1379276077
Opcode ID: 273e7c0133b1aeefffe944e0a34a659cb347f42e1708adecfc6786368bde12dd
Instruction ID: f3d54f62b6f6b0778473d9284875fbe781861ffd6541292233e4b0c0c349a1ff
Opcode Fuzzy Hash: 273e7c0133b1aeefffe944e0a34a659cb347f42e1708adecfc6786368bde12dd
Instruction Fuzzy Hash: 0C110666F8021417CB30B55AAC81F667399CB84335F04427BFD0CD72C0FB65985486E5

Function 021139C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(004A3890,?,004CAD6C,0213D5B5,00000000,00000000,00000065), ref: 02113A35
GetTickCount.KERNEL32 ref: 02113AA7

Strings

e, xrefs: 02113A50

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: CountCurrentDirectoryTick
String ID: e
API String ID: 2167818035-4024072794
Opcode ID: 6b79dfba60c1fe39b664df0ffb153e290497f8b9d3a5b6ee83f90ab23ff93158
Instruction ID: aeb937f93c5e38e6053017fa686df37c407cb6dbc2de31d2e8a1d5e3921bff0c
Opcode Fuzzy Hash: 6b79dfba60c1fe39b664df0ffb153e290497f8b9d3a5b6ee83f90ab23ff93158
Instruction Fuzzy Hash: F12181705447818EEB64CF29F808B56BBE1EB45318F0889BED4A6D73D4C7B59889CF48

Function 0217D1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

InsertMenuItemW.USER32(?,00000000,00000001,00000030), ref: 0217D282

Part of subcall function 0217DB50: __wcsicoll.LIBCMT ref: 0217DB78

GetMenuItemCount.USER32(?), ref: 0217D26C

Strings

0, xrefs: 0217D1F8

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInsert__wcsicoll
String ID: 0
API String ID: 858756630-4108050209
Opcode ID: 2b92bb06e0142acd0dbe52444476e352b5e1701e98f4fdf13df1b190600c588d
Instruction ID: 7b6445538bd0e89e7a74dd277883dffa51913f4888ef695b1ab591f460508423
Opcode Fuzzy Hash: 2b92bb06e0142acd0dbe52444476e352b5e1701e98f4fdf13df1b190600c588d
Instruction Fuzzy Hash: 34216D716097059FD724CF69E444A2BBBF8EF88720F008A1EF896C7690E770E905CB91

Function 02134090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 021340E9

Strings

`dL, xrefs: 021340B3
d;J, xrefs: 021340BF

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __wcsicoll
String ID: `dL$d;J
API String ID: 3832890014-3532224444
Opcode ID: 5be9c0ad1f30b90bfbbea2a9dea22aa66a09807b75e48b5532cfdc895c69757e
Instruction ID: c8df1d14cbff63bf17d27a671809ae29b2d870904445787f094c082556debab3
Opcode Fuzzy Hash: 5be9c0ad1f30b90bfbbea2a9dea22aa66a09807b75e48b5532cfdc895c69757e
Instruction Fuzzy Hash: B401F97238410547D725DEA8F8806FA73A6E780371F15883BE905C7101E332E8099655

Function 00476030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 00476044
FileTimeToSystemTime.KERNEL32(?,?), ref: 00476062

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 00476090

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Time$File$LocalSystem
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 1748579591-4847443
Opcode ID: 42e1a3b716db4f8600779cadb7be6b665accd6c124b5f7ce359656b884348930
Instruction ID: 2b1691edeaa739b97338c0010a2acaf2dcc89ee84594656d4247a61c926406e4
Opcode Fuzzy Hash: 42e1a3b716db4f8600779cadb7be6b665accd6c124b5f7ce359656b884348930
Instruction Fuzzy Hash: 15019EA1118610AAC318DF55DC459BBB7E8AF89B00F008A4EF9C882290F67CD844E7A7

Function 021AF5BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 021AF5CA

Part of subcall function 021A3982: __getptd_noexit.LIBCMT ref: 021A3985
Part of subcall function 021A3982: __amsg_exit.LIBCMT ref: 021A3992

__getptd.LIBCMT ref: 021AF5D8

Strings

csm, xrefs: 021AF5E6

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: cf4c69ece9d69a2b6b889e57c0bbc0dc20a53738493a5713921788ea5bc3160b
Instruction ID: 4adf9cf630d902da982a5803503539385b6e0cbe723a6abb98b3f2f10a779ba6
Opcode Fuzzy Hash: cf4c69ece9d69a2b6b889e57c0bbc0dc20a53738493a5713921788ea5bc3160b
Instruction Fuzzy Hash: F2018B388812009ECF349F68C4607ADB3B6FF00318F24452DD4C996AA0CB329597CF81

Function 02140A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

IsWindow.USER32(004CA564), ref: 02140A4D
DestroyWindow.USER32(004CA564), ref: 02140A65

Strings

This DllCall requires a prior VarSetCapacity., xrefs: 02140A41

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: Window$Destroy
String ID: This DllCall requires a prior VarSetCapacity.
API String ID: 3707531092-2544115803
Opcode ID: dabbcdf0e06df0105577b415bdc5ca899a36287992fbd9f27948f0e5404afb97
Instruction ID: b6fac81c21170fe87d1e65275be6d82fc4f9777d3387bb8b16b2f7d5f02c857f
Opcode Fuzzy Hash: dabbcdf0e06df0105577b415bdc5ca899a36287992fbd9f27948f0e5404afb97
Instruction Fuzzy Hash: FCE01274681304AFD348DB65ED4DF653BA4AB49745F04C53CB209876A1DB74A401CB59

Function 02123AD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetGUIThreadInfo.USER32 ref: 02123AF5
GetKeyboardLayout.USER32(00000000), ref: 02123B0F

Strings

0, xrefs: 02123AED

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: InfoKeyboardLayoutThread
String ID: 0
API String ID: 939672861-4108050209
Opcode ID: 6d501edb6af67e15d7267ec7101b85c6d7b328b853351aa09eec27844975f908
Instruction ID: f58feacc1399bd08e7ef511c4aa903f6dabbe0650fca57da1feee038872c7ca8
Opcode Fuzzy Hash: 6d501edb6af67e15d7267ec7101b85c6d7b328b853351aa09eec27844975f908
Instruction Fuzzy Hash: 9DE0307660122167D730AE669C04B9BBE9CEF82994F050565F815D3160D764C809C6F5

Function 00401000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00401012
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

<<>>, xrefs: 0040101E

Memory Dump Source

Source File: 00000000.00000002.2627034341.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2627034341.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2627034341.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>
API String ID: 778505046-913080871
Opcode ID: 04f0b6836c3849fc43cd959317823ad0a7ee629a3c685ef4d77dab26bbd98445
Instruction ID: fc4e81c7ec4e22e57c7312cd810b67a9f2312ac08cb55214dfa6a66ca0fee7f1
Opcode Fuzzy Hash: 04f0b6836c3849fc43cd959317823ad0a7ee629a3c685ef4d77dab26bbd98445
Instruction Fuzzy Hash: FDE04861300191D3D66066ED7D81F9726809756B58F004137F514DBAE5D33DCC4156AC

Function 02114A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 02114A9F
CloseClipboard.USER32 ref: 02114AAC

Strings

GlobalLock, xrefs: 02114ACE

Memory Dump Source

Source File: 00000000.00000002.2627434216.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2110000_W7ZBbzV7A5.jbxd

Yara matches

Similarity

API ID: ClipboardCloseGlobalUnlock
String ID: GlobalLock
API String ID: 3794156920-2848605275
Opcode ID: 063e2083801668df6284fe6aeb0da6a9bf68f4b1a00cd4b58b436b5e5594adcd
Instruction ID: 4ae495d22638584510756fcf8ca61652fbac44e6c92f7079e26bde1bee330559
Opcode Fuzzy Hash: 063e2083801668df6284fe6aeb0da6a9bf68f4b1a00cd4b58b436b5e5594adcd
Instruction Fuzzy Hash: DFE065740407018BE3349F49E818746B6F0EB80B0AF64482DA086826E0EBB890C4DA88

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report W7ZBbzV7A5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
W7ZBbzV7A5.exe

Function 00403D20 Relevance: 53.0, APIs: 21, Strings: 9, Instructions: 464
sleepwindowCOMMON

Function 004545D0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 281
networkCOMMON

Function 004781C0 Relevance: 21.2, APIs: 14, Instructions: 174
windowlibraryCOMMON

Function 00477170 Relevance: 12.2, APIs: 8, Instructions: 164
fileCOMMON

Function 00417290 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 244
windowregistryCOMMON

Function 0042AC4D Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 248
windowclipboardCOMMON

Function 00472DA0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 318
registryCOMMON

Function 00427284 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 286
windowclipboardCOMMON

Function 0042B16B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 198
registrywindowclipboardCOMMON

Function 0211003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00426E22 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 349
windowclipboardCOMMON

Function 00427EB1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 194
windowclipboardCOMMON

Function 00427B52 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 154
windowclipboardCOMMON

Function 00417870 Relevance: 10.7, APIs: 7, Instructions: 161
timeCOMMON

Function 00416A90 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 132
comCOMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre